dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
59s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Size

1.6MB
MD5

2c4dbe075f37719580a096bf67bf048e
SHA1

71673f7af94683985e875f3db73cbf1a5509228e
SHA256

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567
SHA512

6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5388	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5912	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5696	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6112	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5336	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5572	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5980	5288	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	5288	schtasks.exe	88

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral26/memory/3480-1-0x0000000000090000-0x0000000000232000-memory.dmp	dcrat
behavioral26/files/0x0007000000024311-26.dat	dcrat
behavioral26/files/0x0009000000024307-81.dat	dcrat
behavioral26/files/0x0009000000024337-116.dat	dcrat
behavioral26/files/0x0009000000024316-127.dat	dcrat
behavioral26/files/0x0008000000024325-162.dat	dcrat
behavioral26/files/0x0008000000024329-195.dat	dcrat
behavioral26/files/0x000900000002432d-207.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3328	powershell.exe
5820	powershell.exe
1964	powershell.exe
1284	powershell.exe
2440	powershell.exe
2696	powershell.exe
5076	powershell.exe
1792	powershell.exe
3996	powershell.exe
3568	powershell.exe
1104	powershell.exe
2604	powershell.exe
6088	powershell.exe
400	powershell.exe
1888	powershell.exe
2840	powershell.exe
4192	powershell.exe
1380	powershell.exe
1928	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Executes dropped EXE 6 IoCs

pid	Process
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
368	sppsvc.exe
4512	sppsvc.exe
4684	sppsvc.exe
1704	sppsvc.exe
2760	sppsvc.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\121e5b5079f7c0	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXB478.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Windows Portable Devices\services.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\38384e6a620884	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\VideoLAN\VLC\locale\dwm.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\VideoLAN\VLC\locale\6cb0b6c459d5d3	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\dwm.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXA353.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXA3C1.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Portable Devices\services.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\SearchApp.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OfficeClickToRun.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\e6c9b481da804f	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RCX9C78.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OfficeClickToRun.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXA5E5.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXB4E6.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RCX9C77.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXA5E6.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\SearchApp.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\schemas\VpnProfile\backgroundTaskHost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Tasks\StartMenuExperienceHost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Tasks\55b276f4edf653	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Tasks\RCXAA6D.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Tasks\RCXAADC.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Tasks\StartMenuExperienceHost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
3716	schtasks.exe
5696	schtasks.exe
968	schtasks.exe
5388	schtasks.exe
4896	schtasks.exe
4828	schtasks.exe
5012	schtasks.exe
628	schtasks.exe
1356	schtasks.exe
2380	schtasks.exe
4904	schtasks.exe
4552	schtasks.exe
4692	schtasks.exe
2760	schtasks.exe
2284	schtasks.exe
4484	schtasks.exe
4680	schtasks.exe
2112	schtasks.exe
4012	schtasks.exe
896	schtasks.exe
4228	schtasks.exe
4056	schtasks.exe
5572	schtasks.exe
5580	schtasks.exe
2748	schtasks.exe
2028	schtasks.exe
5336	schtasks.exe
1168	schtasks.exe
4848	schtasks.exe
1508	schtasks.exe
4676	schtasks.exe
3692	schtasks.exe
4884	schtasks.exe
4508	schtasks.exe
4336	schtasks.exe
4596	schtasks.exe
4604	schtasks.exe
5912	schtasks.exe
1712	schtasks.exe
4728	schtasks.exe
3988	schtasks.exe
5020	schtasks.exe
396	schtasks.exe
2220	schtasks.exe
4920	schtasks.exe
4536	schtasks.exe
6112	schtasks.exe
4944	schtasks.exe
5980	schtasks.exe
5372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3328	powershell.exe
3328	powershell.exe
6088	powershell.exe
6088	powershell.exe
1104	powershell.exe
1104	powershell.exe
1888	powershell.exe
1888	powershell.exe
2604	powershell.exe
2840	powershell.exe
2840	powershell.exe
2604	powershell.exe
5076	powershell.exe
5076	powershell.exe
1380	powershell.exe
1380	powershell.exe
2696	powershell.exe
2696	powershell.exe
2440	powershell.exe
2440	powershell.exe
5820	powershell.exe
5820	powershell.exe
1964	powershell.exe
1964	powershell.exe
3996	powershell.exe
3996	powershell.exe
4192	powershell.exe
4192	powershell.exe
1380	powershell.exe
1284	powershell.exe
1284	powershell.exe
4192	powershell.exe
5076	powershell.exe
6088	powershell.exe
3328	powershell.exe
2840	powershell.exe
1104	powershell.exe
3996	powershell.exe
1888	powershell.exe
1284	powershell.exe
2696	powershell.exe
2604	powershell.exe
2440	powershell.exe
5820	powershell.exe
1964	powershell.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
3568	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	6088	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	368	sppsvc.exe
Token: SeDebugPrivilege	4512	sppsvc.exe
Token: SeDebugPrivilege	4684	sppsvc.exe
Token: SeDebugPrivilege	1704	sppsvc.exe
Token: SeDebugPrivilege	2760	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3328	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	136
PID 3480 wrote to memory of 3328	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	136
PID 3480 wrote to memory of 1888	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	137
PID 3480 wrote to memory of 1888	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	137
PID 3480 wrote to memory of 1380	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	138
PID 3480 wrote to memory of 1380	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	138
PID 3480 wrote to memory of 1104	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	139
PID 3480 wrote to memory of 1104	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	139
PID 3480 wrote to memory of 4192	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	141
PID 3480 wrote to memory of 4192	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	141
PID 3480 wrote to memory of 5076	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	142
PID 3480 wrote to memory of 5076	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	142
PID 3480 wrote to memory of 2696	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	143
PID 3480 wrote to memory of 2696	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	143
PID 3480 wrote to memory of 2440	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	145
PID 3480 wrote to memory of 2440	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	145
PID 3480 wrote to memory of 3996	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	146
PID 3480 wrote to memory of 3996	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	146
PID 3480 wrote to memory of 6088	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	148
PID 3480 wrote to memory of 6088	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	148
PID 3480 wrote to memory of 1284	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	149
PID 3480 wrote to memory of 1284	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	149
PID 3480 wrote to memory of 2604	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	150
PID 3480 wrote to memory of 2604	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	150
PID 3480 wrote to memory of 2840	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	151
PID 3480 wrote to memory of 2840	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	151
PID 3480 wrote to memory of 1964	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	152
PID 3480 wrote to memory of 1964	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	152
PID 3480 wrote to memory of 5820	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	153
PID 3480 wrote to memory of 5820	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	153
PID 3480 wrote to memory of 4496	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	166
PID 3480 wrote to memory of 4496	3480	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	166
PID 4496 wrote to memory of 2356	4496	cmd.exe	168
PID 4496 wrote to memory of 2356	4496	cmd.exe	168
PID 4496 wrote to memory of 5008	4496	cmd.exe	170
PID 4496 wrote to memory of 5008	4496	cmd.exe	170
PID 5008 wrote to memory of 1792	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	180
PID 5008 wrote to memory of 1792	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	180
PID 5008 wrote to memory of 3568	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	181
PID 5008 wrote to memory of 3568	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	181
PID 5008 wrote to memory of 400	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	182
PID 5008 wrote to memory of 400	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	182
PID 5008 wrote to memory of 1928	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	183
PID 5008 wrote to memory of 1928	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	183
PID 5008 wrote to memory of 4884	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	188
PID 5008 wrote to memory of 4884	5008	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	188
PID 4884 wrote to memory of 4548	4884	cmd.exe	190
PID 4884 wrote to memory of 4548	4884	cmd.exe	190
PID 4884 wrote to memory of 368	4884	cmd.exe	191
PID 4884 wrote to memory of 368	4884	cmd.exe	191
PID 368 wrote to memory of 640	368	sppsvc.exe	192
PID 368 wrote to memory of 640	368	sppsvc.exe	192
PID 368 wrote to memory of 3328	368	sppsvc.exe	193
PID 368 wrote to memory of 3328	368	sppsvc.exe	193
PID 640 wrote to memory of 4512	640	WScript.exe	196
PID 640 wrote to memory of 4512	640	WScript.exe	196
PID 4512 wrote to memory of 3588	4512	sppsvc.exe	197
PID 4512 wrote to memory of 3588	4512	sppsvc.exe	197
PID 4512 wrote to memory of 1152	4512	sppsvc.exe	198
PID 4512 wrote to memory of 1152	4512	sppsvc.exe	198
PID 3588 wrote to memory of 4684	3588	WScript.exe	205
PID 3588 wrote to memory of 4684	3588	WScript.exe	205
PID 4684 wrote to memory of 5980	4684	sppsvc.exe	206
PID 4684 wrote to memory of 5980	4684	sppsvc.exe	206

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
"C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fclJj9tIA8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
    "C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\services.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\SearchApp.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sppsvc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WwqJyPGwGZ.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4548
    - - C:\d25f591a00514bc9ba8441\sppsvc.exe
        
        "C:\d25f591a00514bc9ba8441\sppsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97a967b2-c51d-4ed1-bb52-4111fe631438.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\d25f591a00514bc9ba8441\sppsvc.exe
        
        C:\d25f591a00514bc9ba8441\sppsvc.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fad7679-6921-4008-8415-9ab635b9ee69.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\d25f591a00514bc9ba8441\sppsvc.exe
        
        C:\d25f591a00514bc9ba8441\sppsvc.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6b75303-83a7-49c9-b7a9-dd79e7f5297f.vbs"
        10⤵
        
        PID:5980
        
        C:\d25f591a00514bc9ba8441\sppsvc.exe
        
        C:\d25f591a00514bc9ba8441\sppsvc.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ecb4af0-be0b-4124-90b6-ae4ce4aa0ecb.vbs"
        12⤵
        
        PID:4600
        
        C:\d25f591a00514bc9ba8441\sppsvc.exe
        
        C:\d25f591a00514bc9ba8441\sppsvc.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71199bc0-ab06-4ebd-9cc0-759d5cd10fba.vbs"
        14⤵
        
        PID:5184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\389d1c90-d848-41df-8aad-3e158510b982.vbs"
        14⤵
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69d35dd5-3544-47f4-a7eb-fe3aecc43221.vbs"
        12⤵
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91f16309-2005-47e1-8e03-eb5995a47bbc.vbs"
        10⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5f2aaa7-0fb8-4b20-88f3-1f43d2f16812.vbs"
        8⤵
        
        PID:1152
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1561757-7f70-4067-b452-e02f174cc728.vbs"
        6⤵
        
        PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\locale\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\7e20f84d5244aba7145631d4073af8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\7e20f84d5244aba7145631d4073af8\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\7e20f84d5244aba7145631d4073af8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Tasks\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f5671" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f5671" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\d25f591a00514bc9ba8441\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\sysmon.exe

Filesize
1.6MB

MD5
2c4dbe075f37719580a096bf67bf048e

SHA1
71673f7af94683985e875f3db73cbf1a5509228e

SHA256
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567

SHA512
6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\OfficeClickToRun.exe

Filesize
1.6MB

MD5
dcef967eb6475b8634abd3dc0a2a2809

SHA1
c0debe862eb024bc1c5418fbeef2a535876fe455

SHA256
ce71f6ba3e9a6e403f72e6bb6a338a76dea65d65e071277661a88f02765f5c23

SHA512
e4240df55dfdf88ddf6ff9bbc5a6f51ec88d914d0328c1ee840722d472650a80ecde5e6c25d483a807d250c6dec127bfbe3b350a030b2be6b6c60f503277b1ea

Download Submit
C:\Program Files\Windows Portable Devices\RuntimeBroker.exe

Filesize
1.6MB

MD5
a5c6d00488086c464226a0f9bfc4e09a

SHA1
91b6f5f752c178bc619104755e00a3129ca29064

SHA256
a961f961e23572c19d3b4bdf13944da6c7daf652e99e30aeb061a8cfe0aa5c7e

SHA512
6cacf3436012770e6fb25ab999f2b9625343e2b3e14e9bf44f292a61b1afe9c4adb0f7b65f906c7adf3631cd6c8bad2ba4f656d997c7539aa772064ac6b2c839

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.6MB

MD5
8f684966487e7d81d1fa4a825eae3604

SHA1
c4782d7f450dde61898d1e8f04fc4dcc48ed43b1

SHA256
925b611fbbd82cfef9627d32c972d5f0d874a505c459d1bb115b381b8b3867de

SHA512
e6a4ed001d751e014084c99c0a70d72cea76cc6774dfab0b2adcd2ee218cf451d159c1d41ad6b262a376be98e2605fc36b9ed6a52984740d4238cf841ceda731

Download Submit
C:\Recovery\WindowsRE\sihost.exe

Filesize
1.6MB

MD5
19c6348756c1074fd19cbaa8732210ad

SHA1
24bcb891d9e41f5406d0aa70b8ac55de5a5456bc

SHA256
62889d0e8a173e55feae9a8de276a9be53dd142d2860a39a6496b4ab80ffa60b

SHA512
9dac35fe437abbd45f4864e7354dba42e828b393bdddd8c0f4c8504ab2ba05e8d9f746a2c5cb3cd043639fb0dc1a7bffcc5c93373bf833131dec967affe1ff0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f26021db51b2ceb0c03baf5665a86386

SHA1
5487265d705c72daa8495c543f2182a64b373da3

SHA256
56a4d25798b8d3102fec5025892dd6ff79500aee72db311e82b1308f1783db6f

SHA512
e09f018d22c3dee7ff7dbd6d79182e5c94be1aba0ceaeef3652d254712fa8393dc81002e20de3749abd3420ce0ed23dee176fa50eeaf80d6ee09a9dae2a1a49f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35be6e176d67a5af3e24a7f54b4a9574

SHA1
900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9

SHA256
c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7

SHA512
09d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ebbb17f3791dea62cf267d83cf036a4

SHA1
266c27acf64b85afd8380277f767cc54f91ab2b0

SHA256
2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

SHA512
6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
566ef902c25833fe5f7f4484509fe364

SHA1
f8ba6651e7e4c64270e95aac690ad758fa3fc7f8

SHA256
28265aaf259c60ae208b025f4c6b317c0799154b5d40d650bf44ef09f4805514

SHA512
b2c696820b775c0705884f606b4ac464d75d8d5e415bee2fb1e68d07ca288c953936d9286f277082fc11fbae24748c6a872f0be540be37190f0383c7b16820a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e25058a5d8ac6b42d8c7c9883c598303

SHA1
bd9e6194a36a959772fc020f905244900ffc3d57

SHA256
9f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51

SHA512
0146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ecb4af0-be0b-4124-90b6-ae4ce4aa0ecb.vbs

Filesize
712B

MD5
c3a52bc76ad141a794f397da878d748d

SHA1
9f9fcce40aca4fce396a7b748694f099ed46af8c

SHA256
d0c80ad7d23434daed997a8902c21048a73ee90175a21b096e287e2527d24b45

SHA512
861dcb39f142df81c659d7bd4c5805341a366385fc9911f9fbdc4e5eafda152cdda1c0fd4fd1cbc3cfd8993cd407a19a956ef6d280c6c1b850390067012a8a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fad7679-6921-4008-8415-9ab635b9ee69.vbs

Filesize
712B

MD5
6aaff6c40d0a7445fed68b28d8a1b126

SHA1
7004c0dd9591340b05d9b3da90f7d059e6c22ac3

SHA256
733969f0690750e13f6177db539645519729b3af798ab1f6940dca04caf88179

SHA512
804f90ad62c1dacbc4535bbee601ccf91a17aac590f3393e95d31b92ecce9af4e06d08a8e3306898d3a87546215a485dc6efd6012e6bcb26f2fbec1439f23051

Download Submit
C:\Users\Admin\AppData\Local\Temp\71199bc0-ab06-4ebd-9cc0-759d5cd10fba.vbs

Filesize
712B

MD5
ad05fb3cbe714241e524b41a2555c7be

SHA1
e5166f33063b50cb586122df6f8b9cde70c15397

SHA256
76645ec10879ca2b58e2a65aa0f46e906e8e016ed8ba6c2eb543cad0a0483ecc

SHA512
3ca8a328aa3a84fb794a8318c905457a98f341024aaf10f1f3306df1a84d50ceb535d16bc090e107b816ebd762704f425bcb0ae6abcd9fa73f835c49c12bf901

Download Submit
C:\Users\Admin\AppData\Local\Temp\97a967b2-c51d-4ed1-bb52-4111fe631438.vbs

Filesize
711B

MD5
cfd4b1e0aa63d57d0b2657c090a5cd1b

SHA1
c2a83491f41f38dc516f47dc804e431d03c0710d

SHA256
0a3a5cd5f0a9ee135d66fe6fe509fdf789c6bf4ba089e7c652748f69c2b39d60

SHA512
04e1ddc4cac738d3f43be806e8df50e961ec86146b73dbb3eeb83e9df9523440b203215414b14a0761c9e25bf670260e683d97d829005401f97b0d3b617ed09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwqJyPGwGZ.bat

Filesize
201B

MD5
a135f06a13aa5d3094f8e9b4afbbc837

SHA1
878c7df11e84cea7b62c015011818238c1bd5a32

SHA256
3c8f29d67c0cec7d34a0778134699194521f5f25d4267d57b1027d929ac76500

SHA512
67240650992a1edce726b66e3f5af1fb3b11cc018540024516df9522388c3a3a2acca1c4e7baa247279ed870083ed064db1bd9229b8ac8335649ff61271d2dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tno45fce.nww.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1561757-7f70-4067-b452-e02f174cc728.vbs

Filesize
488B

MD5
4193b6fad5b8b52147e08d240c072e55

SHA1
3ca21bcf66f030011247ee7b9216cecaf379f056

SHA256
55be59a1a9ff308dbe29a501f95a2532d856117009b89d856dc36586696a01a3

SHA512
5d5a590b128451b68b4b34154cf971d3de21693268a1200f370c0aedaaf040fc9d6bf05dd935ac9a9633cc7bba35f0973de4717732f4474d7c089871bd215b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6b75303-83a7-49c9-b7a9-dd79e7f5297f.vbs

Filesize
712B

MD5
d6f13bccf9f2038f99254076f4bd31ac

SHA1
9ebfed9b0f0a9ba9ff2c8840a5a5a8b2119e6ba0

SHA256
103516c753a0d4955292809ce2f064efc7b9ab50fc1f4e6afbbc35ca8d6c328f

SHA512
34fb851f7dc779a7041436bd10ade428b76a5251b540ef1aa2b51c0de6bf7075d2acd979bf37cfd15c45af91bd1e7bc184fb8ff4fcb3dcb4f7796f5bd1e3f51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fclJj9tIA8.bat

Filesize
267B

MD5
ca43b64eef1c586ddea808ac083de5b0

SHA1
920d6d04441ecc5f44a2ac4a499601cb1424947a

SHA256
bf6ba8dc241d2a516c59f60e9dfeb8cd1b078acdbe54650364840a9bc2c68ad4

SHA512
c618d3bcb3b8baffa9c7b56daf0a5bd997605f81822a3584a8d91ee73b2cb1ab17c92a515d5cd63fe7f042b029c4a70aa7aac58b9610d869628e7054af1d1788

Download Submit
C:\Windows\Tasks\RCXAADC.tmp

Filesize
1.6MB

MD5
393994fdcd402a26dac56ed71f034664

SHA1
1d5802c2491af65e59ab4ec0bac6193d50ac22e4

SHA256
920a87568569f82f3f6bc05f4753915b32bc85c84e0d040c39fd44862036abfb

SHA512
9657dcd4d1950301d745c441923fe8fd59a24e6a2dfa510c231ef564eeb62df2477e9248fd02d34ff3ea03dbaad0a338e24f8442a8f3db35e89a1ae5a75183be

Download Submit
C:\d25f591a00514bc9ba8441\dwm.exe

Filesize
1.6MB

MD5
b933adf1037aa4ac5cc3b777c1e7923a

SHA1
ebe55fe8696751718f5a58aea1cec763ae63acf2

SHA256
fc97d24ab42979eaba208bedc2eaaefc0ee508d0f77f57c7007dc861513296be

SHA512
55ddbede7793061d7a3a39f978bcb78a8aa00411d4db62493fd212916c7d0b32a02ab3c02146b65a2b2d2beaf0f90fc53442d98e5c21bfb6978f909ccbd42698

Download Submit
memory/3480-15-0x000000001B050000-0x000000001B058000-memory.dmp

Filesize
32KB

Download
memory/3480-11-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

Filesize
48KB

Download
memory/3480-221-0x00007FFDE7D60000-0x00007FFDE8821000-memory.dmp

Filesize
10.8MB

Download
memory/3480-204-0x00007FFDE7D60000-0x00007FFDE8821000-memory.dmp

Filesize
10.8MB

Download
memory/3480-186-0x00007FFDE7D63000-0x00007FFDE7D65000-memory.dmp

Filesize
8KB

Download
memory/3480-12-0x000000001AEC0000-0x000000001AECA000-memory.dmp

Filesize
40KB

Download
memory/3480-13-0x000000001AED0000-0x000000001AEDE000-memory.dmp

Filesize
56KB

Download
memory/3480-17-0x000000001B070000-0x000000001B07C000-memory.dmp

Filesize
48KB

Download
memory/3480-14-0x000000001AEE0000-0x000000001AEE8000-memory.dmp

Filesize
32KB

Download
memory/3480-16-0x000000001B060000-0x000000001B06A000-memory.dmp

Filesize
40KB

Download
memory/3480-0-0x00007FFDE7D63000-0x00007FFDE7D65000-memory.dmp

Filesize
8KB

Download
memory/3480-1-0x0000000000090000-0x0000000000232000-memory.dmp

Filesize
1.6MB

Download
memory/3480-10-0x000000001AEA0000-0x000000001AEAC000-memory.dmp

Filesize
48KB

Download
memory/3480-9-0x000000001AE90000-0x000000001AE98000-memory.dmp

Filesize
32KB

Download
memory/3480-8-0x000000001AE80000-0x000000001AE90000-memory.dmp

Filesize
64KB

Download
memory/3480-7-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/3480-6-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/3480-5-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/3480-4-0x000000001B000000-0x000000001B050000-memory.dmp

Filesize
320KB

Download
memory/3480-3-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/3480-2-0x00007FFDE7D60000-0x00007FFDE8821000-memory.dmp

Filesize
10.8MB

Download
memory/5076-226-0x000002E393A70000-0x000002E393A92000-memory.dmp

Filesize
136KB

Download