dcrat | 597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Size

5.9MB
MD5

f3e5836ba9def44862cd5adb5d1ad9e5
SHA1

8b74f80ba8799969abe367bf502d9725129ffdeb
SHA256

597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd
SHA512

7f8c313d90a6460f446555170e624256796de3f5771454d836c2c20d67dcd7673ff7fd6c09bb87f14ae55bb18c671821f4106833444b9fd85f45b4235e3f8052
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw46:hyeU11Rvqmu8TWKnF6N/1wN

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2300	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2300	schtasks.exe	89

UAC bypass 3 TTPs 24 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1704	powershell.exe
1808	powershell.exe
2384	powershell.exe
3008	powershell.exe
4292	powershell.exe
5008	powershell.exe
2240	powershell.exe
1120	powershell.exe
2904	powershell.exe
2280	powershell.exe
3288	powershell.exe
676	powershell.exe
2024	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 7 IoCs

pid	Process
5872	csrss.exe
3496	csrss.exe
1840	csrss.exe
5720	csrss.exe
4344	csrss.exe
2584	csrss.exe
1676	csrss.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
5872	csrss.exe
5872	csrss.exe
3496	csrss.exe
3496	csrss.exe
1840	csrss.exe
1840	csrss.exe
5720	csrss.exe
5720	csrss.exe
4344	csrss.exe
4344	csrss.exe
2584	csrss.exe
2584	csrss.exe
1676	csrss.exe
1676	csrss.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\dllhost.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RCXBF10.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\5b884080fd4f94	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\Common Files\microsoft shared\dllhost.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\Windows Defender\it-IT\ea1d8f6d871115	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\Windows Portable Devices\55b276f4edf653	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RCXBCFB.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\Windows Defender\it-IT\upfc.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RCXBF21.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\RCXC369.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\RCXC37A.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\upfc.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD20C.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD28A.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RCXBCFC.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Program Files\Common Files\microsoft shared\5940a34987c991	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\csrss.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Windows\de-DE\csrss.exe	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File created	C:\Windows\de-DE\886983d96e3d3e	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Windows\de-DE\RCXBAC6.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
File opened for modification	C:\Windows\de-DE\RCXBAD7.tmp	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4600	schtasks.exe
916	schtasks.exe
2704	schtasks.exe
452	schtasks.exe
3116	schtasks.exe
768	schtasks.exe
1736	schtasks.exe
5080	schtasks.exe
2228	schtasks.exe
1480	schtasks.exe
368	schtasks.exe
4284	schtasks.exe
4568	schtasks.exe
1840	schtasks.exe
2196	schtasks.exe
5104	schtasks.exe
3164	schtasks.exe
4816	schtasks.exe
4168	schtasks.exe
3260	schtasks.exe
940	schtasks.exe
1924	schtasks.exe
1536	schtasks.exe
2760	schtasks.exe
1584	schtasks.exe
3144	schtasks.exe
3376	schtasks.exe
376	schtasks.exe
5060	schtasks.exe
224	schtasks.exe
4044	schtasks.exe
3428	schtasks.exe
1596	schtasks.exe
1376	schtasks.exe
5064	schtasks.exe
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2024	powershell.exe
2024	powershell.exe
676	powershell.exe
676	powershell.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
4292	powershell.exe
4292	powershell.exe
2384	powershell.exe
2384	powershell.exe
3008	powershell.exe
3008	powershell.exe
3288	powershell.exe
3288	powershell.exe
2904	powershell.exe
2904	powershell.exe
2240	powershell.exe
2240	powershell.exe
1704	powershell.exe
1704	powershell.exe
1808	powershell.exe
1808	powershell.exe
1120	powershell.exe
1120	powershell.exe
5008	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	5872	csrss.exe
Token: SeDebugPrivilege	3496	csrss.exe
Token: SeDebugPrivilege	1840	csrss.exe
Token: SeDebugPrivilege	5720	csrss.exe
Token: SeDebugPrivilege	4344	csrss.exe
Token: SeDebugPrivilege	2584	csrss.exe
Token: SeDebugPrivilege	1676	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2280	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	135
PID 2948 wrote to memory of 2280	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	135
PID 2948 wrote to memory of 4292	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	136
PID 2948 wrote to memory of 4292	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	136
PID 2948 wrote to memory of 2904	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	137
PID 2948 wrote to memory of 2904	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	137
PID 2948 wrote to memory of 3008	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	138
PID 2948 wrote to memory of 3008	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	138
PID 2948 wrote to memory of 2384	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	139
PID 2948 wrote to memory of 2384	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	139
PID 2948 wrote to memory of 1808	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	140
PID 2948 wrote to memory of 1808	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	140
PID 2948 wrote to memory of 1704	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	141
PID 2948 wrote to memory of 1704	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	141
PID 2948 wrote to memory of 1120	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	142
PID 2948 wrote to memory of 1120	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	142
PID 2948 wrote to memory of 2024	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	143
PID 2948 wrote to memory of 2024	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	143
PID 2948 wrote to memory of 676	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	144
PID 2948 wrote to memory of 676	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	144
PID 2948 wrote to memory of 3288	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	145
PID 2948 wrote to memory of 3288	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	145
PID 2948 wrote to memory of 2240	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	146
PID 2948 wrote to memory of 2240	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	146
PID 2948 wrote to memory of 5008	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	147
PID 2948 wrote to memory of 5008	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	147
PID 2948 wrote to memory of 2484	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	161
PID 2948 wrote to memory of 2484	2948	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe	161
PID 2484 wrote to memory of 5436	2484	cmd.exe	163
PID 2484 wrote to memory of 5436	2484	cmd.exe	163
PID 2484 wrote to memory of 5872	2484	cmd.exe	164
PID 2484 wrote to memory of 5872	2484	cmd.exe	164
PID 5872 wrote to memory of 6096	5872	csrss.exe	165
PID 5872 wrote to memory of 6096	5872	csrss.exe	165
PID 5872 wrote to memory of 6140	5872	csrss.exe	166
PID 5872 wrote to memory of 6140	5872	csrss.exe	166
PID 6096 wrote to memory of 3496	6096	WScript.exe	168
PID 6096 wrote to memory of 3496	6096	WScript.exe	168
PID 3496 wrote to memory of 5428	3496	csrss.exe	170
PID 3496 wrote to memory of 5428	3496	csrss.exe	170
PID 3496 wrote to memory of 3148	3496	csrss.exe	171
PID 3496 wrote to memory of 3148	3496	csrss.exe	171
PID 5428 wrote to memory of 1840	5428	WScript.exe	178
PID 5428 wrote to memory of 1840	5428	WScript.exe	178
PID 1840 wrote to memory of 5700	1840	csrss.exe	179
PID 1840 wrote to memory of 5700	1840	csrss.exe	179
PID 1840 wrote to memory of 5064	1840	csrss.exe	180
PID 1840 wrote to memory of 5064	1840	csrss.exe	180
PID 5700 wrote to memory of 5720	5700	WScript.exe	181
PID 5700 wrote to memory of 5720	5700	WScript.exe	181
PID 5720 wrote to memory of 5640	5720	csrss.exe	182
PID 5720 wrote to memory of 5640	5720	csrss.exe	182
PID 5720 wrote to memory of 2776	5720	csrss.exe	183
PID 5720 wrote to memory of 2776	5720	csrss.exe	183
PID 5640 wrote to memory of 4344	5640	WScript.exe	184
PID 5640 wrote to memory of 4344	5640	WScript.exe	184
PID 4344 wrote to memory of 632	4344	csrss.exe	185
PID 4344 wrote to memory of 632	4344	csrss.exe	185
PID 4344 wrote to memory of 5932	4344	csrss.exe	186
PID 4344 wrote to memory of 5932	4344	csrss.exe	186
PID 632 wrote to memory of 2584	632	WScript.exe	188
PID 632 wrote to memory of 2584	632	WScript.exe	188
PID 2584 wrote to memory of 5352	2584	csrss.exe	189
PID 2584 wrote to memory of 5352	2584	csrss.exe	189

System policy modification 1 TTPs 24 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe
"C:\Users\Admin\AppData\Local\Temp\597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/a5520cf74cedd2462ce392906afc/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/c2c7c62e3dd3bcbd2ee6d4/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F52IVAaXss.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5436
- - C:\Windows\de-DE\csrss.exe
    "C:\Windows\de-DE\csrss.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5872
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30b7cbae-abd3-4938-8335-7f6cab4d27c3.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6096
    - - C:\Windows\de-DE\csrss.exe
        
        C:\Windows\de-DE\csrss.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3496
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2700e03-e945-4026-9054-de4d50a98333.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5428
        
        C:\Windows\de-DE\csrss.exe
        
        C:\Windows\de-DE\csrss.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c456974-e70a-4f2f-9ca7-d1adc6ecd035.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5700
        
        C:\Windows\de-DE\csrss.exe
        
        C:\Windows\de-DE\csrss.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84fee740-cbb5-4e95-a112-83e290204941.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5640
        
        C:\Windows\de-DE\csrss.exe
        
        C:\Windows\de-DE\csrss.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61080bfd-d74c-471b-955b-fe839b3c6c30.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\de-DE\csrss.exe
        
        C:\Windows\de-DE\csrss.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\569e08d3-7ff1-49cc-99f5-0c83960a055d.vbs"
        14⤵
        
        PID:5352
        
        C:\Windows\de-DE\csrss.exe
        
        C:\Windows\de-DE\csrss.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bb6b817-605c-4f59-83bd-176ee5be65b0.vbs"
        16⤵
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88f7677f-f8c3-4bb4-828a-aac8d3bb3dec.vbs"
        16⤵
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e93e57d1-1feb-4a83-857f-1951bfc41843.vbs"
        14⤵
        
        PID:5336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c2d728e-6a0d-43b8-bc5d-524077db50d2.vbs"
        12⤵
        
        PID:5932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc593efa-237e-44aa-9366-d2e29567661e.vbs"
        10⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a430e2c-082a-4b54-a8c3-bddbba2c6d14.vbs"
        8⤵
        
        PID:5064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb58cff1-be72-4e69-9b99-011d0a2f2118.vbs"
        6⤵
        
        PID:3148
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cf02df4-7565-4dfa-91ec-42e7162a5454.vbs"
      4⤵
      PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\a5520cf74cedd2462ce392906afc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\a5520cf74cedd2462ce392906afc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\a5520cf74cedd2462ce392906afc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\it-IT\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\a5520cf74cedd2462ce392906afc\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\a5520cf74cedd2462ce392906afc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\a5520cf74cedd2462ce392906afc\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\c2c7c62e3dd3bcbd2ee6d4\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Defender\it-IT\upfc.exe

Filesize
5.9MB

MD5
f3e5836ba9def44862cd5adb5d1ad9e5

SHA1
8b74f80ba8799969abe367bf502d9725129ffdeb

SHA256
597a997556f01cdcf12ecc949d04518e9ed4f9e2223dbf666dce77ae0f031cdd

SHA512
7f8c313d90a6460f446555170e624256796de3f5771454d836c2c20d67dcd7673ff7fd6c09bb87f14ae55bb18c671821f4106833444b9fd85f45b4235e3f8052

Download Submit
C:\Program Files\Windows Portable Devices\RCXD28A.tmp

Filesize
5.9MB

MD5
b07455fffa0adcd5244b22bd8db02b47

SHA1
129a98a2270c4e4197ee36830a7a4288f6a3c98b

SHA256
4990b19c3b7c64638041ed28398745b21f0e7fd776d12be2c6c3a9a18ec74018

SHA512
857e2e0b4f1fa7e1e64e72450358be22df36e56a1d92bb792fec71a05a2cd8e62a9ca565473304975884a78211520c06dcdecb31f7606c2bcad4553c0f701741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\unsecapp.exe

Filesize
5.9MB

MD5
cc0fde9fd30838352399139e520342f6

SHA1
b55f2c593ff990c93db47b718f653c13da57dc90

SHA256
20d2bb2363f66e6e7dc07e19f1e424b10d6f30e73e006f576c431ccbeeed6587

SHA512
88f95d9f6ee77ad1976ee0020b80f4ffea62f381df8182c9c4627760b130fecfdfd4352e16cc2704cb4cc50088b51f1e6c52d8fa5fd4df1fe1cff51476fef6e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f2ad62dba9a81bbeb71bcd289d0a9ef5

SHA1
911d5a49479a9635ba27582d04a3bf3725eefbc8

SHA256
0265a3a01ef4169a5896beb138ea23c1ee7c5127f5d91d547bd4c169f28a32fe

SHA512
1a953ae39512a6bbe7fc803386b505c682689b657703da535cbc97af68424b115264f06b2c5f7ec5bf809f6d79503efe4e7ae36b5e479bf328b0258e60596bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
643f98db244717856667bfd771e9db1c

SHA1
5434950e3506ae0cca216690c8fb5d2b38dd591d

SHA256
5e01aecf68e759cce4264330c3b7bc5b30b0d6c17718e558543c87530cf78256

SHA512
886d498dfce303f191b32d7001197aad7bd5eec12b5885ef620be32750902da2369536b10f451e712380bd7b420c051447b998d42f53ffae9b6a358c4db66a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
56addce8ad0788fa7ed121c8239f965f

SHA1
ac9482a712ad866d8d8ba241489613344883ba32

SHA256
cf8f4a84a53607b45f9dfed75c34776b03777d64ac3c44112ccc5638957557d8

SHA512
ecb98df46c6ccec6e9f401f1c8456b26cf38afe82e2bea885c8dc10619fcbaba9e89432f055b1bdbcce40254b06b1e20e330ea4ac724e4f0c673a5697c548521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80dfd43d9904cb4bdd37f6934f47ccf8

SHA1
72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

SHA256
a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

SHA512
793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ebbb17f3791dea62cf267d83cf036a4

SHA1
266c27acf64b85afd8380277f767cc54f91ab2b0

SHA256
2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

SHA512
6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bb6b817-605c-4f59-83bd-176ee5be65b0.vbs

Filesize
702B

MD5
d0f8b0ac089d53ab50fef6843d68b3c4

SHA1
5907d63401843f693114b0fe522a4caff1fb6307

SHA256
32d9ba2ca21161a9e3b9ab3dbebc169982b390a266730dfa2bf9d9d290471739

SHA512
e912f85f83a7c00378b282055a22bb65115c28902b5a1b343959b6ccc1414d4b9350f19fde67248897ed5a7294103ec8b67d27c9ee2d7e4ae5fa046aeacfb3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\30b7cbae-abd3-4938-8335-7f6cab4d27c3.vbs

Filesize
702B

MD5
95963021d793f88b21103b329a708fa4

SHA1
fc35d9305af8c59188837769585c91be1c709566

SHA256
130e04391b75ae42da85f60f25971e972d249eba91361ce7075abce37a27b188

SHA512
7a93dd935889334a06d9ef6daeccd186a718581b4f31391fdf5e6297c670c92cded3674a71df82b57c2c981c96b1db9cae13c2a42e9f6502bcf17ef5d9e7253a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cf02df4-7565-4dfa-91ec-42e7162a5454.vbs

Filesize
478B

MD5
15f90df90984174cac5b7b7159c08b2d

SHA1
cf4b54855c7350147495b9bfc36b36e1de94b869

SHA256
4de125f7b0339237911070f2e9fc8c82cc86dd6bdb23085d7e5b7edbb5cafc72

SHA512
ce69bafd19289584a6a1d6df0f27adba594b2605c0ef454f110e8f3eb63e9d7465ed10ccbefe3113f4f1f115f06eb0401c083f6ba4a433f1037920e98b1f5d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\569e08d3-7ff1-49cc-99f5-0c83960a055d.vbs

Filesize
702B

MD5
513c852dc2c01294ef995a60f5c8f9c2

SHA1
ba1370a02c482cefd33487998d0be24b2c6ded8f

SHA256
b27f419f9fec5f37749024100293a2ed6a65751250121cbcc14ba1bbdce7870e

SHA512
4c5806b1dddcdc715ea516e62e0e0c37fbb701986a7aac67e607bea9241a5c8f35fd7c758be4101705f863b90a398f6ad26ab99caa3c4d2362c997a27a72aa78

Download Submit
C:\Users\Admin\AppData\Local\Temp\61080bfd-d74c-471b-955b-fe839b3c6c30.vbs

Filesize
702B

MD5
3656ba3ff4740e113b5dbbf375c22aae

SHA1
388647a9e548f1fe0650155c4b860a0eafe88f0a

SHA256
9041cf3156fba05c3a237bdd7377f9eacaefaa2754edc51a26587d9397e00751

SHA512
3908aca5ad7fd40fd63aeef70c93c81551885729227f952c3bd681daabc02426f4c1a3f5a24917060675f182b33afadb4869cffdf5b937024c484ecb7b1a121f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c456974-e70a-4f2f-9ca7-d1adc6ecd035.vbs

Filesize
702B

MD5
1df907865991ce5a73a6c02d87d70456

SHA1
1c6b003a38d718162fcb637e042595d1ed4121a0

SHA256
e45c83eec65e7e7b83e5951d0deffa8e2a8206013ef57b24edd89e0ca80d85bd

SHA512
37e7dffd6ebb89d610d729d89a159d5612f279b652f4085ac75638b25a0fe9c6dbef787b6081cbc46f598d87bdfdad1fc8b5a28f3ac2526892e3e52e7d6659a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\84fee740-cbb5-4e95-a112-83e290204941.vbs

Filesize
702B

MD5
3b4a968fafb2d8e76d6b8367df336980

SHA1
65c5c27e04d5e2108b745fd0b778ae4af345b123

SHA256
6782d9e93095127a849c4a6544c5d50cc9a101afd7a255104f7257febf192a97

SHA512
7f72fe633fb9e13e6d7b322d53bd861e430da683d3cf98336335fcf46b4ce7c5ff9431cfd7627acfb5ef3ff0b4fe4512822b2c48019a727ed8d86cfe8e8f6a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F52IVAaXss.bat

Filesize
191B

MD5
d5e7606cb3ebafac14f73f99885f8b5e

SHA1
faae72a846dc7701d0555179ecc0bc312a7e46bb

SHA256
231bbbbee562fd9c8121e36eb0c03607a2942911b717bfbd7031ab998d9b8bbd

SHA512
22693a8f49c7fe49921d3ad05eafc9961ad32c3fa8838fe6b5ecc6239542035da6a4f7a73fa51748376ccad2d3c6c0ff5efcd6ebde98e279ac8f9e6607eb7cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srvnnfe3.xft.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2700e03-e945-4026-9054-de4d50a98333.vbs

Filesize
702B

MD5
a32e23f29351d0fd11e5d6f785a43317

SHA1
196ae9655f19a3cbe7d7c4a344890cb8f57864ee

SHA256
1be9fb8c8f68247501e290201f5696a91e9b8baab4f0b6f03faabeead864f878

SHA512
b42574d2b5867c886f975bea6911704afe25cb0e98718c80caf6479e57076d5a7ecbe959ac47a41690ab85a45516c271d1e46fea293a701011283d9f22b65080

Download Submit
C:\a5520cf74cedd2462ce392906afc\fontdrvhost.exe

Filesize
5.9MB

MD5
d0eef120fd270fe8f761d1d1f0810e5a

SHA1
815a61856c5518025203ebe74ebc93731dd6bba2

SHA256
29815407469315cd6341f94268bf974beaf4ca13cf62cb5c22ad0cbf7b3f2ea4

SHA512
5d86e60ab36940e9c9b98b815bb1a503270c39ac1ef3b21a3deebf0f9c2530070ea6dd45f6c69c9f58b6d48eb2bcb72706dbbf7bc6fc08a3b19bb901a3110a30

Download Submit
memory/676-233-0x00000202090A0000-0x00000202090C2000-memory.dmp

Filesize
136KB

Download
memory/2948-17-0x000000001C340000-0x000000001C34A000-memory.dmp

Filesize
40KB

Download
memory/2948-19-0x000000001C3A0000-0x000000001C3AC000-memory.dmp

Filesize
48KB

Download
memory/2948-25-0x000000001C940000-0x000000001CE68000-memory.dmp

Filesize
5.2MB

Download
memory/2948-27-0x000000001C420000-0x000000001C42C000-memory.dmp

Filesize
48KB

Download
memory/2948-26-0x000000001C410000-0x000000001C41C000-memory.dmp

Filesize
48KB

Download
memory/2948-29-0x000000001C440000-0x000000001C44C000-memory.dmp

Filesize
48KB

Download
memory/2948-30-0x000000001C450000-0x000000001C45C000-memory.dmp

Filesize
48KB

Download
memory/2948-32-0x000000001C560000-0x000000001C56C000-memory.dmp

Filesize
48KB

Download
memory/2948-31-0x000000001C6D0000-0x000000001C6D8000-memory.dmp

Filesize
32KB

Download
memory/2948-28-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/2948-36-0x000000001C6A0000-0x000000001C6AE000-memory.dmp

Filesize
56KB

Download
memory/2948-35-0x000000001C690000-0x000000001C698000-memory.dmp

Filesize
32KB

Download
memory/2948-34-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/2948-33-0x000000001C570000-0x000000001C57A000-memory.dmp

Filesize
40KB

Download
memory/2948-37-0x000000001C6B0000-0x000000001C6B8000-memory.dmp

Filesize
32KB

Download
memory/2948-38-0x000000001C6C0000-0x000000001C6CC000-memory.dmp

Filesize
48KB

Download
memory/2948-39-0x000000001C6E0000-0x000000001C6E8000-memory.dmp

Filesize
32KB

Download
memory/2948-40-0x000000001C6F0000-0x000000001C6FA000-memory.dmp

Filesize
40KB

Download
memory/2948-41-0x000000001C700000-0x000000001C70C000-memory.dmp

Filesize
48KB

Download
memory/2948-22-0x000000001C3D0000-0x000000001C3D8000-memory.dmp

Filesize
32KB

Download
memory/2948-21-0x000000001C3C0000-0x000000001C3CC000-memory.dmp

Filesize
48KB

Download
memory/2948-20-0x000000001C3B0000-0x000000001C3B8000-memory.dmp

Filesize
32KB

Download
memory/2948-187-0x00007FFFE1C93000-0x00007FFFE1C95000-memory.dmp

Filesize
8KB

Download
memory/2948-24-0x000000001C3E0000-0x000000001C3F2000-memory.dmp

Filesize
72KB

Download
memory/2948-210-0x00007FFFE1C90000-0x00007FFFE2751000-memory.dmp

Filesize
10.8MB

Download
memory/2948-18-0x000000001C350000-0x000000001C3A6000-memory.dmp

Filesize
344KB

Download
memory/2948-235-0x00007FFFE1C90000-0x00007FFFE2751000-memory.dmp

Filesize
10.8MB

Download
memory/2948-0-0x00007FFFE1C93000-0x00007FFFE1C95000-memory.dmp

Filesize
8KB

Download
memory/2948-15-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

Filesize
32KB

Download
memory/2948-16-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/2948-14-0x000000001BBD0000-0x000000001BBDC000-memory.dmp

Filesize
48KB

Download
memory/2948-8-0x000000001C1F0000-0x000000001C240000-memory.dmp

Filesize
320KB

Download
memory/2948-9-0x000000001BA40000-0x000000001BA48000-memory.dmp

Filesize
32KB

Download
memory/2948-10-0x000000001BA50000-0x000000001BA60000-memory.dmp

Filesize
64KB

Download
memory/2948-11-0x000000001BA60000-0x000000001BA76000-memory.dmp

Filesize
88KB

Download
memory/2948-1-0x0000000000500000-0x0000000000DF8000-memory.dmp

Filesize
9.0MB

Download
memory/2948-2-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/2948-12-0x000000001BA80000-0x000000001BA88000-memory.dmp

Filesize
32KB

Download
memory/2948-13-0x000000001BA90000-0x000000001BAA2000-memory.dmp

Filesize
72KB

Download
memory/2948-6-0x000000001BA10000-0x000000001BA18000-memory.dmp

Filesize
32KB

Download
memory/2948-7-0x000000001BA20000-0x000000001BA3C000-memory.dmp

Filesize
112KB

Download
memory/2948-5-0x0000000002F20000-0x0000000002F2E000-memory.dmp

Filesize
56KB

Download
memory/2948-3-0x00007FFFE1C90000-0x00007FFFE2751000-memory.dmp

Filesize
10.8MB

Download
memory/2948-4-0x0000000002F10000-0x0000000002F1E000-memory.dmp

Filesize
56KB

Download
memory/5720-406-0x000000001D340000-0x000000001D352000-memory.dmp

Filesize
72KB

Download
memory/5872-368-0x000000001DDA0000-0x000000001DDF6000-memory.dmp

Filesize
344KB

Download
memory/5872-367-0x000000001DD10000-0x000000001DD22000-memory.dmp

Filesize
72KB

Download