dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f736c152b3d1812f1142ed0da99e0ac8.exe
Size

5.9MB
MD5

f736c152b3d1812f1142ed0da99e0ac8
SHA1

5df819dd9a3c73b64b33950ecfac1c690fa0f03d
SHA256

78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246
SHA512

a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4X:hyeU11Rvqmu8TWKnF6N/1wC

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	2944	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2944	schtasks.exe	88

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1960	powershell.exe
3044	powershell.exe
820	powershell.exe
1180	powershell.exe
3168	powershell.exe
60	powershell.exe
4260	powershell.exe
3712	powershell.exe
3040	powershell.exe
4568	powershell.exe
3704	powershell.exe
1664	powershell.exe
4104	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f736c152b3d1812f1142ed0da99e0ac8.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 10 IoCs

pid	Process
5400	sysmon.exe
5832	sysmon.exe
4356	sysmon.exe
2204	sysmon.exe
4592	sysmon.exe
5488	sysmon.exe
6028	sysmon.exe
4312	sysmon.exe
888	sysmon.exe
5252	sysmon.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
5400	sysmon.exe
5400	sysmon.exe
5832	sysmon.exe
5832	sysmon.exe
4356	sysmon.exe
4356	sysmon.exe
2204	sysmon.exe
2204	sysmon.exe
4592	sysmon.exe
4592	sysmon.exe
5488	sysmon.exe
5488	sysmon.exe
6028	sysmon.exe
6028	sysmon.exe
4312	sysmon.exe
4312	sysmon.exe
888	sysmon.exe
888	sysmon.exe
5252	sysmon.exe
5252	sysmon.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office 15\RCX8C2B.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCX8C3B.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX8E5F.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX956B.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\5b884080fd4f94	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\TextInputHost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\22eafd247d37c3	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Microsoft.NET\eddb19405b7ce1	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Reference Assemblies\SearchApp.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\Microsoft Office 15\121e5b5079f7c0	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Microsoft Office 15\sysmon.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX9094.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\fontdrvhost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Reference Assemblies\38384e6a620884	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX955B.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\9e8d7a4ca61bd9	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX90A4.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX8E80.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\fontdrvhost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\TextInputHost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\SearchApp.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX85CD.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXA303.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXA314.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\Microsoft Office 15\sysmon.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX85BC.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\OCR\it-it\OfficeClickToRun.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\ShellComponents\f736c152b3d1812f1142ed0da99e0ac8.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\ShellComponents\62ab93cd72465b	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\ShellComponents\RCXA9EF.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\ShellComponents\RCXA9FF.tmp	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\ShellComponents\f736c152b3d1812f1142ed0da99e0ac8.exe	f736c152b3d1812f1142ed0da99e0ac8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2556	schtasks.exe
4436	schtasks.exe
4200	schtasks.exe
2268	schtasks.exe
2676	schtasks.exe
2376	schtasks.exe
1480	schtasks.exe
2588	schtasks.exe
2564	schtasks.exe
4080	schtasks.exe
3140	schtasks.exe
4208	schtasks.exe
1960	schtasks.exe
4896	schtasks.exe
224	schtasks.exe
2092	schtasks.exe
1468	schtasks.exe
5008	schtasks.exe
2972	schtasks.exe
1220	schtasks.exe
3576	schtasks.exe
3068	schtasks.exe
2696	schtasks.exe
1348	schtasks.exe
1732	schtasks.exe
4672	schtasks.exe
4472	schtasks.exe
1684	schtasks.exe
3948	schtasks.exe
368	schtasks.exe
1908	schtasks.exe
3144	schtasks.exe
564	schtasks.exe
4860	schtasks.exe
3596	schtasks.exe
1596	schtasks.exe
3712	schtasks.exe
2472	schtasks.exe
412	schtasks.exe
4632	schtasks.exe
1472	schtasks.exe
1568	schtasks.exe
2984	schtasks.exe
5056	schtasks.exe
4344	schtasks.exe
2808	schtasks.exe
2256	schtasks.exe
4132	schtasks.exe
4192	schtasks.exe
4840	schtasks.exe
3820	schtasks.exe
3888	schtasks.exe
1460	schtasks.exe
4444	schtasks.exe
2468	schtasks.exe
1932	schtasks.exe
4664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe
1224	f736c152b3d1812f1142ed0da99e0ac8.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	5400	sysmon.exe
Token: SeDebugPrivilege	5832	sysmon.exe
Token: SeDebugPrivilege	4356	sysmon.exe
Token: SeDebugPrivilege	2204	sysmon.exe
Token: SeDebugPrivilege	4592	sysmon.exe
Token: SeDebugPrivilege	5488	sysmon.exe
Token: SeDebugPrivilege	6028	sysmon.exe
Token: SeDebugPrivilege	4312	sysmon.exe
Token: SeDebugPrivilege	888	sysmon.exe
Token: SeDebugPrivilege	5252	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1960	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	152
PID 1224 wrote to memory of 1960	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	152
PID 1224 wrote to memory of 3044	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	153
PID 1224 wrote to memory of 3044	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	153
PID 1224 wrote to memory of 60	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	154
PID 1224 wrote to memory of 60	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	154
PID 1224 wrote to memory of 4260	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	155
PID 1224 wrote to memory of 4260	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	155
PID 1224 wrote to memory of 3712	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	156
PID 1224 wrote to memory of 3712	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	156
PID 1224 wrote to memory of 820	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	157
PID 1224 wrote to memory of 820	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	157
PID 1224 wrote to memory of 1180	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	158
PID 1224 wrote to memory of 1180	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	158
PID 1224 wrote to memory of 3040	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	159
PID 1224 wrote to memory of 3040	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	159
PID 1224 wrote to memory of 3168	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	160
PID 1224 wrote to memory of 3168	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	160
PID 1224 wrote to memory of 4568	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	161
PID 1224 wrote to memory of 4568	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	161
PID 1224 wrote to memory of 3704	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	162
PID 1224 wrote to memory of 3704	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	162
PID 1224 wrote to memory of 1664	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	163
PID 1224 wrote to memory of 1664	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	163
PID 1224 wrote to memory of 4104	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	164
PID 1224 wrote to memory of 4104	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	164
PID 1224 wrote to memory of 3576	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	178
PID 1224 wrote to memory of 3576	1224	f736c152b3d1812f1142ed0da99e0ac8.exe	178
PID 3576 wrote to memory of 3680	3576	cmd.exe	180
PID 3576 wrote to memory of 3680	3576	cmd.exe	180
PID 3576 wrote to memory of 5400	3576	cmd.exe	181
PID 3576 wrote to memory of 5400	3576	cmd.exe	181
PID 5400 wrote to memory of 5608	5400	sysmon.exe	182
PID 5400 wrote to memory of 5608	5400	sysmon.exe	182
PID 5400 wrote to memory of 5652	5400	sysmon.exe	183
PID 5400 wrote to memory of 5652	5400	sysmon.exe	183
PID 5608 wrote to memory of 5832	5608	WScript.exe	186
PID 5608 wrote to memory of 5832	5608	WScript.exe	186
PID 5832 wrote to memory of 1672	5832	sysmon.exe	190
PID 5832 wrote to memory of 1672	5832	sysmon.exe	190
PID 5832 wrote to memory of 2512	5832	sysmon.exe	191
PID 5832 wrote to memory of 2512	5832	sysmon.exe	191
PID 1672 wrote to memory of 4356	1672	WScript.exe	195
PID 1672 wrote to memory of 4356	1672	WScript.exe	195
PID 4356 wrote to memory of 4140	4356	sysmon.exe	197
PID 4356 wrote to memory of 4140	4356	sysmon.exe	197
PID 4356 wrote to memory of 3136	4356	sysmon.exe	198
PID 4356 wrote to memory of 3136	4356	sysmon.exe	198
PID 4140 wrote to memory of 2204	4140	WScript.exe	199
PID 4140 wrote to memory of 2204	4140	WScript.exe	199
PID 2204 wrote to memory of 5244	2204	sysmon.exe	200
PID 2204 wrote to memory of 5244	2204	sysmon.exe	200
PID 2204 wrote to memory of 232	2204	sysmon.exe	201
PID 2204 wrote to memory of 232	2204	sysmon.exe	201
PID 5244 wrote to memory of 4592	5244	WScript.exe	202
PID 5244 wrote to memory of 4592	5244	WScript.exe	202
PID 4592 wrote to memory of 5628	4592	sysmon.exe	204
PID 4592 wrote to memory of 5628	4592	sysmon.exe	204
PID 4592 wrote to memory of 5580	4592	sysmon.exe	205
PID 4592 wrote to memory of 5580	4592	sysmon.exe	205
PID 5628 wrote to memory of 5488	5628	WScript.exe	206
PID 5628 wrote to memory of 5488	5628	WScript.exe	206
PID 5488 wrote to memory of 5840	5488	sysmon.exe	207
PID 5488 wrote to memory of 5840	5488	sysmon.exe	207

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe
"C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/d9c22b4eaa3c0b9c12c7/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/dfe2e59cddd00040f555dab607351a1d/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EZ0S9RMyIO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3680
- - C:\Program Files\Microsoft Office 15\sysmon.exe
    "C:\Program Files\Microsoft Office 15\sysmon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5400
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0415058f-2d97-4a89-8597-70423d91e8a2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5608
    - - C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5832
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f5ad25-5697-4b76-8165-bad78bf83811.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae959068-c232-40cc-aa3d-6684f7a70eeb.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6660fd03-92a2-42c4-93b1-babd42de261f.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5244
        
        C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f39dd94-7d67-4d88-9ed6-bb340b999e90.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5628
        
        C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9f3d80f-1aed-4583-8d65-ee6d21c50e9e.vbs"
        14⤵
        
        PID:5840
        
        C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2820a57c-ac86-4a9e-8d8b-4e423b9be8e9.vbs"
        16⤵
        
        PID:5296
        
        C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b88c8bc7-27f0-4bd0-8ad8-7704068db95a.vbs"
        18⤵
        
        PID:5248
        
        C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d62cd02f-fd0f-41fb-bf74-6cd1d0ce95db.vbs"
        20⤵
        
        PID:5228
        
        C:\Program Files\Microsoft Office 15\sysmon.exe
        
        "C:\Program Files\Microsoft Office 15\sysmon.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32f0a780-a844-43b1-bbeb-66812248b576.vbs"
        20⤵
        
        PID:3872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd5ed06a-10dc-4678-b272-447317209117.vbs"
        18⤵
        
        PID:4344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\559a4d71-3518-41a2-b547-e973b4b19b94.vbs"
        16⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\779c9b56-822a-4d59-ac22-90a1e5d18dca.vbs"
        14⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de5fc6ea-4770-4369-93a8-1ac0be9132e1.vbs"
        12⤵
        
        PID:5580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\063cc9e7-38c3-463d-8a52-7e36fda8a8b3.vbs"
        10⤵
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9f391a1-b34d-44e6-b72d-348a33a4b3cf.vbs"
        8⤵
        
        PID:3136
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f80dacc-cb75-4f92-8d27-fac3f80c68e0.vbs"
        6⤵
        
        PID:2512
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\614a0305-803d-4a84-a2ec-a4507d5369ea.vbs"
      4⤵
      PID:5652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\Camera Roll\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\Camera Roll\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\d9c22b4eaa3c0b9c12c7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\d9c22b4eaa3c0b9c12c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f736c152b3d1812f1142ed0da99e0ac8f" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\f736c152b3d1812f1142ed0da99e0ac8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f736c152b3d1812f1142ed0da99e0ac8" /sc ONLOGON /tr "'C:\Windows\ShellComponents\f736c152b3d1812f1142ed0da99e0ac8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f736c152b3d1812f1142ed0da99e0ac8f" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\f736c152b3d1812f1142ed0da99e0ac8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\en-US\TextInputHost.exe

Filesize
5.9MB

MD5
f736c152b3d1812f1142ed0da99e0ac8

SHA1
5df819dd9a3c73b64b33950ecfac1c690fa0f03d

SHA256
78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246

SHA512
a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5224a8af64b17b8a36247f8bda22bc94

SHA1
841edc986867d9813534b217790e76b017c48617

SHA256
464cb1185c4ac036587a0583565205a60a9d67c6130ac6bf3e666d197a79aa55

SHA512
041d2827788aa8b7f3320b013380d74cc12a444adcf587ef8dfcbb52353548abf1746f34e33f0bfb6117ed488e85d9f8e0bfffbf79011546199ee371e192fdde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e69ced0a44ced088c3954d6ae03796e7

SHA1
ef4cac17b8643fb57424bb56907381a555a8cb92

SHA256
49ee2b78c2766e68fad51109337710f032e25649bcebebf14562edfbf2e98108

SHA512
15ebe961c61ee8efadd8370d856c936e5b605c3b847b8ddabb3cafb63c724d374a0a9567054852444de95794c7c8b3f9f12d05258104573c7546ff88023d7cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ebbb17f3791dea62cf267d83cf036a4

SHA1
266c27acf64b85afd8380277f767cc54f91ab2b0

SHA256
2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

SHA512
6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c3cddab7d289f65843ac7ee436ff50d

SHA1
19046a0dc416df364c3be08b72166becf7ed9ca9

SHA256
c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1

SHA512
45c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4552709998d20ebebb7d79b1e2caba85

SHA1
a136173b2c02a5c678afbfb05d859dcf7fce5e73

SHA256
e96edbb0c4584421178d50c77bb16d7fe8b3839c357c170268dc13c00e8bb435

SHA512
53f623fa2780ceead709084e842a38f01ae921223e2bff2a97e45ad4a792c73e7370e97da4d323a5b857bf446e3295b6422ffa2dbaf68d34a65ebf6751d7d83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0415058f-2d97-4a89-8597-70423d91e8a2.vbs

Filesize
723B

MD5
2e960aea9e0190d4daadbfc8e8f93eaa

SHA1
664842004c55fadd6dba3a4e57aac69fa2fe0dcc

SHA256
7499aece28c34c0b4f16cef9a002f1b10e8c391a3e64d5806d72de95143e57fb

SHA512
56365b307446816a4f6246c61d8129e6b007d578a35d7656bc9a04696267e735c0221ab71a539eada5dff738c0b07f0aaffada489053b4cb4c3bae1bea663fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2820a57c-ac86-4a9e-8d8b-4e423b9be8e9.vbs

Filesize
723B

MD5
0212afe62c9b63afc2742caa49f22415

SHA1
9c56199ba5845c86e49b2508545c4a946f7061d5

SHA256
a9df073d59b903fbce318a451d11f2796ce1e0642a1f4cb702f4b81d2a7dfa0d

SHA512
73e6402b701e4b157fe0669af49c14c20c4416899b8791053eb8cfd149ad93f41045363367ab8955a4e98b79b03dd730b0c43f7da3381ca0cff8fb26248c6792

Download Submit
C:\Users\Admin\AppData\Local\Temp\33f5ad25-5697-4b76-8165-bad78bf83811.vbs

Filesize
723B

MD5
47059aadb751b3660f805ae7ea88027f

SHA1
8e4c05dba10a8e441304ce23e67b0ce8e20e7f2f

SHA256
88f06abc7e6fde87946e81eaa3392758b048c127f7cfecb33994fccfa0563f8d

SHA512
02ea4620897caaa85750f920047ddef8e9bff5d12f581d637b7f74736a19e7cd91952d65f79575022c2d42966d206608d760eaa8723007fdbf2841720c1af83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\614a0305-803d-4a84-a2ec-a4507d5369ea.vbs

Filesize
499B

MD5
a6755280f6f7839bc8412a42133c18fa

SHA1
829721e14348c147f794513cbfd1621a48f33294

SHA256
923b25f38e2195da09b4ea18c1b8ff002b587f02b53073654dcb80f732d1fecc

SHA512
a662f2224ae004ee85ea2e97841e0ecae4b13e9a514a22d29d2adb32c2da8015368caed626887645e1dcf99b692f8fc42485df0cfb91d470337a4a6ae03fbbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6660fd03-92a2-42c4-93b1-babd42de261f.vbs

Filesize
723B

MD5
575f4da2173ce6f4402d518a406e1191

SHA1
48b362c85c7e8ff5ba5fea6df928a85b1c71a2d0

SHA256
2a28e3a62c383096f33b0676039f1ffad4494d0d35a49adbf047237950aee708

SHA512
6e87c0f2154cdbfb1869bf27d2d8a7df04c8cb216ef816c155911109130059f8cf6e6f41b2340caee0a44845c81317017b094ff97d4d1dbf1c6576321b0f0627

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f39dd94-7d67-4d88-9ed6-bb340b999e90.vbs

Filesize
723B

MD5
bdbee615f3b891d4ffd1886d84b407fb

SHA1
a0e33930da8308d12691b3661958460e464412e0

SHA256
473a357d8f49dd74a78c5d73c8848ef8e5818db8ec1efedf6698549a1e2d2449

SHA512
89669d36e7c2b85868eeb182cea1e3764264a972a9fde725d7d050558bb331f18fefa85c7bc722a9aa93f97d0fa05ec493f9ad4d5b143631ebc4518715dfc42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EZ0S9RMyIO.bat

Filesize
212B

MD5
d1e6cc9d251d6f3fb793f87508a9d8df

SHA1
f080e3aa22f02bd93c9b404b6749b40bacae280a

SHA256
ce747c59613d989b7f76e8316b89953069f7d44ab578c39b1a6583a88d3e4a35

SHA512
360c0f2f30ed332efbc3c32fdab3494fde8da2ddcced6985e2db4640a7c5bcf81d599fae5e56081d4092688dff1a8e9e88c79ce8f48ecb044aa5fea3a240fa79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vnfh0rvk.xtb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae959068-c232-40cc-aa3d-6684f7a70eeb.vbs

Filesize
723B

MD5
a3da20196ce2a4b0ecba23cf2602292a

SHA1
3f424c20ca1dc1dfa04259416add5b3649ecf6ec

SHA256
387868038865c22ca13f22e2a79b814878f1194d894f1acab216aabc4a0f68cf

SHA512
e2ed03d75c32d524ecd8729378bb808d84df450d793a7d8bf30b33e7fe916f757f938d3eb44fc3c052d12504a6957830e12c9df6a4aef999f10c64e7e54e4766

Download Submit
C:\Users\Admin\AppData\Local\Temp\b88c8bc7-27f0-4bd0-8ad8-7704068db95a.vbs

Filesize
723B

MD5
0976259d2e4ab55c717890e60a6bbe01

SHA1
b85d62c82740c43f68d376037d1e05b487f1dff8

SHA256
4f8ac56a67615915fe750c5f531de7f89f9e5db98e28fea67b14ea0d573ff104

SHA512
10027229c22eb9dbdd547f4548cc53a280897f3d23dafbc9f1b3aa1579c4c7a55f4b38bc52e855f98e5e036825f9529a731b1b5ca4fbf0c4bdef2f23ce089a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9f3d80f-1aed-4583-8d65-ee6d21c50e9e.vbs

Filesize
723B

MD5
cbe6fb7fd6c29264208e590efe5f14a4

SHA1
117c8776814d36056fe46756688167c7c358d6f0

SHA256
3f3fcadbd442125bc3cd9bb2803034e62f16e5cdc919fd07b240b9e499a7bd2f

SHA512
8d7daaa6e542865b2af87e059ab3c27fafd8ae34e6018995dc5f6034c6ca0c4866cf2b987cbd879c56f2aae808a779cca1271d4003e5ad936ef5cc86e884fa82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d62cd02f-fd0f-41fb-bf74-6cd1d0ce95db.vbs

Filesize
722B

MD5
9f53403b5d85c01b0c27e92af544c734

SHA1
53fb3d5d8d6d2df71354769fa2940c9cfc288265

SHA256
e8d83ef2d5f43c7222593ece81cdc47ccf7f513fae2c673b35aabfc796ba578e

SHA512
ff83f7357e2d79958e5ba637fe44849eb39b33fac88392e0f096952d22d86b5abf095f8bbda6be7e6e279319030c29e27925e38d9e8cffe94848b2dd8a83f42c

Download Submit
C:\Users\Default\explorer.exe

Filesize
5.9MB

MD5
a56186a547eea6ae32d64f0d2eb28100

SHA1
dde5f974d2815f647fb85cf5fd43b788e0fca30a

SHA256
1c761e50b753558a6f0d770372efd33c9a85d75b8853e82d810fedfb73ee1f5c

SHA512
7f37832b56c6529037ebab04e847dcf4feeffb7b050e8eb0b9918ff480d1434b95090421d90146b6f9b33a169f8d4b52115bf98b8c131c76f0c7fa7431b56cba

Download Submit
C:\d9c22b4eaa3c0b9c12c7\dwm.exe

Filesize
5.9MB

MD5
15ad2109fbf2df41805a47b45389565e

SHA1
c0c84bf61f878f2ef7ca7020b828612caf98b77b

SHA256
77c8eaac68f4ccb1f4b13fcc98ead09a751354295163e7b434d6dfc50b963793

SHA512
e47f3955c75d62e4937ee9d96ad0108888c66c4696b5b1b76d073b18821ac68c2a776e95b51c29aa50fb59eacb6c6c4949abc223d2f8c155747b521f28cd0102

Download Submit
C:\d9c22b4eaa3c0b9c12c7\smss.exe

Filesize
5.9MB

MD5
d59d12e202d78efac2710c6a8a53497e

SHA1
3a986076adec411823316110137c97ec55f0e3b3

SHA256
290e4241fde58db86fd825777c1b8e52656c1c15452746ee0bf94a793da66077

SHA512
1d7c26e047fd3227628dfcd97298b150271b1f3f1e47f7f7d8a05e5f5df39573c135927ac133aa31313b76b3e08f249691a3f33be3a598ddc5d8d7c4668b7eee

Download Submit
memory/888-566-0x000000001C100000-0x000000001C112000-memory.dmp

Filesize
72KB

Download
memory/1224-18-0x000000001D1C0000-0x000000001D216000-memory.dmp

Filesize
344KB

Download
memory/1224-22-0x000000001D240000-0x000000001D248000-memory.dmp

Filesize
32KB

Download
memory/1224-29-0x000000001D2B0000-0x000000001D2BC000-memory.dmp

Filesize
48KB

Download
memory/1224-28-0x000000001D2A0000-0x000000001D2A8000-memory.dmp

Filesize
32KB

Download
memory/1224-30-0x000000001D2C0000-0x000000001D2CC000-memory.dmp

Filesize
48KB

Download
memory/1224-32-0x000000001D3E0000-0x000000001D3EC000-memory.dmp

Filesize
48KB

Download
memory/1224-34-0x000000001D500000-0x000000001D50E000-memory.dmp

Filesize
56KB

Download
memory/1224-33-0x000000001D3F0000-0x000000001D3FA000-memory.dmp

Filesize
40KB

Download
memory/1224-31-0x000000001D3D0000-0x000000001D3D8000-memory.dmp

Filesize
32KB

Download
memory/1224-36-0x000000001D520000-0x000000001D52E000-memory.dmp

Filesize
56KB

Download
memory/1224-35-0x000000001D510000-0x000000001D518000-memory.dmp

Filesize
32KB

Download
memory/1224-40-0x000000001D560000-0x000000001D56A000-memory.dmp

Filesize
40KB

Download
memory/1224-39-0x000000001D550000-0x000000001D558000-memory.dmp

Filesize
32KB

Download
memory/1224-38-0x000000001D540000-0x000000001D54C000-memory.dmp

Filesize
48KB

Download
memory/1224-37-0x000000001D530000-0x000000001D538000-memory.dmp

Filesize
32KB

Download
memory/1224-41-0x000000001D570000-0x000000001D57C000-memory.dmp

Filesize
48KB

Download
memory/1224-26-0x000000001D280000-0x000000001D28C000-memory.dmp

Filesize
48KB

Download
memory/1224-192-0x00007FFCF2B33000-0x00007FFCF2B35000-memory.dmp

Filesize
8KB

Download
memory/1224-25-0x000000001D7B0000-0x000000001DCD8000-memory.dmp

Filesize
5.2MB

Download
memory/1224-239-0x00007FFCF2B30000-0x00007FFCF35F1000-memory.dmp

Filesize
10.8MB

Download
memory/1224-21-0x000000001D230000-0x000000001D23C000-memory.dmp

Filesize
48KB

Download
memory/1224-24-0x000000001D250000-0x000000001D262000-memory.dmp

Filesize
72KB

Download
memory/1224-1-0x00000000002C0000-0x0000000000BB8000-memory.dmp

Filesize
9.0MB

Download
memory/1224-27-0x000000001D290000-0x000000001D29C000-memory.dmp

Filesize
48KB

Download
memory/1224-344-0x00007FFCF2B30000-0x00007FFCF35F1000-memory.dmp

Filesize
10.8MB

Download
memory/1224-20-0x000000001D220000-0x000000001D228000-memory.dmp

Filesize
32KB

Download
memory/1224-19-0x000000001D210000-0x000000001D21C000-memory.dmp

Filesize
48KB

Download
memory/1224-0-0x00007FFCF2B33000-0x00007FFCF2B35000-memory.dmp

Filesize
8KB

Download
memory/1224-17-0x000000001B9F0000-0x000000001B9FA000-memory.dmp

Filesize
40KB

Download
memory/1224-11-0x000000001B7E0000-0x000000001B7F6000-memory.dmp

Filesize
88KB

Download
memory/1224-15-0x000000001B970000-0x000000001B978000-memory.dmp

Filesize
32KB

Download
memory/1224-16-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/1224-14-0x000000001B990000-0x000000001B99C000-memory.dmp

Filesize
48KB

Download
memory/1224-2-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/1224-13-0x000000001B960000-0x000000001B972000-memory.dmp

Filesize
72KB

Download
memory/1224-12-0x000000001B950000-0x000000001B958000-memory.dmp

Filesize
32KB

Download
memory/1224-9-0x0000000002EF0000-0x0000000002EF8000-memory.dmp

Filesize
32KB

Download
memory/1224-10-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/1224-8-0x000000001B9A0000-0x000000001B9F0000-memory.dmp

Filesize
320KB

Download
memory/1224-3-0x00007FFCF2B30000-0x00007FFCF35F1000-memory.dmp

Filesize
10.8MB

Download
memory/1224-6-0x0000000002DA0000-0x0000000002DA8000-memory.dmp

Filesize
32KB

Download
memory/1224-7-0x0000000002ED0000-0x0000000002EEC000-memory.dmp

Filesize
112KB

Download
memory/1224-5-0x0000000002D90000-0x0000000002D9E000-memory.dmp

Filesize
56KB

Download
memory/1224-4-0x0000000002D80000-0x0000000002D8E000-memory.dmp

Filesize
56KB

Download
memory/2204-505-0x000000001C610000-0x000000001C622000-memory.dmp

Filesize
72KB

Download
memory/3040-325-0x000001167F440000-0x000001167F462000-memory.dmp

Filesize
136KB

Download
memory/5252-579-0x00000000039E0000-0x00000000039F2000-memory.dmp

Filesize
72KB

Download
memory/5400-467-0x000000001C3B0000-0x000000001C3C2000-memory.dmp

Filesize
72KB

Download