dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f736c152b3d1812f1142ed0da99e0ac8.exe
Size

5.9MB
MD5

f736c152b3d1812f1142ed0da99e0ac8
SHA1

5df819dd9a3c73b64b33950ecfac1c690fa0f03d
SHA256

78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246
SHA512

a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4X:hyeU11Rvqmu8TWKnF6N/1wC

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5184	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5180	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3300	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3300	schtasks.exe	78

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3776	powershell.exe
920	powershell.exe
1912	powershell.exe
5664	powershell.exe
2872	powershell.exe
5884	powershell.exe
5104	powershell.exe
912	powershell.exe
4212	powershell.exe
564	powershell.exe
2244	powershell.exe
5236	powershell.exe
3848	powershell.exe
5452	powershell.exe
1788	powershell.exe
3808	powershell.exe
1208	powershell.exe
4552	powershell.exe
3424	powershell.exe
4572	powershell.exe
1392	powershell.exe
2284	powershell.exe
428	powershell.exe
760	powershell.exe
5032	powershell.exe
4308	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	f736c152b3d1812f1142ed0da99e0ac8.exe

Executes dropped EXE 4 IoCs

pid	Process
1608	f736c152b3d1812f1142ed0da99e0ac8.exe
4192	sppsvc.exe
3388	sppsvc.exe
8	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f736c152b3d1812f1142ed0da99e0ac8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
1608	f736c152b3d1812f1142ed0da99e0ac8.exe
1608	f736c152b3d1812f1142ed0da99e0ac8.exe
4192	sppsvc.exe
4192	sppsvc.exe
3388	sppsvc.exe
3388	sppsvc.exe
8	sppsvc.exe
8	sppsvc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\5b884080fd4f94	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\Uninstall Information\SppExtComObj.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\Uninstall Information\e1ef82546f0b02	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Program Files\Uninstall Information\SppExtComObj.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Program Files\ModifiableWindowsApps\smss.exe	f736c152b3d1812f1142ed0da99e0ac8.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Resources\ja-JP\smss.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\SystemApps\spoolsv.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\SystemApps\f3b6ecef712a24	f736c152b3d1812f1142ed0da99e0ac8.exe
File created	C:\Windows\ServiceState\EventLog\Data\RuntimeBroker.exe	f736c152b3d1812f1142ed0da99e0ac8.exe
File opened for modification	C:\Windows\SystemApps\spoolsv.exe	f736c152b3d1812f1142ed0da99e0ac8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000_Classes\Local Settings	f736c152b3d1812f1142ed0da99e0ac8.exe
Key created	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2787523927-1212474705-3964982594-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
396	schtasks.exe
5196	schtasks.exe
6064	schtasks.exe
3420	schtasks.exe
4664	schtasks.exe
3448	schtasks.exe
4392	schtasks.exe
4832	schtasks.exe
2416	schtasks.exe
3880	schtasks.exe
2420	schtasks.exe
4900	schtasks.exe
4764	schtasks.exe
1796	schtasks.exe
2416	schtasks.exe
6056	schtasks.exe
4476	schtasks.exe
4112	schtasks.exe
6092	schtasks.exe
4180	schtasks.exe
3640	schtasks.exe
2968	schtasks.exe
4360	schtasks.exe
4980	schtasks.exe
4532	schtasks.exe
5180	schtasks.exe
3404	schtasks.exe
6048	schtasks.exe
2496	schtasks.exe
2360	schtasks.exe
908	schtasks.exe
5368	schtasks.exe
4592	schtasks.exe
4584	schtasks.exe
4192	schtasks.exe
1856	schtasks.exe
4452	schtasks.exe
2524	schtasks.exe
3672	schtasks.exe
6064	schtasks.exe
4152	schtasks.exe
4896	schtasks.exe
4752	schtasks.exe
5320	schtasks.exe
1420	schtasks.exe
3180	schtasks.exe
4960	schtasks.exe
4252	schtasks.exe
5184	schtasks.exe
4980	schtasks.exe
5488	schtasks.exe
2524	schtasks.exe
1668	schtasks.exe
6120	schtasks.exe
1092	schtasks.exe
3388	schtasks.exe
4596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
1912	powershell.exe
1912	powershell.exe
4572	powershell.exe
4572	powershell.exe
5032	powershell.exe
5032	powershell.exe
920	powershell.exe
920	powershell.exe
5884	powershell.exe
5884	powershell.exe
2872	powershell.exe
2872	powershell.exe
5236	powershell.exe
5236	powershell.exe
4308	powershell.exe
4308	powershell.exe
3776	powershell.exe
3776	powershell.exe
2244	powershell.exe
2244	powershell.exe
3424	powershell.exe
3424	powershell.exe
1208	powershell.exe
1208	powershell.exe
4552	powershell.exe
4552	powershell.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
3064	f736c152b3d1812f1142ed0da99e0ac8.exe
1912	powershell.exe
4572	powershell.exe
5032	powershell.exe
920	powershell.exe
1208	powershell.exe
4308	powershell.exe
2244	powershell.exe
5236	powershell.exe
4552	powershell.exe
5884	powershell.exe
2872	powershell.exe
3424	powershell.exe
3776	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	5884	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	5236	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1608	f736c152b3d1812f1142ed0da99e0ac8.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	5664	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	5452	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	4192	sppsvc.exe
Token: SeDebugPrivilege	3388	sppsvc.exe
Token: SeDebugPrivilege	8	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 5884	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	94
PID 3064 wrote to memory of 5884	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	94
PID 3064 wrote to memory of 4572	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	95
PID 3064 wrote to memory of 4572	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	95
PID 3064 wrote to memory of 2872	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	96
PID 3064 wrote to memory of 2872	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	96
PID 3064 wrote to memory of 1912	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	97
PID 3064 wrote to memory of 1912	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	97
PID 3064 wrote to memory of 920	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	99
PID 3064 wrote to memory of 920	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	99
PID 3064 wrote to memory of 5236	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	100
PID 3064 wrote to memory of 5236	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	100
PID 3064 wrote to memory of 3424	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	101
PID 3064 wrote to memory of 3424	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	101
PID 3064 wrote to memory of 2244	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	102
PID 3064 wrote to memory of 2244	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	102
PID 3064 wrote to memory of 4552	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	104
PID 3064 wrote to memory of 4552	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	104
PID 3064 wrote to memory of 3776	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	106
PID 3064 wrote to memory of 3776	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	106
PID 3064 wrote to memory of 1208	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	107
PID 3064 wrote to memory of 1208	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	107
PID 3064 wrote to memory of 4308	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	108
PID 3064 wrote to memory of 4308	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	108
PID 3064 wrote to memory of 5032	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	109
PID 3064 wrote to memory of 5032	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	109
PID 3064 wrote to memory of 1608	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	120
PID 3064 wrote to memory of 1608	3064	f736c152b3d1812f1142ed0da99e0ac8.exe	120
PID 1608 wrote to memory of 5664	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	163
PID 1608 wrote to memory of 5664	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	163
PID 1608 wrote to memory of 3808	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	164
PID 1608 wrote to memory of 3808	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	164
PID 1608 wrote to memory of 564	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	165
PID 1608 wrote to memory of 564	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	165
PID 1608 wrote to memory of 4212	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	166
PID 1608 wrote to memory of 4212	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	166
PID 1608 wrote to memory of 760	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	168
PID 1608 wrote to memory of 760	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	168
PID 1608 wrote to memory of 1788	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	169
PID 1608 wrote to memory of 1788	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	169
PID 1608 wrote to memory of 912	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	171
PID 1608 wrote to memory of 912	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	171
PID 1608 wrote to memory of 428	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	172
PID 1608 wrote to memory of 428	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	172
PID 1608 wrote to memory of 5452	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	173
PID 1608 wrote to memory of 5452	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	173
PID 1608 wrote to memory of 2284	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	174
PID 1608 wrote to memory of 2284	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	174
PID 1608 wrote to memory of 5104	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	175
PID 1608 wrote to memory of 5104	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	175
PID 1608 wrote to memory of 1392	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	177
PID 1608 wrote to memory of 1392	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	177
PID 1608 wrote to memory of 3848	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	178
PID 1608 wrote to memory of 3848	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	178
PID 1608 wrote to memory of 2828	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	189
PID 1608 wrote to memory of 2828	1608	f736c152b3d1812f1142ed0da99e0ac8.exe	189
PID 2828 wrote to memory of 5084	2828	cmd.exe	191
PID 2828 wrote to memory of 5084	2828	cmd.exe	191
PID 2828 wrote to memory of 4192	2828	cmd.exe	192
PID 2828 wrote to memory of 4192	2828	cmd.exe	192
PID 4192 wrote to memory of 5076	4192	sppsvc.exe	193
PID 4192 wrote to memory of 5076	4192	sppsvc.exe	193
PID 4192 wrote to memory of 1092	4192	sppsvc.exe	194
PID 4192 wrote to memory of 1092	4192	sppsvc.exe	194

System policy modification 1 TTPs 15 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f736c152b3d1812f1142ed0da99e0ac8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe
"C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/0cb73852daa51db2b857a67a2f/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4e680a59735f26a7ec8828743a9fe6/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe
  "C:\Users\Admin\AppData\Local\Temp\f736c152b3d1812f1142ed0da99e0ac8.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/0cb73852daa51db2b857a67a2f/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/4e680a59735f26a7ec8828743a9fe6/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tq3MYUh4rW.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:5084
  - - C:\0cb73852daa51db2b857a67a2f\sppsvc.exe
      "C:\0cb73852daa51db2b857a67a2f\sppsvc.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4192
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d59be1f5-8010-41f8-94d5-b71f81b2b4e2.vbs"
        5⤵
        
        PID:5076
      - C:\0cb73852daa51db2b857a67a2f\sppsvc.exe
        
        C:\0cb73852daa51db2b857a67a2f\sppsvc.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4ea3392-4e66-4b70-9641-40a8135f1f78.vbs"
        7⤵
        
        PID:5892
        
        C:\0cb73852daa51db2b857a67a2f\sppsvc.exe
        
        C:\0cb73852daa51db2b857a67a2f\sppsvc.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:8
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb9b7ea1-f8ea-48db-b524-2d1810f0774c.vbs"
        9⤵
        
        PID:5144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\731d6db1-da86-4afa-9a52-6ecc72121cb6.vbs"
        9⤵
        
        PID:3772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81cec35c-3d6b-4212-a768-7571f6d08d83.vbs"
        7⤵
        
        PID:5276
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38d82b96-36b8-4879-a93c-2a4dcf02b104.vbs"
        5⤵
        
        PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\0cb73852daa51db2b857a67a2f\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\0cb73852daa51db2b857a67a2f\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\0cb73852daa51db2b857a67a2f\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\4e680a59735f26a7ec8828743a9fe6\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\4e680a59735f26a7ec8828743a9fe6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\4e680a59735f26a7ec8828743a9fe6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\0cb73852daa51db2b857a67a2f\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\0cb73852daa51db2b857a67a2f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\0cb73852daa51db2b857a67a2f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\4e680a59735f26a7ec8828743a9fe6\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\4e680a59735f26a7ec8828743a9fe6\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\4e680a59735f26a7ec8828743a9fe6\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\0cb73852daa51db2b857a67a2f\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\0cb73852daa51db2b857a67a2f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\0cb73852daa51db2b857a67a2f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\4e680a59735f26a7ec8828743a9fe6\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\4e680a59735f26a7ec8828743a9fe6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\4e680a59735f26a7ec8828743a9fe6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SystemApps\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemApps\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\4e680a59735f26a7ec8828743a9fe6\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\4e680a59735f26a7ec8828743a9fe6\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\4e680a59735f26a7ec8828743a9fe6\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\0cb73852daa51db2b857a67a2f\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\0cb73852daa51db2b857a67a2f\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\0cb73852daa51db2b857a67a2f\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\0cb73852daa51db2b857a67a2f\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\0cb73852daa51db2b857a67a2f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\0cb73852daa51db2b857a67a2f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\0cb73852daa51db2b857a67a2f\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\0cb73852daa51db2b857a67a2f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\0cb73852daa51db2b857a67a2f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6092

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4e680a59735f26a7ec8828743a9fe6\sppsvc.exe

Filesize
5.9MB

MD5
0546c829e58975d00e505ce1b73db2af

SHA1
86b1ed1128f92f2496120bc420125f5b70562737

SHA256
ed9441a3d969011bc884c6474e385ac029d55d0749273105b456576d46a61777

SHA512
ac95604131ffe679cb1cc82a9171464d88027e9e983c22017bf61a3c8cabe3e44765b52129ec03f4fa39c1881b502c538b038136b9788d9844d31526f56bdca4

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
5.9MB

MD5
367de11d35ff130a6a88427cd40ad194

SHA1
fd952deefc1cc970d967b0205e524b6fde823935

SHA256
2cf5dede1f9753199f57618b1d0c94ddf73a374740dbe5e8b0c2648dc6ceb46d

SHA512
7d9a216fc872efd66c373cdb05e5825a2878e10cb4a0b70c21245c060c3af6cae288641922efd24a60289e14f930a0f9708edcc2587f0449912d6729bdf5cd27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f736c152b3d1812f1142ed0da99e0ac8.exe.log

Filesize
1KB

MD5
38a631c5933383fd234b799a50dface0

SHA1
af27c0b7e5dc27ce1235ddf917a1ac0b659bcffa

SHA256
8d6eab30182508b787b758623794baf89ccd05e11203abddf13f4a878e38529e

SHA512
fc2f5c82287b4761d478a9b82d87eb84a734ea24a1998367e941d4106bcd4d754da95e3da6f532e6040ee46d779063aa1f530fd9cbe51631ddc98530330c50fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
e44d7e6834e600a5f3b5211eb4aa1de1

SHA1
322197fc761c18114a0b3cd7f997ec8c28a4196d

SHA256
dc1d71cb579d614caf67a0451b60fb20d94d679fd32c9e5c7ba534a13e4956f3

SHA512
41d6df9eea9fe07887f9c9b35c5676b232c470fad15d8aec4d6995229f86736355b7ba1f6ab65501dba6fcde8548b2243253159fd75beb63d33b927428786401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3284cb698efa6fb773dc0eebd30a3214

SHA1
a1093d44f025e5ba9609e99a3fc5fce3723fd7f3

SHA256
22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa

SHA512
af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b26e5bedfb520c4c341b64a636b83fe1

SHA1
991188792f4778e59ff166007bebc549107128dc

SHA256
34836bf15fe6bf8a0903f9065338c160ea03b4f26d1217dd0c294fec4a7feafb

SHA512
b93c4eb59fffdc7ba829442156b5af536d4865362a2abecef717ed92612e2e14c10a702f25bb2a1ed0b43dcdbd2e62ef7bfdf6d435c21fc06873d9a4642efd7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
895921ce34c6694cd67969996e9d342a

SHA1
6c80f39256cac54a2b542d524346234d4f38b4b0

SHA256
9a8e2ea2b42f21eab0ee1eba4a51d13227ebee2c2a05c018f7cc111eb53dfd4e

SHA512
ae396126f869181212c2398e6e2d918d97c1d09c64392395baa08d9f7d125c3ab65f97fb485cbc558545dd9f8e4b57a203997d4b05c038ae616c0f03a744cab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cad6ee71e2f46608490520923ec5d2ff

SHA1
e975523ab16e08c69c671db25eb18a17ebeddeae

SHA256
a844aef1c1a30f44b01052bc36aa683e0f5a62b1b98bd4db09350630a223a753

SHA512
5fcd17d2ea19c1882d20471a2b9ae35eb0e46f3a34346447ce0f29ce193cc52d61fc77c5998e47c3a82c00cd6445a45a3083aa041c9b247397fce79ebeda9163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2882e136563e56aac4c52a68d657e298

SHA1
bb0e315c6e10a498fcad3700761bcc6e70eb1fbc

SHA256
5031b9aa422eb1f2ff88e012dc133f049e1f92c3e6edd6aef7cfe9c2b8272a25

SHA512
d2c5f857d5901c157cbe2e08366592e1dfbf6b6395e9ab7c1d94a1bf529ee17a72bbecf4f304e1728dfc9905b4de89be53b25dfe09c783ed9dd365a6c73523c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bdffef5097b45395b4ee99f27841ce9

SHA1
9b91f0b6d7387206ae0a611468f9513b6228955b

SHA256
020439eaf71dca8ce044380615fd8212c04b0637863f30dbaf0a6fcbf66e39cc

SHA512
c2edf3e572021d479a0c1b9ad72237fe535c443d6f6a40d53f7ad596678f4eef0cccd97e91b0c8e0f82275654ef9fb408fe4a5d1655bfbb1684d838420023b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\38d82b96-36b8-4879-a93c-2a4dcf02b104.vbs

Filesize
492B

MD5
6e9f8e04fea3406022fdb9c3120bb89b

SHA1
4f28a1d1bea6590b99430da99769e4a5fc9cd4c3

SHA256
c87298e5560f9f841a21ff02e4060a0895d398765f0c22426de92ccbb373c50f

SHA512
37dd0abdc02ad0c90203c27ea9babc44e5132a8e38a8e0690985bf58660476bb44a1335cabaf5854061541c889b6f6917b5e0fc4d2dd691fee166a757e42c4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyfrcyfn.mk5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4ea3392-4e66-4b70-9641-40a8135f1f78.vbs

Filesize
716B

MD5
2184df5e6661c9ebdd438b789201fc5f

SHA1
905d8d81146f2ba41fccd2ddcfaf7699af35e876

SHA256
34aad8fa05ad6dc7db2017eaaff2f0bffc838887d278579a65cd95d18abcdf00

SHA512
d7cfe369e5460fc38f067fbf01fdb658f83b43ac731ad45106e9f6940340947cb3260f171f6298dbd2f8418c16842bd790781f91c99d1f88f40e2b24f0c813ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d59be1f5-8010-41f8-94d5-b71f81b2b4e2.vbs

Filesize
716B

MD5
8e045d067beafa2ba200659087cca24e

SHA1
e8bbcbd8c8d2bab9edf5fde6121a46a2005f8908

SHA256
60073db6dccec875222e7eb8660ab1fbe32c64f9b2064af1b34e6a34ef3d03a1

SHA512
5d097771cac723bb0682780bcb84fc13f668a9e07cab74bbe719a916e50b9b121b6857488eadec734f0b097ce6c0afe4174c95d549b73cdaa59cf419e4da855e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb9b7ea1-f8ea-48db-b524-2d1810f0774c.vbs

Filesize
713B

MD5
4f3aa8d4db973a9cf71cf53e76f65282

SHA1
07133b8eadc530d7c087786a66487d22a62602b1

SHA256
a8c7693453d7d3c94f85653505cbef4b5715b90804a71084f706be01704c1273

SHA512
9eff5bee1bfccd90ad28d364a0b7af8ee9b2d37f6055a4041fb4eee409f11a69e1d174a0a7c14a925363338bee6da8481d3c790b298e7c2a82506bf7ff05cdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tq3MYUh4rW.bat

Filesize
205B

MD5
6c7ed2ef2beaeb4ca62da1708cb242d9

SHA1
e8e9eb44e5d8d9a5873faf6b6408cd3037030073

SHA256
e636e7ef599dbb548cce1fd6d4c9ed743a524e46696af539435099d1f91a9592

SHA512
af6c63a08673ebacf7d08d8bf7d8b7fdc3e6e5975df0839a9e4dcede3d45464fd6c0978310f63d714801eec89a57b18bb85b1395b4d66cde9a900e82d7a91181

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
5.9MB

MD5
f736c152b3d1812f1142ed0da99e0ac8

SHA1
5df819dd9a3c73b64b33950ecfac1c690fa0f03d

SHA256
78acaa343a31b3474452e4deb58753f16b72e9ba9ec2f537fd7d7431f699c246

SHA512
a3b30acae19dfcb40089e64bab3dae770b1f26d0de54c90a288a280f06a7656cf1739304b1eae8b0d7c12f1bdcd81780bb6499770e255d37a940dc138496b041

Download Submit
memory/1608-253-0x000000001C230000-0x000000001C242000-memory.dmp

Filesize
72KB

Download
memory/1912-124-0x000001FE50B10000-0x000001FE50B32000-memory.dmp

Filesize
136KB

Download
memory/3064-29-0x000000001C370000-0x000000001C37C000-memory.dmp

Filesize
48KB

Download
memory/3064-41-0x000000001C630000-0x000000001C63C000-memory.dmp

Filesize
48KB

Download
memory/3064-37-0x000000001C5F0000-0x000000001C5F8000-memory.dmp

Filesize
32KB

Download
memory/3064-33-0x000000001C5B0000-0x000000001C5BA000-memory.dmp

Filesize
40KB

Download
memory/3064-32-0x000000001C5A0000-0x000000001C5AC000-memory.dmp

Filesize
48KB

Download
memory/3064-31-0x000000001C590000-0x000000001C598000-memory.dmp

Filesize
32KB

Download
memory/3064-30-0x000000001C380000-0x000000001C38C000-memory.dmp

Filesize
48KB

Download
memory/3064-28-0x000000001C360000-0x000000001C368000-memory.dmp

Filesize
32KB

Download
memory/3064-27-0x000000001C350000-0x000000001C35C000-memory.dmp

Filesize
48KB

Download
memory/3064-25-0x000000001C870000-0x000000001CD98000-memory.dmp

Filesize
5.2MB

Download
memory/3064-22-0x000000001C300000-0x000000001C308000-memory.dmp

Filesize
32KB

Download
memory/3064-21-0x000000001C2F0000-0x000000001C2FC000-memory.dmp

Filesize
48KB

Download
memory/3064-20-0x000000001C2E0000-0x000000001C2E8000-memory.dmp

Filesize
32KB

Download
memory/3064-19-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

Filesize
48KB

Download
memory/3064-11-0x000000001B8A0000-0x000000001B8B6000-memory.dmp

Filesize
88KB

Download
memory/3064-9-0x0000000002F30000-0x0000000002F38000-memory.dmp

Filesize
32KB

Download
memory/3064-8-0x000000001B8F0000-0x000000001B940000-memory.dmp

Filesize
320KB

Download
memory/3064-7-0x000000001B880000-0x000000001B89C000-memory.dmp

Filesize
112KB

Download
memory/3064-6-0x0000000002F20000-0x0000000002F28000-memory.dmp

Filesize
32KB

Download
memory/3064-40-0x000000001C620000-0x000000001C62A000-memory.dmp

Filesize
40KB

Download
memory/3064-39-0x000000001C610000-0x000000001C618000-memory.dmp

Filesize
32KB

Download
memory/3064-38-0x000000001C600000-0x000000001C60C000-memory.dmp

Filesize
48KB

Download
memory/3064-34-0x000000001C5C0000-0x000000001C5CE000-memory.dmp

Filesize
56KB

Download
memory/3064-36-0x000000001C5E0000-0x000000001C5EE000-memory.dmp

Filesize
56KB

Download
memory/3064-224-0x00007FFC75080000-0x00007FFC75B42000-memory.dmp

Filesize
10.8MB

Download
memory/3064-35-0x000000001C5D0000-0x000000001C5D8000-memory.dmp

Filesize
32KB

Download
memory/3064-0-0x00007FFC75083000-0x00007FFC75085000-memory.dmp

Filesize
8KB

Download
memory/3064-26-0x000000001C340000-0x000000001C34C000-memory.dmp

Filesize
48KB

Download
memory/3064-24-0x000000001C310000-0x000000001C322000-memory.dmp

Filesize
72KB

Download
memory/3064-12-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

Filesize
32KB

Download
memory/3064-13-0x000000001B8E0000-0x000000001B8F2000-memory.dmp

Filesize
72KB

Download
memory/3064-17-0x000000001B960000-0x000000001B96A000-memory.dmp

Filesize
40KB

Download
memory/3064-18-0x000000001C280000-0x000000001C2D6000-memory.dmp

Filesize
344KB

Download
memory/3064-15-0x000000001B940000-0x000000001B948000-memory.dmp

Filesize
32KB

Download
memory/3064-16-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/3064-14-0x000000001B8D0000-0x000000001B8DC000-memory.dmp

Filesize
48KB

Download
memory/3064-10-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/3064-1-0x00000000003B0000-0x0000000000CA8000-memory.dmp

Filesize
9.0MB

Download
memory/3064-5-0x0000000002DB0000-0x0000000002DBE000-memory.dmp

Filesize
56KB

Download
memory/3064-4-0x0000000002DA0000-0x0000000002DAE000-memory.dmp

Filesize
56KB

Download
memory/3064-3-0x00007FFC75080000-0x00007FFC75B42000-memory.dmp

Filesize
10.8MB

Download
memory/3064-2-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3388-463-0x000000001B7A0000-0x000000001B7B2000-memory.dmp

Filesize
72KB

Download
memory/4192-449-0x000000001C3A0000-0x000000001C3B2000-memory.dmp

Filesize
72KB

Download