dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
148s
max time network
152s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
14/04/2025, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Size

1.6MB
MD5

52e4554ec87085ec0d31bca66d35df00
SHA1

3196fc8f3064b5d80cd8829c0b3fd6730b2141c0
SHA256

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93
SHA512

04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5600	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5156	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5180	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5644	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5584	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5412	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5676	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5820	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4400	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4400	schtasks.exe	81

DCRat payload 18 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral28/memory/2264-1-0x0000000000320000-0x00000000004C2000-memory.dmp	dcrat
behavioral28/files/0x000800000002589b-46.dat	dcrat
behavioral28/files/0x00070000000282aa-53.dat	dcrat
behavioral28/files/0x0009000000028273-61.dat	dcrat
behavioral28/files/0x0009000000028278-69.dat	dcrat
behavioral28/files/0x000900000002827c-77.dat	dcrat
behavioral28/files/0x0009000000028280-85.dat	dcrat
behavioral28/files/0x0009000000028283-93.dat	dcrat
behavioral28/files/0x000a000000028250-101.dat	dcrat
behavioral28/files/0x000900000002828a-109.dat	dcrat
behavioral28/files/0x000a00000002828d-124.dat	dcrat
behavioral28/files/0x0009000000028293-133.dat	dcrat
behavioral28/files/0x0009000000028297-141.dat	dcrat
behavioral28/files/0x000900000002829a-150.dat	dcrat
behavioral28/files/0x000900000002829d-158.dat	dcrat
behavioral28/files/0x000900000002589b-166.dat	dcrat
behavioral28/files/0x000a00000002829f-174.dat	dcrat
behavioral28/memory/2664-403-0x00000000005C0000-0x0000000000762000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1772	powershell.exe
5184	powershell.exe
2752	powershell.exe
2712	powershell.exe
1132	powershell.exe
3608	powershell.exe
3004	powershell.exe
1364	powershell.exe
5928	powershell.exe
2936	powershell.exe
3144	powershell.exe
2360	powershell.exe
5380	powershell.exe
1624	powershell.exe
5884	powershell.exe
2252	powershell.exe
4016	powershell.exe
1644	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 3 IoCs

pid	Process
2664	fontdrvhost.exe
2364	fontdrvhost.exe
220	fontdrvhost.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\27d1bcfc3c54e0	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\lsass.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Windows Portable Devices\38384e6a620884	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX91D5.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Google\Update\System.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX999C.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\upfc.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\5b884080fd4f94	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX9167.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX992D.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\lsass.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\6203df4a6bafc7	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RCX9BA0.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCX9447.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RCX94B6.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA309.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX8518.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX8587.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows Portable Devices\dwm.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ea1d8f6d871115	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\upfc.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Windows Portable Devices\dwm.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RCX9C0F.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA377.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Google\Update\System.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\TAPI\9e8d7a4ca61bd9	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\TAPI\RCX9E13.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\TAPI\RCX9E91.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\TAPI\RuntimeBroker.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-137520623-1834890667-2396102459-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
648	schtasks.exe
1204	schtasks.exe
3708	schtasks.exe
4540	schtasks.exe
5156	schtasks.exe
3020	schtasks.exe
4520	schtasks.exe
5412	schtasks.exe
3664	schtasks.exe
4952	schtasks.exe
6056	schtasks.exe
5676	schtasks.exe
2436	schtasks.exe
4264	schtasks.exe
4708	schtasks.exe
4684	schtasks.exe
4776	schtasks.exe
4544	schtasks.exe
5584	schtasks.exe
4700	schtasks.exe
1084	schtasks.exe
4724	schtasks.exe
4692	schtasks.exe
4764	schtasks.exe
4836	schtasks.exe
4416	schtasks.exe
1260	schtasks.exe
1044	schtasks.exe
5180	schtasks.exe
464	schtasks.exe
4804	schtasks.exe
4892	schtasks.exe
4792	schtasks.exe
1480	schtasks.exe
3384	schtasks.exe
4236	schtasks.exe
5644	schtasks.exe
1048	schtasks.exe
4864	schtasks.exe
4784	schtasks.exe
740	schtasks.exe
5820	schtasks.exe
4916	schtasks.exe
4944	schtasks.exe
5600	schtasks.exe
3252	schtasks.exe
4772	schtasks.exe
4780	schtasks.exe
4120	schtasks.exe
4880	schtasks.exe
4168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2252	powershell.exe
2252	powershell.exe
1644	powershell.exe
1644	powershell.exe
1624	powershell.exe
1624	powershell.exe
5184	powershell.exe
2712	powershell.exe
5184	powershell.exe
2712	powershell.exe
5884	powershell.exe
5884	powershell.exe
5928	powershell.exe
1132	powershell.exe
5928	powershell.exe
1132	powershell.exe
4016	powershell.exe
4016	powershell.exe
3608	powershell.exe
3608	powershell.exe
2360	powershell.exe
2360	powershell.exe
1364	powershell.exe
1364	powershell.exe
5380	powershell.exe
5380	powershell.exe
2252	powershell.exe
1772	powershell.exe
1772	powershell.exe
2752	powershell.exe
2752	powershell.exe
2936	powershell.exe
2936	powershell.exe
3004	powershell.exe
3004	powershell.exe
3144	powershell.exe
3144	powershell.exe
2712	powershell.exe
2936	powershell.exe
2360	powershell.exe
3608	powershell.exe
3144	powershell.exe
5884	powershell.exe
1644	powershell.exe
1644	powershell.exe
1132	powershell.exe
4016	powershell.exe
2752	powershell.exe
5380	powershell.exe
5184	powershell.exe
5184	powershell.exe
1624	powershell.exe
1624	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	5184	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	5884	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	5380	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2664	fontdrvhost.exe
Token: SeIncreaseQuotaPrivilege	2936	powershell.exe
Token: SeSecurityPrivilege	2936	powershell.exe
Token: SeTakeOwnershipPrivilege	2936	powershell.exe
Token: SeLoadDriverPrivilege	2936	powershell.exe
Token: SeSystemProfilePrivilege	2936	powershell.exe
Token: SeSystemtimePrivilege	2936	powershell.exe
Token: SeProfSingleProcessPrivilege	2936	powershell.exe
Token: SeIncBasePriorityPrivilege	2936	powershell.exe
Token: SeCreatePagefilePrivilege	2936	powershell.exe
Token: SeBackupPrivilege	2936	powershell.exe
Token: SeRestorePrivilege	2936	powershell.exe
Token: SeShutdownPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeSystemEnvironmentPrivilege	2936	powershell.exe
Token: SeRemoteShutdownPrivilege	2936	powershell.exe
Token: SeUndockPrivilege	2936	powershell.exe
Token: SeManageVolumePrivilege	2936	powershell.exe
Token: 33	2936	powershell.exe
Token: 34	2936	powershell.exe
Token: 35	2936	powershell.exe
Token: 36	2936	powershell.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe
Token: SeTakeOwnershipPrivilege	2252	powershell.exe
Token: SeLoadDriverPrivilege	2252	powershell.exe
Token: SeSystemProfilePrivilege	2252	powershell.exe
Token: SeSystemtimePrivilege	2252	powershell.exe
Token: SeProfSingleProcessPrivilege	2252	powershell.exe
Token: SeIncBasePriorityPrivilege	2252	powershell.exe
Token: SeCreatePagefilePrivilege	2252	powershell.exe
Token: SeBackupPrivilege	2252	powershell.exe
Token: SeRestorePrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeSystemEnvironmentPrivilege	2252	powershell.exe
Token: SeRemoteShutdownPrivilege	2252	powershell.exe
Token: SeUndockPrivilege	2252	powershell.exe
Token: SeManageVolumePrivilege	2252	powershell.exe
Token: 33	2252	powershell.exe
Token: 34	2252	powershell.exe
Token: 35	2252	powershell.exe
Token: 36	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	2712	powershell.exe
Token: SeSecurityPrivilege	2712	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1772	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	133
PID 2264 wrote to memory of 1772	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	133
PID 2264 wrote to memory of 1624	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	134
PID 2264 wrote to memory of 1624	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	134
PID 2264 wrote to memory of 5928	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	135
PID 2264 wrote to memory of 5928	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	135
PID 2264 wrote to memory of 1644	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	136
PID 2264 wrote to memory of 1644	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	136
PID 2264 wrote to memory of 3608	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	138
PID 2264 wrote to memory of 3608	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	138
PID 2264 wrote to memory of 1132	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	139
PID 2264 wrote to memory of 1132	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	139
PID 2264 wrote to memory of 4016	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	141
PID 2264 wrote to memory of 4016	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	141
PID 2264 wrote to memory of 2712	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	142
PID 2264 wrote to memory of 2712	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	142
PID 2264 wrote to memory of 2752	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	143
PID 2264 wrote to memory of 2752	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	143
PID 2264 wrote to memory of 5380	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	144
PID 2264 wrote to memory of 5380	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	144
PID 2264 wrote to memory of 2360	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	146
PID 2264 wrote to memory of 2360	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	146
PID 2264 wrote to memory of 2252	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	147
PID 2264 wrote to memory of 2252	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	147
PID 2264 wrote to memory of 5884	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	148
PID 2264 wrote to memory of 5884	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	148
PID 2264 wrote to memory of 3144	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	149
PID 2264 wrote to memory of 3144	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	149
PID 2264 wrote to memory of 1364	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	151
PID 2264 wrote to memory of 1364	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	151
PID 2264 wrote to memory of 2936	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	152
PID 2264 wrote to memory of 2936	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	152
PID 2264 wrote to memory of 5184	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	153
PID 2264 wrote to memory of 5184	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	153
PID 2264 wrote to memory of 3004	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	154
PID 2264 wrote to memory of 3004	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	154
PID 2264 wrote to memory of 2664	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	169
PID 2264 wrote to memory of 2664	2264	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	169
PID 2664 wrote to memory of 5024	2664	fontdrvhost.exe	171
PID 2664 wrote to memory of 5024	2664	fontdrvhost.exe	171
PID 2664 wrote to memory of 4300	2664	fontdrvhost.exe	172
PID 2664 wrote to memory of 4300	2664	fontdrvhost.exe	172
PID 5024 wrote to memory of 2364	5024	WScript.exe	174
PID 5024 wrote to memory of 2364	5024	WScript.exe	174
PID 2364 wrote to memory of 2568	2364	fontdrvhost.exe	175
PID 2364 wrote to memory of 2568	2364	fontdrvhost.exe	175
PID 2364 wrote to memory of 4804	2364	fontdrvhost.exe	176
PID 2364 wrote to memory of 4804	2364	fontdrvhost.exe	176
PID 2568 wrote to memory of 220	2568	WScript.exe	177
PID 2568 wrote to memory of 220	2568	WScript.exe	177
PID 220 wrote to memory of 5096	220	fontdrvhost.exe	178
PID 220 wrote to memory of 5096	220	fontdrvhost.exe	178
PID 220 wrote to memory of 1212	220	fontdrvhost.exe	179
PID 220 wrote to memory of 1212	220	fontdrvhost.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
"C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7819bb69b3861a95b3\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\cd2be074b6f9ceb7c82a5635e25f\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7819bb69b3861a95b3\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7819bb69b3861a95b3\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\cd2be074b6f9ceb7c82a5635e25f\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7819bb69b3861a95b3\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\cd2be074b6f9ceb7c82a5635e25f\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe
  "C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92462a6c-d3ea-4a0c-a8bc-fcea467dd385.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe
      "C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e74615a8-7a6c-4a22-93cd-8853bdd261a7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e168bca-edb0-4be0-b9e7-83d4d6f2a0e4.vbs"
        7⤵
        
        PID:5096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8133f11d-d2ca-4f56-8cd6-2a6efdb8ab21.vbs"
        7⤵
        
        PID:1212
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7516ee8-7f49-4a7e-8314-5086f275a7ac.vbs"
        5⤵
        
        PID:4804
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e26175d-f6e5-43ed-bff6-ac0a9f62c9b8.vbs"
    3⤵
    PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\7819bb69b3861a95b3\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\7819bb69b3861a95b3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\7819bb69b3861a95b3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\7819bb69b3861a95b3\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\7819bb69b3861a95b3\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\7819bb69b3861a95b3\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\7819bb69b3861a95b3\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\7819bb69b3861a95b3\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\7819bb69b3861a95b3\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\7819bb69b3861a95b3\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\7819bb69b3861a95b3\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\7819bb69b3861a95b3\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\cd2be074b6f9ceb7c82a5635e25f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7819bb69b3861a95b3\RCX7B9B.tmp

Filesize
1.6MB

MD5
c75ab8845008382c2fdff02ad5b07362

SHA1
7aca7c435f4e047b373981aed89899b63eac38b7

SHA256
bcebeba53013a29deeef8190cc0267e87244441f16b8d92e5897692cb83b0d01

SHA512
8210e370ff1ac9690e15ebec73bd927da3537b634ecf0a003ea122563a24dd72382f63cc7d28916c3cc588bb3319024699112d4d31c1d7bb540ca65fb88e6b0c

Download Submit
C:\7819bb69b3861a95b3\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
bc5003fa92766cd61987bb87989d220e

SHA1
b9602f3966fa8ba129da7a28afe77532e8e49de7

SHA256
a72dee689bb6754a9ea5ff08c7b7fd74e69bf58529f1342624975b60d45b9a38

SHA512
56d8c43f96d26ac96e496f3852161d97ac17ac2924144338fd20258e10b47bb5eea708218f862aa70a99051afca1561faccf3de76ed206adec2567758fd5e89a

Download Submit
C:\7819bb69b3861a95b3\fontdrvhost.exe

Filesize
1.6MB

MD5
cdd669890c31dfbe19de77b344d37c8f

SHA1
53faeb9d62b490e9d5b6503dbf76d15699a7ad0a

SHA256
dff5aeb4abbc10c6c2928f0b55b7862c3bd7c1bffe022d081885d55a4ac36948

SHA512
cc02f9221f1ffeccf186a51d54db677aeb37b17fa89f6f8fcd22bdfd99e6e3b198d49a97ba2609d9317532b01504c5abe68709338acaf86fb1e267bc4bd75dd6

Download Submit
C:\7819bb69b3861a95b3\sihost.exe

Filesize
1.6MB

MD5
10964a339da34d7c1134d69c3421e371

SHA1
44b2b3aab2fc2fa887ab4dca8b11604e494bc2f1

SHA256
afbd0d6e7bc9df5148d188ad9053d6d8a864c734b1085af4b281eed93b74a8a0

SHA512
e564a03f09ff62bf7e45fdf983767cfb156a82d112fca0e5357637df35157ed15fbe8b5139d7f7f78dde396e35f721efb00d187172a64fec45b80a8a21db237b

Download Submit
C:\Program Files (x86)\Windows Portable Devices\SearchApp.exe

Filesize
1.6MB

MD5
7398a98cd5b572ae29aecddc3cc7371d

SHA1
aaaaf0494d28f0a7bd40282c8da282a5d8535aff

SHA256
040d76c9918032c18f17dc3d009cca4933f5453d39d4c458f820ea9c54b3daad

SHA512
26505961169b681a9034fd1ef7b4f8098fbcd83dfc65a7409c3cabd621e83d74e922398d977f67b4c02edf0c04aafb89f436cbe80880cc7dc18b677bf2b5bb4e

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\fontdrvhost.exe

Filesize
1.6MB

MD5
10291f2ea9876a70088dad813e96c055

SHA1
058dccc6ab0a4b7626dfe2726a008abc173271da

SHA256
34780e376566fb2f2d8afeb3c5ebaf90e75d14b2220f244326bcb4a30973b1eb

SHA512
37e9e7ff9954696eeb3f11a2d9aecb33b93242b428a48deb6a4aab2a571c7a484a19b88b287a6278831bf0e019978887228b449acf9e349b418111eeab53af51

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\upfc.exe

Filesize
1.6MB

MD5
0bf8cbbe0315b17d859ad23c6214d782

SHA1
1fb66cc92f99ffff6d28e7201d31c5dbacc3f2ee

SHA256
9fc44b32f358492621ea52184bf3842355502f48f1757a982d636532bd83e294

SHA512
526cde95868faac5e3efaeefd9bfd23c661439aa7fb1873d2fc448fe7da464380090b6fd073538ae481dc51da23120d28b59cd29bc0a5ed63d2c74e2e28104f3

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\lsass.exe

Filesize
1.6MB

MD5
cbdf6c8eb84f5daaafcf24a2437f6ed8

SHA1
dfbe3a043030921fc9d857e3190c1c90d2ff23d1

SHA256
38cacd5ae44d590e78514fa751a80354a3630b42569c7fe0134638330e257144

SHA512
8f52a61d57598789e3f53ab363e7993b27a48849727df0f6aad20119abfff439952a965654c5d4dfe3ca95eb2632c2bacef1e942ed909911b04a1d0035118e78

Download Submit
C:\Program Files\Windows Portable Devices\dwm.exe

Filesize
1.6MB

MD5
0daff6f135bad9c799314fc5597841bc

SHA1
ad0c00421ec6de99b792131c3aa4fc11d01d128b

SHA256
8402ef700b6262b20544f7a4329b0170e730fefbce9144c75c02f159745f4d24

SHA512
2add54e74580288d434cd3fdbdb22823d384208c09554ba82e0fb38e1079704d9789c8937aff156fc31f9190f7c9b43abffdb977ad3d5fef5ec5a1af44492548

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.6MB

MD5
6e12b84700c160a5f6404966af7e7885

SHA1
6b54aff41fab2a357d044c7dbf435ea81b73a887

SHA256
5fcf87d01a8df9d45ed7eebb0444bd86d2cf2ad54312377adc70e3a28b9a71c8

SHA512
117b5ce9025dd2ac6e81763b863f51d6e0a89406a32dcc86bb0229168a56be56ceda48ada717bb70ee186b06425ec62f8787ed2c4ef6129923a7666107c5fdc7

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
1.6MB

MD5
0c0badedbf414f2a7cecbfe4e7037ea9

SHA1
d8ee06532ad5c17ad509f3573d77ed0a089cfb2c

SHA256
4cacd91d93993485bbd10546a265d4552486d704cf555d2968e6366b2c040cc9

SHA512
626f50927a85d73b604f8aa70d813ae56841f8198434185e035357ddd424d83f228079c35d73e36ac6c8a7f9aee3a521bfadfb048f225c5ad1205fe3e26f1754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
12a813ec669d9480f522198c50939fb3

SHA1
8183507eb58e6d4a2681cc13371ab673f92b644f

SHA256
049951a35a57119f9057c912a8ce26ef4aeea74c8442693cc8ba99527c2483fb

SHA512
f02a15dc78a391966f0f7c86c9663469a1c8e47dab6b7b4f47fcf45f4587b66008bec68e598fee9d690e7a749a974e86bde0a3c5b17f0d2e6ca6445816b3983d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dff654d2fbed127380449804d4a2c78d

SHA1
6a68e6e19d57f8a09cd2e8920da303c9af275e00

SHA256
6b0af1827907c64667d6e417d5cb40146a8a7bcc2bdf28f0480ffd3f1d733c94

SHA512
f7a006bad3888cfb4645db49c3547766b6fab5d26aaf3f8b65b5b4073ed2b1be68b4729b1dc19f519691926d449e13227f67042f704c48e484891ce0937edc0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a916b95b9714649f0d8806481dbd66a3

SHA1
5b15c2f9bde7485af1b7f672b5b5e20f6057b6bb

SHA256
785c6ed2d1c5140e69873faf5b3f50dba6d64033d7ed96ce1f2dad397994da05

SHA512
4851894c58d6d109c61847b38b0ff7b3d757698eb2e11771b07642c5e57cacf8ea682a89f2528a6cfe05295c9c7b44163e78e2b047ccbcfebb5175be267b8b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c21075d78ea168a88c6caeaa1aec46bd

SHA1
a5d4ab29f1f13df9df56efce59161f23f1253186

SHA256
8183acfdaea4c48770f455586097387397ffeb814715c23440db76f8fa67382a

SHA512
c49d315ef5afb14a8ca909610c9bf6b71e6d4505510d5113f29f10e45876f314ec441eed623aefa6d96e5f680cdec06e504066a07c3892f31b1b29ff4fe087b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
19c0fd92bf553d56ae92a92ffb0108a0

SHA1
7a25a2faeb2b8d4c740e03ce6b79024853dcfbe6

SHA256
0921b8ea57b2528df146a13923fb5f64bf5aaada6beead229b08bd48a3a33432

SHA512
67b10e8a6e24c39fc031eeb9b59c35e344fac98aeb23f3580ad62c73f10ea031933c64a245a592234009ffc094f1c858827946ee22b9082513756a2e8fc8c9c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
671f024ee3d98e2b626b1402c95409dd

SHA1
1812e5010fbe6dec548dd57bdcd818ea61798d2d

SHA256
733b36f1e92fe7c44355214b251fc48f79434998fdefde2ccec8e38b1ef6b9d4

SHA512
f15c1f83d1e7d5358c217362432223bc74c771edc74aba7f3b132b2b4016c1be153f3172ff74873cf63e0d257ea96329f1772281d4586214d57e9d9d2ba602f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
987640dcb19a65c220fcacd9ff455748

SHA1
a08dea474ed089d914f9e823fd44a89eb44d4abf

SHA256
37f747acb75c2b79fdfc257447f784a2b82e0d20d34186b6aab61ddaf7ea4cf1

SHA512
1036f0a041ff56481b9b33e9852adfaa4475b042c44dd60bbc0617f2d1f6013b2b32d7085a75742d28cf414a8edb80c542e5d510aef5db87b6221c0bf2d13486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
49add71c55189b40a43ce7afe96f555e

SHA1
70d2741eeacd1347e4d2d3b939e98bc181be355c

SHA256
d5b11376cf05db2467e425cca4fdd87c665916ff2dd917ee11ea2583cb71572e

SHA512
f6ea1a258be3ea304c905973ec61a5b3db298e9b1ee846263a8d460b6603dbbf3ac9445b234a58dc18afe43be5ba01d326914bf50f3fee46332a8306ed506100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1a48306ad925b69ab678080f073c0ff

SHA1
ff01d66e58b9f08dd900449ab5abcb2e3afeb783

SHA256
834f8fe744bbb16c0c86716f153efe7512b8821a894b15b488b81854be2f3d3e

SHA512
bd2edb90abe0bff1907816a5303f2b279d53082f79030828e8edb4aaf86a952d025e432f3e957db229ba8d6910c531f8d21a9d8915168735e7cfd370142929aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e168bca-edb0-4be0-b9e7-83d4d6f2a0e4.vbs

Filesize
758B

MD5
bad277ec15f51d17e6c4c06e38961194

SHA1
e85728369a51117504405923813184a84c59390c

SHA256
d5495064cb999744139fa3b1988a599f567da19f3ec9fb29d8e6d537bc9d7989

SHA512
e47ef44f0ee15b070d4e69bbebb70d1533c61cad8fcca4f49aeeb29686bd54245c69b65b4c4deacc1f00b408334f60cee558a7140680d1a9a106f1f4cf0e1d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e26175d-f6e5-43ed-bff6-ac0a9f62c9b8.vbs

Filesize
535B

MD5
81b26fcc9c0d0a8831082152625a2094

SHA1
e48d3004c7eede23c8165a2b5f12a00745bf545b

SHA256
5294870830e54cf211d982f47006ba22551b6a0cb16ea2304c07eb5c015822d8

SHA512
4ec447a6ef2fa3f82e944a6d8e083afea93b4f1bbe6bde3d37b4f8dc4ea4fd87b2d8a7b76a5b41f4658c7a37d145216f49c1cfcf110f7d6051d9361c586cf361

Download Submit
C:\Users\Admin\AppData\Local\Temp\92462a6c-d3ea-4a0c-a8bc-fcea467dd385.vbs

Filesize
759B

MD5
e654dce0e1ad2c80ae6fd0d8d4c36fb0

SHA1
5a8db59a0e958d200ffa4b9301af5b3a9665f2fe

SHA256
fb7d1864d57215ab4f20596901ac6f3d0393076e7897afd734d0e35baf1404d8

SHA512
ad4228e0dfeb9f18bee5f0e09119bbce659734410113b095bd45f68e7b46807ff99edd7df94c100131a679374c21bdc4aec82ab1be3e4b68446cad7ae93f918a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_031yvwbi.4zl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e74615a8-7a6c-4a22-93cd-8853bdd261a7.vbs

Filesize
759B

MD5
3071e8f086fe6f9f379fc89a0e51dc5c

SHA1
7e83635f1aa63b0bb53d002e7fb0679fbae6862c

SHA256
6804728f6fc81da0870df8ff04b1169fa7f6ac08cb5abde8f74cb996ed32a23c

SHA512
a8c461f0e7ec04b47bfb31ef0fe9b4c262fbd3278d532ca9444f1659fabf129a8aad3cfc63c11332470f2112f7e4b79c1a390e3875d336258b7dcf77aeef3ff6

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.6MB

MD5
78fafaf324b507c08d575b3d0442e62f

SHA1
96cfc2315b7a535a31c647fb4a6170a80c2c2fec

SHA256
85bfbfa2189c6f1fdcb62623e0eb82c16bbaf03ae68d6ab7f87c9c209b3cff68

SHA512
935622a1772184c66bcfdc9f8dda48df9ca3ac8702b97e1d3ae5deb1b0bb5073e6c8c96848bf31c3fbacdf0bac1ef00070e2865b3fe2fda52f8d469a1f993e6a

Download Submit
C:\Windows\TAPI\RuntimeBroker.exe

Filesize
1.6MB

MD5
94a758361579a87ac6a80ef1ef752eee

SHA1
aeb9bac0ce06528e0b57066cda42c89c8410c952

SHA256
b893b252f7d1a2f0374a017f37def9972b8fd4da309dcc50923bd50c3692d3fc

SHA512
03c43fb812c7df09ddf197372e859ecdf7814b75e33e61f8cc5d18bb6a0006ac12ab396ccfa85fe96eee34811581ebe95bc96755d5ad7341961ac7e6fc42c7ee

Download Submit
C:\cd2be074b6f9ceb7c82a5635e25f\SearchApp.exe

Filesize
1.6MB

MD5
daa968e8f9f2fa123372eabceccfefea

SHA1
a8dc38da21376bb8f32774d6dd8bdbb7fa1c6807

SHA256
e428542df63538b3d04d5e4df30627e9b5c8d232a39b612b93c6b22f3763883f

SHA512
783397ad52fe053cc46fcccad6c974ea126b3e98e16907c8cff118d7dbe93c4c1a5df85178499d467436183584a36d46738f862f29f7fa3a694ecb6202396c18

Download Submit
C:\cd2be074b6f9ceb7c82a5635e25f\fontdrvhost.exe

Filesize
1.6MB

MD5
2edee992b9090b37ca5dd8b606414a47

SHA1
14627d7d87b92706f370dd99995ea1d0dc5420f8

SHA256
a89f1eb1f319e17c0f763750ec8060ac2eeded737f39e0a36c6cf7ef58fcd4fd

SHA512
b8f5a7c79aa2dcad62916e7e0d72b9afbd1ed5f9d08652996621f10b0a01b46b2853b93dd49cb6ee0dfcc8f1e96d85edeb80dbc005167faf89c6a7a3390b344d

Download Submit
C:\cd2be074b6f9ceb7c82a5635e25f\sppsvc.exe

Filesize
1.6MB

MD5
ef2088dbb32fc7aa21be5d8938002cd4

SHA1
49bae9163e8ed5a47785a84421cbc019e119f64f

SHA256
b796f0049426b98a15098cedef415fae7988d761d8d55bd3e49d9c1959f64517

SHA512
04af94e29e240c2268d92245e431771d198ec37a979724bdd0b82519d6d94a6de9773164c011d5f524391580d574efad45ab0e219efbcb750791a432bf84b868

Download Submit
memory/2264-16-0x000000001B9B0000-0x000000001B9BA000-memory.dmp

Filesize
40KB

Download
memory/2264-8-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/2264-127-0x00007FFF19013000-0x00007FFF19015000-memory.dmp

Filesize
8KB

Download
memory/2264-17-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

Filesize
48KB

Download
memory/2264-12-0x000000001B970000-0x000000001B97A000-memory.dmp

Filesize
40KB

Download
memory/2264-13-0x000000001B980000-0x000000001B98E000-memory.dmp

Filesize
56KB

Download
memory/2264-1-0x0000000000320000-0x00000000004C2000-memory.dmp

Filesize
1.6MB

Download
memory/2264-404-0x00007FFF19010000-0x00007FFF19AD2000-memory.dmp

Filesize
10.8MB

Download
memory/2264-2-0x00007FFF19010000-0x00007FFF19AD2000-memory.dmp

Filesize
10.8MB

Download
memory/2264-14-0x000000001B990000-0x000000001B998000-memory.dmp

Filesize
32KB

Download
memory/2264-0-0x00007FFF19013000-0x00007FFF19015000-memory.dmp

Filesize
8KB

Download
memory/2264-15-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

Filesize
32KB

Download
memory/2264-9-0x000000001B790000-0x000000001B798000-memory.dmp

Filesize
32KB

Download
memory/2264-10-0x000000001B7A0000-0x000000001B7AC000-memory.dmp

Filesize
48KB

Download
memory/2264-11-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/2264-6-0x0000000002720000-0x0000000002736000-memory.dmp

Filesize
88KB

Download
memory/2264-144-0x00007FFF19010000-0x00007FFF19AD2000-memory.dmp

Filesize
10.8MB

Download
memory/2264-7-0x0000000002740000-0x0000000002748000-memory.dmp

Filesize
32KB

Download
memory/2264-5-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2264-4-0x000000001B740000-0x000000001B790000-memory.dmp

Filesize
320KB

Download
memory/2264-3-0x0000000000DA0000-0x0000000000DBC000-memory.dmp

Filesize
112KB

Download
memory/2664-403-0x00000000005C0000-0x0000000000762000-memory.dmp

Filesize
1.6MB

Download
memory/3608-226-0x00000283F7770000-0x00000283F7792000-memory.dmp

Filesize
136KB

Download