dcrat | 96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9

Analysis

max time kernel
117s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Size

1.1MB
MD5

b1294cc7620c4edf880ebd0410dc8f40
SHA1

e557586de113cb682b6cc5230e81a784e1a9935c
SHA256

96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9
SHA512

bab9a94d9a246c6f7411ef95d4727ca9b7237f4f5378d3c2a6cb6b75cf01339765589ab573594b61d63b9bd22873c430ce8821aed529647795726534977dba5f
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpd:EPkVXFGDQoP7FRCZRonh4hfewhmpd

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	4564	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	4564	schtasks.exe	91

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1336-12-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4304	powershell.exe
3696	powershell.exe
1008	powershell.exe
1456	powershell.exe
3652	powershell.exe
3396	powershell.exe
4956	powershell.exe
2152	powershell.exe
2256	powershell.exe
2660	powershell.exe
2204	powershell.exe
852	powershell.exe
3776	powershell.exe
2044	powershell.exe
3168	powershell.exe
3096	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe

Executes dropped EXE 6 IoCs

pid	Process
5632	WmiPrvSE.exe
4632	WmiPrvSE.exe
5248	WmiPrvSE.exe
2192	WmiPrvSE.exe
4476	WmiPrvSE.exe
5784	WmiPrvSE.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 5632 set thread context of 5248	5632	WmiPrvSE.exe	183
PID 2192 set thread context of 4476	2192	WmiPrvSE.exe	191

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Java\sihost.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\c5b4cb5e9653cc	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\RCX780.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\sihost.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Java\RCXE1D.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\66fc9ff0ee96c2	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files\ModifiableWindowsApps\SppExtComObj.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\services.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\RCX77F.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\services.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\sihost.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Program Files\Java\66fc9ff0ee96c2	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Java\sihost.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\RCX1032.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files\Java\RCXE2D.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\RCX1033.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\security\cap\9e8d7a4ca61bd9	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Provisioning\Cosa\MO\RCXF93B.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Provisioning\Cosa\MO\RCXF9A9.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\security\cap\RCXFE30.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\security\cap\RuntimeBroker.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Windows\Provisioning\Cosa\MO\886983d96e3d3e	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Windows\tracing\RuntimeBroker.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Provisioning\Cosa\MO\csrss.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\tracing\RuntimeBroker.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Fonts\WmiPrvSE.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Windows\Provisioning\Cosa\MO\csrss.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Fonts\RCXC17.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Windows\tracing\9e8d7a4ca61bd9	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Windows\Fonts\WmiPrvSE.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Windows\Fonts\24dbde2999530e	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\security\cap\RCXFE31.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\tracing\RCX56A.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\tracing\RCX56B.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File opened for modification	C:\Windows\Fonts\RCXC18.tmp	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
File created	C:\Windows\security\cap\RuntimeBroker.exe	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WmiPrvSE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WmiPrvSE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WmiPrvSE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WmiPrvSE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WmiPrvSE.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	WmiPrvSE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
220	schtasks.exe
3896	schtasks.exe
4716	schtasks.exe
2324	schtasks.exe
3108	schtasks.exe
4068	schtasks.exe
2308	schtasks.exe
2724	schtasks.exe
4700	schtasks.exe
4656	schtasks.exe
4188	schtasks.exe
1828	schtasks.exe
4596	schtasks.exe
3724	schtasks.exe
4300	schtasks.exe
3672	schtasks.exe
4832	schtasks.exe
644	schtasks.exe
5004	schtasks.exe
3096	schtasks.exe
3556	schtasks.exe
1516	schtasks.exe
2136	schtasks.exe
112	schtasks.exe
2540	schtasks.exe
2708	schtasks.exe
2044	schtasks.exe
3116	schtasks.exe
2204	schtasks.exe
4500	schtasks.exe
5024	schtasks.exe
3656	schtasks.exe
3968	schtasks.exe
3480	schtasks.exe
5080	schtasks.exe
668	schtasks.exe
3776	schtasks.exe
4824	schtasks.exe
1460	schtasks.exe
4724	schtasks.exe
5076	schtasks.exe
3156	schtasks.exe
4416	schtasks.exe
4936	schtasks.exe
3936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
1456	powershell.exe
1456	powershell.exe
2044	powershell.exe
2044	powershell.exe
2660	powershell.exe
2660	powershell.exe
3696	powershell.exe
3696	powershell.exe
3776	powershell.exe
3776	powershell.exe
4304	powershell.exe
4304	powershell.exe
852	powershell.exe
852	powershell.exe
3168	powershell.exe
3168	powershell.exe
2152	powershell.exe
2152	powershell.exe
2256	powershell.exe
2256	powershell.exe
1008	powershell.exe
2204	powershell.exe
1008	powershell.exe
2204	powershell.exe
4956	powershell.exe
4956	powershell.exe
3096	powershell.exe
3096	powershell.exe
3396	powershell.exe
3396	powershell.exe
3652	powershell.exe
3652	powershell.exe
2256	powershell.exe
1456	powershell.exe
2044	powershell.exe
3776	powershell.exe
3168	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Token: SeDebugPrivilege	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	5632	WmiPrvSE.exe
Token: SeDebugPrivilege	5248	WmiPrvSE.exe
Token: SeDebugPrivilege	4476	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2948	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	99
PID 1592 wrote to memory of 2948	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	99
PID 1592 wrote to memory of 2948	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	99
PID 1592 wrote to memory of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 1592 wrote to memory of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 1592 wrote to memory of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 1592 wrote to memory of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 1592 wrote to memory of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 1592 wrote to memory of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 1592 wrote to memory of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 1592 wrote to memory of 1336	1592	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	100
PID 1336 wrote to memory of 1456	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	149
PID 1336 wrote to memory of 1456	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	149
PID 1336 wrote to memory of 1456	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	149
PID 1336 wrote to memory of 2256	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	150
PID 1336 wrote to memory of 2256	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	150
PID 1336 wrote to memory of 2256	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	150
PID 1336 wrote to memory of 3168	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	151
PID 1336 wrote to memory of 3168	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	151
PID 1336 wrote to memory of 3168	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	151
PID 1336 wrote to memory of 3652	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	152
PID 1336 wrote to memory of 3652	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	152
PID 1336 wrote to memory of 3652	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	152
PID 1336 wrote to memory of 2152	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	153
PID 1336 wrote to memory of 2152	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	153
PID 1336 wrote to memory of 2152	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	153
PID 1336 wrote to memory of 1008	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	154
PID 1336 wrote to memory of 1008	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	154
PID 1336 wrote to memory of 1008	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	154
PID 1336 wrote to memory of 2044	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	156
PID 1336 wrote to memory of 2044	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	156
PID 1336 wrote to memory of 2044	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	156
PID 1336 wrote to memory of 4304	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	157
PID 1336 wrote to memory of 4304	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	157
PID 1336 wrote to memory of 4304	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	157
PID 1336 wrote to memory of 2660	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	159
PID 1336 wrote to memory of 2660	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	159
PID 1336 wrote to memory of 2660	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	159
PID 1336 wrote to memory of 4956	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	160
PID 1336 wrote to memory of 4956	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	160
PID 1336 wrote to memory of 4956	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	160
PID 1336 wrote to memory of 3396	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	162
PID 1336 wrote to memory of 3396	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	162
PID 1336 wrote to memory of 3396	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	162
PID 1336 wrote to memory of 3776	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	163
PID 1336 wrote to memory of 3776	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	163
PID 1336 wrote to memory of 3776	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	163
PID 1336 wrote to memory of 2204	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	165
PID 1336 wrote to memory of 2204	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	165
PID 1336 wrote to memory of 2204	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	165
PID 1336 wrote to memory of 852	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	166
PID 1336 wrote to memory of 852	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	166
PID 1336 wrote to memory of 852	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	166
PID 1336 wrote to memory of 3096	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	168
PID 1336 wrote to memory of 3096	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	168
PID 1336 wrote to memory of 3096	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	168
PID 1336 wrote to memory of 3696	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	171
PID 1336 wrote to memory of 3696	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	171
PID 1336 wrote to memory of 3696	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	171
PID 1336 wrote to memory of 5632	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	181
PID 1336 wrote to memory of 5632	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	181
PID 1336 wrote to memory of 5632	1336	96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe	181
PID 5632 wrote to memory of 4632	5632	WmiPrvSE.exe	182
PID 5632 wrote to memory of 4632	5632	WmiPrvSE.exe	182

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
"C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
  "{path}"
  2⤵
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Cosa\MO\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\cap\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Registry.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\sihost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\sihost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\uk-UA\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Microsoft\Registry.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- - C:\Windows\Fonts\WmiPrvSE.exe
    "C:\Windows\Fonts\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5632
  - - C:\Windows\Fonts\WmiPrvSE.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:4632
  - - C:\Windows\Fonts\WmiPrvSE.exe
      "{path}"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:5248
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9270928-d7f0-463b-a46d-2b0c17db63f8.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
      - C:\Windows\Fonts\WmiPrvSE.exe
        
        C:\Windows\Fonts\WmiPrvSE.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\Fonts\WmiPrvSE.exe
        
        "{path}"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f180e2b-31a7-43bb-b84f-5e2984e7a8bb.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\Fonts\WmiPrvSE.exe
        
        C:\Windows\Fonts\WmiPrvSE.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7c8ef17-a192-4fb6-ae94-df4720873ebb.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b09ec29-ef12-426c-916c-e0e782feb2f3.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\My Documents\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Provisioning\Cosa\MO\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\MO\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Cosa\MO\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\security\cap\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\security\cap\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\security\cap\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Java\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\wininit.exe

Filesize
1.1MB

MD5
c1dffb14161c826bcaf8daf0228a8605

SHA1
feb018400626597b77f1f97ed815b3a299fc3b58

SHA256
64f4f504ffa7d4064eb05ac7e7a1811bb0a355a53d687b61bd15f23f7687862d

SHA512
087d717efba7c8c3fd56c78605adb2db46136376c2b546aee50b734bc2be3e8674f5564f87fcfcfc396be08e27dffa238d9fd2e81524cd328e88771424577516

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
1.1MB

MD5
e953ff94c0a3732063164484d6bbd614

SHA1
44167ecdbbbedade289d2a6eba96cfd5639f3cfc

SHA256
5f7cfc2b5004b766ba0a1434333976acd286667c4c58a8ea54697ab4d21664d8

SHA512
5a7cf6a0cc7b0032d8448b7d31abd431ff2a86eec8287235403b55721bb1b63a8517d2bef41f99c0f2b8f5a4c54a26b97845fbbb23bed44df5b28d90c203bb48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9N.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ec2f3cefd77a38b3388df31d91b03ca6

SHA1
4d9263dfeaae00882a1022e1ec85d2a9bfeeeb3e

SHA256
4b3024b71bc0454c7985fde9f8230bc57aa5ba26eac44063a68ab3997dd9e7dc

SHA512
03d4c59921ce3816513004c59259991d73b3561e093c8b72b8db1eb2a65fbbfbb7cdded166765351e8de66c91b3199e71a40b8c50efac7131269c51cbd89bb94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fd5f505a7f3022837a1c75801468693b

SHA1
36a5e0a581da6cc9672050926fbed7be6782eb0f

SHA256
f66e2ba4a203536f12497583420b3cff60985a309587b2c5550f2819f6f29b11

SHA512
0035daecba06f980564d82bcb0b45b11bf54e96beb464965ed896a2b70d3c121058c8f8ca2c0b4272b69a1b38b4868ffa05fa41fb2c6a9d80ee3dc0e6ef9c2a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
11c60fe243433d85996e8b4bcb0f744f

SHA1
56e427bd5824a25bd80b53b2cb0091f10a91b710

SHA256
089e46b2133d790c507193949082081fe442e274ed0228259ab72d9eee470648

SHA512
28b78ad5070d83666cf7509210f389bebd8cb93abd42cb22251295f02c6da28e2c8012fdf091295bc1e1d94446e691f5ba891f732c9ca3356724d6673b25d49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e3120a977c371c350987b08746d21093

SHA1
58fb5bdf841d01ca141c4c88758c53f333f9ab05

SHA256
e3cbb7c5c75cea72e8784efdabafa33b79d313c9e6af75c0f565f7521e43503b

SHA512
23247b7e244bd33249c4fb5816b3560c5b27e8be9963542f83f3da2ed69fa43c95f46239635fcc7882f3277e457492f578baffcd7b436e866978b97a0213eb8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
45dbab50b47ab10d017c020826815f60

SHA1
ff6a4b19bbae4a124d74e334245cd485c6171c1a

SHA256
fd9ab07246c958323b0d9a226789041fe440abc08c8a6efe5b38b9181f2ebe51

SHA512
51bff33d9a0a83973099e0ed4c3bc4dc800c6d5974310d3a1ca02d52e38b4c8d0434879deeecad8319eabc191bce83a2bc58c19cfa9e50e3578d5e37f391b5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bef58a40117f14d286456b8d8a05f1fe

SHA1
a1a2f09e844e2b0053c90de40628f902136473af

SHA256
9a31740a306c67a0bec5ef7a6171565449e8e6d33d0a4750b5e147899970bca8

SHA512
a9f4a40905e546c75dae5ed880e39827845360ab617c91ee34d2e9d512eb8832deb328223bf73d0aa6133b06e4ec5909f4725fbef7897d59ecc70b51c2005476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dbdc96d0a6154abeafd4fa6cf429a51d

SHA1
dbc71f677ddc3257d1e873e4558a41be09ab9e05

SHA256
a7198128f064070e144a06211958ef69660a1de6b7774dabf8077f0d0b715b0b

SHA512
335d8e217cfea3b4a07eeabb87094eb7ec36f8d0d591cd484ab927f1d228bb9d23d89f585ac22ffb85767681976c7993715873a35e949b202d65c8dd20e2e58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
82039c55d22a209c9064efe096fb4d57

SHA1
a81025d5ea9303285b664c11e1b1428304cf9694

SHA256
1ec457632daa8880767fe22dde194f7031a61011cc7ce4be9dc45b5b267d7c76

SHA512
c3fab0db412963472a8597ac3b2019da7af89ea2e9e53de09f04b88872bde3ede4eec8c842af796bb5a304837961c6e27b11294ef781f4d48b732ad1975b28f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a9e4f854c544008826c6e171f189d00f

SHA1
f35c62661602291c5cea74386504940d5d77512a

SHA256
aa087cbd9585f67d6d3bd946ab6bff5686bd2cb55da62058a6269e8ae8d53157

SHA512
ae6375c55b534443e4de5cdf7ce51623373fd2ca11aa180338c644cec4bb73b803e8fc4ed2943f449bf2b24e4c9434ca54f99129ad2261d5a6f51a62db7b546a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
361c0fc57c0b403b7f21e333fd925513

SHA1
96d83d471395c04b6328246167a75f7da97f25b9

SHA256
ce5db4fee03147b9442d5242dcdadb45cc84dfc18d62f2d0fa07c6837fd83229

SHA512
c664c695f76e0045f497a64476e453fbd34016cc4f3affbeaf85caba17f1d6a8c6ef1de99263dbf02c628a3ebb787b27eb3da9a6365e322281b0d682685f36dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b09ec29-ef12-426c-916c-e0e782feb2f3.vbs

Filesize
481B

MD5
5f9b1c5d74ca819246ca46858504eb73

SHA1
654ce78deea224b76ff8298886e71a53e5261c69

SHA256
6c1f5f1a439b80f79611caea17e3edb71908a6d54e8fb21b24133288000c0f3b

SHA512
f3416510566fd1f59aa39d5775abb49e492a18c5697e7f5940ab27ce366331fbd841822765abaf5617ad13ad6884f7106f0ec07c8a7e0a41710d2775930aea51

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f180e2b-31a7-43bb-b84f-5e2984e7a8bb.vbs

Filesize
705B

MD5
9d3f3e0da85f73b79f76bdf50761c341

SHA1
0cbd7d1d26d99d106dd3cdeee4aa159a61929939

SHA256
a25776fae68a3a211cf2c3bc9a93929f6793d27ce8ba227c70a851a42069f24e

SHA512
cc8dfb0b9aa8cbd2b60b2b9996885cd8630fb623d99ca269710b89072aacb7bb7b98a00604171e5579135708c42e5545e1233550a74b8c6d7db60c42e2e3fda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33viel2i.lmc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9270928-d7f0-463b-a46d-2b0c17db63f8.vbs

Filesize
705B

MD5
2cfc582a8d0c2f78b95a002babdf6573

SHA1
172045f385f31f1ba93d2458628c97389901fea0

SHA256
44553e33d915e84c4e515fec015fee2e449033bda0e262b97b92c6e49ade49ee

SHA512
72a23242f5b37a303d98e4a0523807604fa9d16e9383aa2b5b570e7c4bcb2733b2a7d959202d311fff8f83fe5e4491866be931e8e0344cc26997ff2d95224369

Download Submit
C:\Users\Default\Documents\dwm.exe

Filesize
1.1MB

MD5
aea2311c104883f168fde95f772cd1a5

SHA1
d9904e5e1bd32bce94815739873bd71569c27613

SHA256
199b7de65189abb3a4ad930219a8814b80eba98ee2a426d10e004013e1c6da25

SHA512
5edf14fcf9853a12e910646eb35aec08a8ec827d067a147434534d3fb85f2efaf3b40e9132f1f3dee75eabc84c1ace4f0595d1e6ca468e3c7189ddf1c3818563

Download Submit
C:\Users\Default\Registry.exe

Filesize
1.1MB

MD5
23995ce146c66d1ddb9774942804083d

SHA1
21a71e212a05cfe0c41e79b4bbc9235ecc35b95f

SHA256
1bec9838b21e3ef1688c588c2e0334bcf949cfa08accb3cb600b224815460cde

SHA512
76561c319df587116360a8f278fed85f494dabb6092a9d2c6737f07535f214a106611905ecc71121878b32d02922e36bc2cf6c2213f4555dac6ab83e4205e37a

Download Submit
C:\Windows\Provisioning\Cosa\MO\csrss.exe

Filesize
1.1MB

MD5
b4e468de23f1832d6d4a85a60618ba9c

SHA1
f1f95a3508d10d48ca96a8f7b1ce73d14d23ed87

SHA256
b2089ac13812f78ea7ac524b1d843a0707c590df74a5b0c7b533d8d0e76eba73

SHA512
eec85999f75c4f95275e501acdd423bd3150fe9e2356938fda30885df7352be888864e1b145291f588da311c26ad6efc0cc94c9be4126c4f80673e3f746f9646

Download Submit
C:\Windows\security\cap\RuntimeBroker.exe

Filesize
1.1MB

MD5
b1294cc7620c4edf880ebd0410dc8f40

SHA1
e557586de113cb682b6cc5230e81a784e1a9935c

SHA256
96a470c9667f4a8b55bbec866dcc8064f39f1c88002c9c11ad0b44bddd6c51c9

SHA512
bab9a94d9a246c6f7411ef95d4727ca9b7237f4f5378d3c2a6cb6b75cf01339765589ab573594b61d63b9bd22873c430ce8821aed529647795726534977dba5f

Download Submit
memory/852-561-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/1008-500-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/1336-27-0x00000000059F0000-0x00000000059FE000-memory.dmp

Filesize
56KB

Download
memory/1336-440-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1336-21-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/1336-28-0x0000000005A10000-0x0000000005A1C000-memory.dmp

Filesize
48KB

Download
memory/1336-29-0x0000000005A40000-0x0000000005A4A000-memory.dmp

Filesize
40KB

Download
memory/1336-30-0x0000000005A70000-0x0000000005A7C000-memory.dmp

Filesize
48KB

Download
memory/1336-33-0x0000000007660000-0x00000000076C6000-memory.dmp

Filesize
408KB

Download
memory/1336-25-0x00000000059C0000-0x00000000059CC000-memory.dmp

Filesize
48KB

Download
memory/1336-22-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/1336-26-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/1336-20-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/1336-19-0x00000000058D0000-0x0000000005920000-memory.dmp

Filesize
320KB

Download
memory/1336-18-0x0000000002960000-0x000000000297C000-memory.dmp

Filesize
112KB

Download
memory/1336-193-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1336-217-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1336-17-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1336-15-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1336-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1336-24-0x0000000007940000-0x0000000007E6C000-memory.dmp

Filesize
5.2MB

Download
memory/1336-23-0x0000000005920000-0x0000000005932000-memory.dmp

Filesize
72KB

Download
memory/1456-560-0x0000000007900000-0x000000000790A000-memory.dmp

Filesize
40KB

Download
memory/1456-476-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/1456-243-0x0000000004F90000-0x0000000004FC6000-memory.dmp

Filesize
216KB

Download
memory/1456-310-0x00000000060D0000-0x0000000006424000-memory.dmp

Filesize
3.3MB

Download
memory/1456-609-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

Filesize
68KB

Download
memory/1456-453-0x0000000006AC0000-0x0000000006ADE000-memory.dmp

Filesize
120KB

Download
memory/1456-443-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/1456-442-0x0000000007760000-0x0000000007792000-memory.dmp

Filesize
200KB

Download
memory/1456-608-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/1456-454-0x00000000077A0000-0x0000000007843000-memory.dmp

Filesize
652KB

Download
memory/1456-290-0x0000000005F20000-0x0000000005F42000-memory.dmp

Filesize
136KB

Download
memory/1592-10-0x0000000006180000-0x0000000006276000-memory.dmp

Filesize
984KB

Download
memory/1592-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/1592-1-0x00000000001C0000-0x00000000002EC000-memory.dmp

Filesize
1.2MB

Download
memory/1592-2-0x00000000051F0000-0x0000000005794000-memory.dmp

Filesize
5.6MB

Download
memory/1592-3-0x0000000004CE0000-0x0000000004D72000-memory.dmp

Filesize
584KB

Download
memory/1592-4-0x0000000004E20000-0x0000000004EBC000-memory.dmp

Filesize
624KB

Download
memory/1592-5-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1592-6-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

Filesize
40KB

Download
memory/1592-7-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/1592-8-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/1592-9-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/1592-11-0x00000000098B0000-0x00000000099DE000-memory.dmp

Filesize
1.2MB

Download
memory/1592-16-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2044-611-0x0000000007C10000-0x0000000007C24000-memory.dmp

Filesize
80KB

Download
memory/2044-612-0x0000000007D10000-0x0000000007D2A000-memory.dmp

Filesize
104KB

Download
memory/2044-465-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/2044-610-0x0000000007C00000-0x0000000007C0E000-memory.dmp

Filesize
56KB

Download
memory/2044-613-0x0000000007CF0000-0x0000000007CF8000-memory.dmp

Filesize
32KB

Download
memory/2152-550-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/2204-510-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/2256-428-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/2256-244-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/2256-429-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

Filesize
304KB

Download
memory/2256-291-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/2256-475-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/2256-455-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/2660-537-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/3096-598-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/3168-549-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/3396-478-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/3652-497-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/3696-527-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/3776-477-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/4304-548-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/4476-665-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/4956-547-0x000000006F630000-0x000000006F67C000-memory.dmp

Filesize
304KB

Download
memory/5248-652-0x0000000005610000-0x0000000005622000-memory.dmp

Filesize
72KB

Download
memory/5632-441-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download