dcrat | b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Size

1.7MB
MD5

9dd2bc624ea9c953ff5621fef397066b
SHA1

e4ea9a4db77e4a5b3f062d4a3bbe10aa04913593
SHA256

b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6
SHA512

c63117abd2afa7b97afa1439b44412439bf5c0608fdcd4d45fce397d1a2e30766e2df0a19fafcb43b3cf657abe379848dbed4eaa666474be19ec52b7e7740a12
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3452	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3452	schtasks.exe	83

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2372-1-0x0000000000140000-0x0000000000300000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbd-30.dat	dcrat
behavioral2/files/0x000c000000023ce8-93.dat	dcrat
behavioral2/files/0x0009000000023cb5-104.dat	dcrat
behavioral2/files/0x000c000000023cb9-153.dat	dcrat
behavioral2/files/0x000c000000023ccf-223.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
848	powershell.exe
944	powershell.exe
1836	powershell.exe
1248	powershell.exe
3608	powershell.exe
5032	powershell.exe
4320	powershell.exe
4768	powershell.exe
2060	powershell.exe
1592	powershell.exe
3192	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 9 IoCs

pid	Process
2504	csrss.exe
1208	csrss.exe
3636	csrss.exe
2844	csrss.exe
4012	csrss.exe
3144	csrss.exe
4900	csrss.exe
3020	csrss.exe
4472	csrss.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\services.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX372.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\22eafd247d37c3	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\MSBuild\c5b4cb5e9653cc	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXFAB0.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Google\Temp\5b884080fd4f94	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\RCXF414.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX3F0.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXFAB1.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXFF49.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Google\Chrome\27d1bcfc3c54e0	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\System.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Defender\System.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXF618.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Defender\27d1bcfc3c54e0	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\7-Zip\Lang\55b276f4edf653	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\MSBuild\RCX15E.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXE87F.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\RCXF403.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\unsecapp.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\29c1c3cc0f7685	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Google\Temp\fontdrvhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Google\Chrome\System.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\MSBuild\services.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXF687.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Google\Chrome\System.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\fontdrvhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXFF48.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\MSBuild\RCX15D.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXE880.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\unsecapp.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1945310375\TextInputHost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-tapiservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_9e2abf73c688ce15\fontdrvhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5096	schtasks.exe
1436	schtasks.exe
3976	schtasks.exe
3188	schtasks.exe
4984	schtasks.exe
3772	schtasks.exe
1052	schtasks.exe
3116	schtasks.exe
4932	schtasks.exe
3192	schtasks.exe
1044	schtasks.exe
5112	schtasks.exe
3440	schtasks.exe
4148	schtasks.exe
4876	schtasks.exe
4104	schtasks.exe
3992	schtasks.exe
3156	schtasks.exe
404	schtasks.exe
2080	schtasks.exe
3068	schtasks.exe
3676	schtasks.exe
3968	schtasks.exe
3108	schtasks.exe
3400	schtasks.exe
3488	schtasks.exe
3608	schtasks.exe
2592	schtasks.exe
4688	schtasks.exe
2772	schtasks.exe
4240	schtasks.exe
4544	schtasks.exe
4728	schtasks.exe
2060	schtasks.exe
4768	schtasks.exe
3952	schtasks.exe
4580	schtasks.exe
5076	schtasks.exe
2280	schtasks.exe
4708	schtasks.exe
4124	schtasks.exe
1400	schtasks.exe
1388	schtasks.exe
4592	schtasks.exe
2448	schtasks.exe
2860	schtasks.exe
3936	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2504	csrss.exe
Token: SeDebugPrivilege	1208	csrss.exe
Token: SeDebugPrivilege	3636	csrss.exe
Token: SeDebugPrivilege	2844	csrss.exe
Token: SeDebugPrivilege	4012	csrss.exe
Token: SeDebugPrivilege	3144	csrss.exe
Token: SeDebugPrivilege	4900	csrss.exe
Token: SeDebugPrivilege	3020	csrss.exe
Token: SeDebugPrivilege	4472	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2060	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	132
PID 2372 wrote to memory of 2060	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	132
PID 2372 wrote to memory of 1836	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	133
PID 2372 wrote to memory of 1836	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	133
PID 2372 wrote to memory of 944	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	134
PID 2372 wrote to memory of 944	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	134
PID 2372 wrote to memory of 848	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	135
PID 2372 wrote to memory of 848	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	135
PID 2372 wrote to memory of 4768	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	136
PID 2372 wrote to memory of 4768	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	136
PID 2372 wrote to memory of 1248	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	137
PID 2372 wrote to memory of 1248	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	137
PID 2372 wrote to memory of 5032	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	138
PID 2372 wrote to memory of 5032	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	138
PID 2372 wrote to memory of 3608	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	139
PID 2372 wrote to memory of 3608	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	139
PID 2372 wrote to memory of 4320	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	140
PID 2372 wrote to memory of 4320	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	140
PID 2372 wrote to memory of 3192	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	141
PID 2372 wrote to memory of 3192	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	141
PID 2372 wrote to memory of 1592	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	142
PID 2372 wrote to memory of 1592	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	142
PID 2372 wrote to memory of 2504	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	154
PID 2372 wrote to memory of 2504	2372	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	154
PID 2504 wrote to memory of 4896	2504	csrss.exe	158
PID 2504 wrote to memory of 4896	2504	csrss.exe	158
PID 2504 wrote to memory of 2088	2504	csrss.exe	159
PID 2504 wrote to memory of 2088	2504	csrss.exe	159
PID 4896 wrote to memory of 1208	4896	WScript.exe	171
PID 4896 wrote to memory of 1208	4896	WScript.exe	171
PID 1208 wrote to memory of 3768	1208	csrss.exe	173
PID 1208 wrote to memory of 3768	1208	csrss.exe	173
PID 1208 wrote to memory of 4680	1208	csrss.exe	174
PID 1208 wrote to memory of 4680	1208	csrss.exe	174
PID 3768 wrote to memory of 3636	3768	WScript.exe	176
PID 3768 wrote to memory of 3636	3768	WScript.exe	176
PID 3636 wrote to memory of 4104	3636	csrss.exe	178
PID 3636 wrote to memory of 4104	3636	csrss.exe	178
PID 3636 wrote to memory of 4736	3636	csrss.exe	179
PID 3636 wrote to memory of 4736	3636	csrss.exe	179
PID 4104 wrote to memory of 2844	4104	WScript.exe	180
PID 4104 wrote to memory of 2844	4104	WScript.exe	180
PID 2844 wrote to memory of 4328	2844	csrss.exe	182
PID 2844 wrote to memory of 4328	2844	csrss.exe	182
PID 2844 wrote to memory of 2876	2844	csrss.exe	183
PID 2844 wrote to memory of 2876	2844	csrss.exe	183
PID 4328 wrote to memory of 4012	4328	WScript.exe	185
PID 4328 wrote to memory of 4012	4328	WScript.exe	185
PID 4012 wrote to memory of 3172	4012	csrss.exe	187
PID 4012 wrote to memory of 3172	4012	csrss.exe	187
PID 4012 wrote to memory of 640	4012	csrss.exe	188
PID 4012 wrote to memory of 640	4012	csrss.exe	188
PID 3172 wrote to memory of 3144	3172	WScript.exe	190
PID 3172 wrote to memory of 3144	3172	WScript.exe	190
PID 3144 wrote to memory of 1460	3144	csrss.exe	192
PID 3144 wrote to memory of 1460	3144	csrss.exe	192
PID 3144 wrote to memory of 4480	3144	csrss.exe	193
PID 3144 wrote to memory of 4480	3144	csrss.exe	193
PID 1460 wrote to memory of 4900	1460	WScript.exe	194
PID 1460 wrote to memory of 4900	1460	WScript.exe	194
PID 4900 wrote to memory of 408	4900	csrss.exe	196
PID 4900 wrote to memory of 408	4900	csrss.exe	196
PID 4900 wrote to memory of 4152	4900	csrss.exe	197
PID 4900 wrote to memory of 4152	4900	csrss.exe	197

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
"C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Users\Default User\csrss.exe
  "C:\Users\Default User\csrss.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20a8062d-94e7-4a9f-9e6f-dd66f09b745b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Users\Default User\csrss.exe
      "C:\Users\Default User\csrss.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75b5eca6-2f98-4d57-9698-18c4c0ce52b7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a55cd966-7514-474e-9542-a6285bca86cd.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22b89e39-23da-4eae-84b3-f10a465dab07.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ff6dd8-8fcb-44d5-a6f7-c07b398cc493.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d5aac83-4ed4-4771-818b-86a6441ccfe5.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df407ce1-bf11-4560-8059-c8de255552a4.vbs"
        15⤵
        
        PID:408
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3edee613-caf3-447b-851a-0fab8df30121.vbs"
        17⤵
        
        PID:376
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c6801f7-b4f0-4b4f-b6dd-aff261558491.vbs"
        19⤵
        
        PID:2416
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        20⤵
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2e2de8d-03d3-421a-b8bb-0cd57245c99b.vbs"
        19⤵
        
        PID:216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75c1b5ba-fe4c-46f1-924a-1c288e385ea3.vbs"
        17⤵
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b7d9114-e351-4808-af08-f0ddcd3d32c6.vbs"
        15⤵
        
        PID:4152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fa7db5f-26f0-4cfb-adeb-dd7bd00f195a.vbs"
        13⤵
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4af584c-b71c-4bf6-a98c-fe4254706291.vbs"
        11⤵
        
        PID:640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cb333d6-8b65-4dc1-95fd-506c90d8f909.vbs"
        9⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8580c4a0-5475-487c-a23d-d4cbbd822cbf.vbs"
        7⤵
        
        PID:4736
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0551d12-1d06-409b-8a03-193049ea765a.vbs"
        5⤵
        
        PID:4680
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1db3f5a-d219-40bf-a9f3-2c187acce077.vbs"
    3⤵
    PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\StartMenuExperienceHost.exe

Filesize
1.7MB

MD5
5f5a02def0abd31971dbe4773f95e251

SHA1
acf94ea31a59aafaa43cf6f410fa0c4eed5418d1

SHA256
58edb2d64e4ccf1d99028711698010ea37dbbe04a376264481a627ab5f2c016d

SHA512
dca218428722a49eed119bf88586e69f250a4b8c2d449253944b5f760386137fd0e7686fd9cd524ce02e98034cac2e2ea4d1d3db27615a9a97084f6746aaaaa5

Download Submit
C:\Program Files\Google\Chrome\System.exe

Filesize
1.7MB

MD5
e478e4de9782be94944066b0c5bf4c46

SHA1
7b3074ac778f1027b8af41e39c8880d77d9ffa92

SHA256
73f81ed0250709e9d5edd2233a61ce30c7ed84446ac9571739255c7e5a2d0060

SHA512
351f6800f1f629ffb0611b2f275cffd221cafc49fbdb523d3a0edf03f3cecb59fadc5c7aa03b64524cd124e2b6dbc8a23fd87d87341f027e29193b076ef81a8b

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.7MB

MD5
9dd2bc624ea9c953ff5621fef397066b

SHA1
e4ea9a4db77e4a5b3f062d4a3bbe10aa04913593

SHA256
b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6

SHA512
c63117abd2afa7b97afa1439b44412439bf5c0608fdcd4d45fce397d1a2e30766e2df0a19fafcb43b3cf657abe379848dbed4eaa666474be19ec52b7e7740a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35967cf5ed9a95ec4fe527dd96567a02

SHA1
6a7439c241a30ec540d5d204e02a4cbb2a464737

SHA256
4394552922777081d43fb523126cf176d5a676602a5435713320942034f6b3cf

SHA512
419b3c336a67ef964bc166d1267cea146ed5878f98304d6e39fb9a3c0394d75693810a9ddc101cdda5e3196ad7d603df01a3260705cf9ef7cf8d4b252df01f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\20a8062d-94e7-4a9f-9e6f-dd66f09b745b.vbs

Filesize
707B

MD5
74e8d3738662729c632c1369209f868a

SHA1
6c7c1236e826ab0a7124cc0c2b296eb7fdd2106c

SHA256
20dc420a06d7e8c2f93906bfe0ca001095d38e296cf4754fdb26c1351b405192

SHA512
f2011521a8a6366703698e9ff54597c8c06332ec55166ef6bd8cab4100d711e439a7c1ab2f7bd944b5a03c63e62ab9244dbdf8a60c36e166dc7461bb533f7344

Download Submit
C:\Users\Admin\AppData\Local\Temp\22b89e39-23da-4eae-84b3-f10a465dab07.vbs

Filesize
707B

MD5
c4cef6892dea634d34fb5e1e6aaa351b

SHA1
8cb563852c85d2d288189e4357c7ffb1305ea8e3

SHA256
c0d215f795bbd4791ce47b31018224fa91e79edea800441e3c6793384243caf1

SHA512
a312e96b8c360bc3c19a20ddc7a245a6d82e7800ce4968c839a742ecf0290c0db7eb24d5c30efa59c2cdd7eada3b04c7407202239d4cc779411eac9f6ea2df71

Download Submit
C:\Users\Admin\AppData\Local\Temp\3edee613-caf3-447b-851a-0fab8df30121.vbs

Filesize
707B

MD5
84ff4e2c4c484efedfff86e7efe3eb01

SHA1
0fa573d53c21b7a880869af991ceb493ad13442a

SHA256
75a83d8b50d08e07ceb7546bb676272bdcd20c3dc9243028d6e0a8f20ca453a7

SHA512
70c77de1400120b9f251d29a5f133f2b9496d76fd9c5d134434474127595d5ec1820786e6806972da55adc272aab1a409e107b6f04a44957e21db1c57abe2a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c6801f7-b4f0-4b4f-b6dd-aff261558491.vbs

Filesize
707B

MD5
ebed66b9eab474d28837ef3d6c7a8731

SHA1
c18c25f4e706753ee5290a2b073bd5367b869ce3

SHA256
e76cf744cc576d202acd8c04efd3e38db84830bf0b97ecb223922b9b5ab7f238

SHA512
f09b1d73a400b84797c028f89fe40a5c7622db34f7fe9817e0bf3660bba64e407ea02d44720e0eaee519fda602b0ec257f80efbb73a314dd0302a4cd793f26b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\75b5eca6-2f98-4d57-9698-18c4c0ce52b7.vbs

Filesize
707B

MD5
455286c41e2287e47e097b3558b7a68b

SHA1
a6dfac8cda789705272685ab5492a29a9df2e1a1

SHA256
08ab92780071b41e8a8c522193753652f6d951a1bbb4daef591a47bd4e4c89ad

SHA512
503c34f6746e3c9c98c2a5f626ccf0cdfb695123f9a79516b88f7a2b5a0625963bc72fb5962426820b8de0913113d6bc65832ac5cbd5d3c95594f0a638cf17d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d5aac83-4ed4-4771-818b-86a6441ccfe5.vbs

Filesize
707B

MD5
ef27b7432c22de5d41e6f2e24f5de450

SHA1
18aa107ea204028860bff828a48ec5323913722c

SHA256
5c65d5fc0ad225862c3882b6e67e17915c49aace59ec180978d3f1e36777a58f

SHA512
9880e489f0441989768595cb1b369167ef54f0f5e8c1bfc43cbc35d2189e01734ab9ddab5ef7eb3ca9bcfb7af62b0c6fea54cddb6de7c1ed70c02341e0bf711b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrqts5fr.rsb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0ff6dd8-8fcb-44d5-a6f7-c07b398cc493.vbs

Filesize
707B

MD5
54c573aa076ff5ccd5e3465c88540d11

SHA1
61e2fb69fff749c63c630327dcb9d2f447274f77

SHA256
1cacf9e18a28628638f87ed2a27f8cace3030946ebe2053b31b65e8880d23b67

SHA512
4e040d0e02774d3c74310f722de50e06e416e5f112fe8f5697980e130d918c3a1236457b9de6f141fc4986416934c6b024660536ce879d6c08e1c21398254980

Download Submit
C:\Users\Admin\AppData\Local\Temp\a55cd966-7514-474e-9542-a6285bca86cd.vbs

Filesize
707B

MD5
39958d29c47d3b2f16ea28976d61ca63

SHA1
8e068894ba447d257338869a37f9cd99d71aa48c

SHA256
8c4ae6fc4acf3e0c28841eee704e116156a816318afb8065fb41d6af8e7c9a70

SHA512
2b7b9b3a20aecaa9a6842fc7143ba7124743a3134440e6fde93d44d324f0ba10a4690df01d5a8cae229624c3e0f13e87a1ebaec5d06a95acede74ffa254408cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\df407ce1-bf11-4560-8059-c8de255552a4.vbs

Filesize
707B

MD5
ca40769444915a9fffb5ce2250bb82c6

SHA1
83fff27db0e7e8c9d83c849f46172f4f5fe861fa

SHA256
d863600796d8ea061eb9f244d92e5a8988cd71e024e58a82af03e33bcb4d2dfb

SHA512
08e929b3c55daa4589d73b10c2a24fdc6b298ccd83576bde77f168f302c511b844e7975bda158c8e0cbe8dea411ea6527f8c9b23b3a17ad7fe1fd3a2e8497b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1db3f5a-d219-40bf-a9f3-2c187acce077.vbs

Filesize
483B

MD5
6467d7b90aaaa1bda0424015ad9ccded

SHA1
0b6206e8d50246e9662ff8575033db980025e4af

SHA256
9d652015c0d517bbf1360a088fcde98d4310f6427d085fb2f7ad72e6c0ec3ba5

SHA512
7aa8a9d153596b25ba4f7f037a955fc722fd9b1d86ac67f4d24901bde3a4990efc1d0a09c7ac190169a5904a061dd048a2c3070aa563f3794b3ca41ee149a62a

Download Submit
C:\Users\Default\fontdrvhost.exe

Filesize
1.7MB

MD5
beffc5fde7230b4f1383fff76110f5dc

SHA1
17e4aece3f4bf39d6434fba790807ddd86b46864

SHA256
003894ab578d1eebe4bf9a9c627d86cb2a11d1bf1a53ee83008303e6a14c109c

SHA512
5d44e75e3029a7f08dbc8555040b6862d93bee26abcd0d5d0ae619b6d96ec23c6fe9416dd0fedac1f3064316216b275eb006cbe19864e47d0ca3f5f207bd6166

Download Submit
C:\Users\Public\Music\System.exe

Filesize
1.7MB

MD5
f14afdbf19787f9e3834c7449b63b1b8

SHA1
16d667c761906af550f7b0af3293b0dbc417a9d4

SHA256
1a8cbe903556650086f06022532c05ffdc5a972f1b4f2c4c638d9b1d71a341cf

SHA512
d179bde428562d7c18a05c7163631dadf39a44e496555316816be3e30ecf0ee237e800926927ae67411f89ac0310310a7591363fdffb048f9632e36ad1b34993

Download Submit
memory/2372-18-0x000000001B960000-0x000000001B96C000-memory.dmp

Filesize
48KB

Download
memory/2372-4-0x000000001B6E0000-0x000000001B730000-memory.dmp

Filesize
320KB

Download
memory/2372-71-0x00007FF8470A3000-0x00007FF8470A5000-memory.dmp

Filesize
8KB

Download
memory/2372-0-0x00007FF8470A3000-0x00007FF8470A5000-memory.dmp

Filesize
8KB

Download
memory/2372-14-0x00000000026C0000-0x00000000026CC000-memory.dmp

Filesize
48KB

Download
memory/2372-132-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-22-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-15-0x000000001B830000-0x000000001B83A000-memory.dmp

Filesize
40KB

Download
memory/2372-1-0x0000000000140000-0x0000000000300000-memory.dmp

Filesize
1.8MB

Download
memory/2372-16-0x000000001B840000-0x000000001B84E000-memory.dmp

Filesize
56KB

Download
memory/2372-411-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-13-0x000000001BC60000-0x000000001C188000-memory.dmp

Filesize
5.2MB

Download
memory/2372-19-0x000000001B970000-0x000000001B97C000-memory.dmp

Filesize
48KB

Download
memory/2372-2-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-23-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-107-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-17-0x000000001B850000-0x000000001B858000-memory.dmp

Filesize
32KB

Download
memory/2372-12-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/2372-10-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/2372-9-0x0000000002680000-0x000000000268C000-memory.dmp

Filesize
48KB

Download
memory/2372-8-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/2372-7-0x0000000002650000-0x0000000002666000-memory.dmp

Filesize
88KB

Download
memory/2372-90-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-6-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2372-3-0x0000000002620000-0x000000000263C000-memory.dmp

Filesize
112KB

Download
memory/2372-5-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/2504-419-0x000000001D840000-0x000000001D852000-memory.dmp

Filesize
72KB

Download
memory/3144-490-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/4320-300-0x000001C5C0640000-0x000001C5C0662000-memory.dmp

Filesize
136KB

Download