dcrat | 434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Size

1.7MB
MD5

88bc360785b47c484011f5eaf67735a2
SHA1

1e868cecddcd99d570efa98d7966a5284d36b2c7
SHA256

434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa
SHA512

c52eae6960c1e499d569a35c961676897738ee844fb557bb46aa6e94f301b3b9305093d5389f3a1d70191c69e4591ce1a12a3e7581f5fe0813b388ca2d5d3509
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	4032	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	4032	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3536-1-0x00000000004C0000-0x0000000000680000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b9d-30.dat	dcrat
behavioral2/files/0x005b000000023ba6-61.dat	dcrat
behavioral2/files/0x000b000000023b9a-95.dat	dcrat
behavioral2/files/0x000c000000023b9d-106.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
2308	powershell.exe
3848	powershell.exe
2100	powershell.exe
3720	powershell.exe
2860	powershell.exe
2476	powershell.exe
3988	powershell.exe
1080	powershell.exe
372	powershell.exe
3756	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 10 IoCs

pid	Process
1636	lsass.exe
2036	lsass.exe
3008	lsass.exe
2892	lsass.exe
4692	lsass.exe
1608	lsass.exe
2568	lsass.exe
4932	lsass.exe
1572	lsass.exe
2744	lsass.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\backgroundTaskHost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Windows Defender\ja-JP\lsass.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Windows Defender\ja-JP\6203df4a6bafc7	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCX8BE9.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\explorer.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\RCX9295.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX9596.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Internet Explorer\fr-FR\explorer.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\Internet Explorer\fr-FR\7a0fd90576e088	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\RCX9313.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\lsass.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\eddb19405b7ce1	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX9528.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCX8B7B.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\backgroundTaskHost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\INF\wsearchidxpi\fontdrvhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\fontdrvhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\INF\wsearchidxpi\5b884080fd4f94	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\RCX8927.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\INF\wsearchidxpi\RCX8938.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4976	schtasks.exe
4928	schtasks.exe
1908	schtasks.exe
4768	schtasks.exe
400	schtasks.exe
4576	schtasks.exe
756	schtasks.exe
5072	schtasks.exe
1444	schtasks.exe
2456	schtasks.exe
1936	schtasks.exe
4956	schtasks.exe
1540	schtasks.exe
2060	schtasks.exe
2220	schtasks.exe
2984	schtasks.exe
2344	schtasks.exe
2796	schtasks.exe
2144	schtasks.exe
2724	schtasks.exe
3976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2308	powershell.exe
2308	powershell.exe
3848	powershell.exe
3848	powershell.exe
2816	powershell.exe
2816	powershell.exe
3988	powershell.exe
3988	powershell.exe
3756	powershell.exe
1080	powershell.exe
3756	powershell.exe
1080	powershell.exe
2100	powershell.exe
2100	powershell.exe
2860	powershell.exe
2860	powershell.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2476	powershell.exe
2476	powershell.exe
372	powershell.exe
372	powershell.exe
3720	powershell.exe
3720	powershell.exe
2476	powershell.exe
3848	powershell.exe
2308	powershell.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
3988	powershell.exe
3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
1080	powershell.exe
3756	powershell.exe
2860	powershell.exe
372	powershell.exe
2816	powershell.exe
3720	powershell.exe
2100	powershell.exe
1636	lsass.exe
1636	lsass.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1636	lsass.exe
Token: SeDebugPrivilege	2036	lsass.exe
Token: SeDebugPrivilege	3008	lsass.exe
Token: SeDebugPrivilege	2892	lsass.exe
Token: SeDebugPrivilege	4692	lsass.exe
Token: SeDebugPrivilege	1608	lsass.exe
Token: SeDebugPrivilege	2568	lsass.exe
Token: SeDebugPrivilege	4932	lsass.exe
Token: SeDebugPrivilege	1572	lsass.exe
Token: SeDebugPrivilege	2744	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 2476	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	106
PID 3536 wrote to memory of 2476	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	106
PID 3536 wrote to memory of 2816	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	107
PID 3536 wrote to memory of 2816	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	107
PID 3536 wrote to memory of 2308	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	108
PID 3536 wrote to memory of 2308	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	108
PID 3536 wrote to memory of 3848	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	109
PID 3536 wrote to memory of 3848	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	109
PID 3536 wrote to memory of 3988	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	110
PID 3536 wrote to memory of 3988	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	110
PID 3536 wrote to memory of 1080	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	111
PID 3536 wrote to memory of 1080	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	111
PID 3536 wrote to memory of 372	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	112
PID 3536 wrote to memory of 372	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	112
PID 3536 wrote to memory of 3756	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	113
PID 3536 wrote to memory of 3756	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	113
PID 3536 wrote to memory of 2100	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	114
PID 3536 wrote to memory of 2100	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	114
PID 3536 wrote to memory of 3720	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	115
PID 3536 wrote to memory of 3720	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	115
PID 3536 wrote to memory of 2860	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	116
PID 3536 wrote to memory of 2860	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	116
PID 3536 wrote to memory of 1636	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	128
PID 3536 wrote to memory of 1636	3536	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	128
PID 1636 wrote to memory of 3096	1636	lsass.exe	130
PID 1636 wrote to memory of 3096	1636	lsass.exe	130
PID 1636 wrote to memory of 2464	1636	lsass.exe	131
PID 1636 wrote to memory of 2464	1636	lsass.exe	131
PID 3096 wrote to memory of 2036	3096	WScript.exe	143
PID 3096 wrote to memory of 2036	3096	WScript.exe	143
PID 2036 wrote to memory of 4504	2036	lsass.exe	145
PID 2036 wrote to memory of 4504	2036	lsass.exe	145
PID 2036 wrote to memory of 1868	2036	lsass.exe	146
PID 2036 wrote to memory of 1868	2036	lsass.exe	146
PID 4504 wrote to memory of 3008	4504	WScript.exe	150
PID 4504 wrote to memory of 3008	4504	WScript.exe	150
PID 3008 wrote to memory of 3884	3008	lsass.exe	152
PID 3008 wrote to memory of 3884	3008	lsass.exe	152
PID 3008 wrote to memory of 3612	3008	lsass.exe	153
PID 3008 wrote to memory of 3612	3008	lsass.exe	153
PID 3884 wrote to memory of 2892	3884	WScript.exe	155
PID 3884 wrote to memory of 2892	3884	WScript.exe	155
PID 2892 wrote to memory of 4944	2892	lsass.exe	157
PID 2892 wrote to memory of 4944	2892	lsass.exe	157
PID 2892 wrote to memory of 4272	2892	lsass.exe	158
PID 2892 wrote to memory of 4272	2892	lsass.exe	158
PID 4944 wrote to memory of 4692	4944	WScript.exe	160
PID 4944 wrote to memory of 4692	4944	WScript.exe	160
PID 4692 wrote to memory of 4804	4692	lsass.exe	162
PID 4692 wrote to memory of 4804	4692	lsass.exe	162
PID 4692 wrote to memory of 4856	4692	lsass.exe	163
PID 4692 wrote to memory of 4856	4692	lsass.exe	163
PID 4804 wrote to memory of 1608	4804	WScript.exe	164
PID 4804 wrote to memory of 1608	4804	WScript.exe	164
PID 1608 wrote to memory of 740	1608	lsass.exe	166
PID 1608 wrote to memory of 740	1608	lsass.exe	166
PID 1608 wrote to memory of 2064	1608	lsass.exe	167
PID 1608 wrote to memory of 2064	1608	lsass.exe	167
PID 740 wrote to memory of 2568	740	WScript.exe	168
PID 740 wrote to memory of 2568	740	WScript.exe	168
PID 2568 wrote to memory of 3860	2568	lsass.exe	170
PID 2568 wrote to memory of 3860	2568	lsass.exe	170
PID 2568 wrote to memory of 1196	2568	lsass.exe	171
PID 2568 wrote to memory of 1196	2568	lsass.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
"C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Recovery\WindowsRE\lsass.exe
  "C:\Recovery\WindowsRE\lsass.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad2b36ac-7b4d-42eb-a0c6-83a39e80d262.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Recovery\WindowsRE\lsass.exe
      C:\Recovery\WindowsRE\lsass.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d700a94c-74f1-4530-a97c-d492c845d4cd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd24e584-3083-4c3f-bb07-88eeaaea8ea0.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c3a551f-ca33-4d5e-bc48-fd7258739fa8.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d65061-c962-4da3-8c17-45b78e9d3ed7.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a05c21b-9888-407a-b84c-f23590748de0.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f66ff228-e9c5-408b-a7ee-6c46c7cb2564.vbs"
        15⤵
        
        PID:3860
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfd33868-2330-4efe-812d-21587f0faf2b.vbs"
        17⤵
        
        PID:784
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a7da115-635d-4466-ace1-fd809074ae32.vbs"
        19⤵
        
        PID:4288
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2076dc5-0c52-47a3-b125-aa68be0d4a9e.vbs"
        21⤵
        
        PID:3808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b951cea9-d639-4c64-ac15-63f772073319.vbs"
        21⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab65284c-ffea-48c3-a7ca-d0d21e8b431e.vbs"
        19⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae3b248d-55b1-4add-945a-4872cb4ccedb.vbs"
        17⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9b42e69-eed4-44b0-b411-11ffcb4d6a5f.vbs"
        15⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5d2647b-be7c-4109-9000-0a630cdae061.vbs"
        13⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2dd22c6-a520-4728-b238-e555f42235c9.vbs"
        11⤵
        
        PID:4856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\152c11e1-f90e-47be-b7fa-429fd4be5b99.vbs"
        9⤵
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3155414-ffe1-44c6-afc4-200401b779f1.vbs"
        7⤵
        
        PID:3612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91b4c82f-5d05-4d39-b4a4-20e082a14e9e.vbs"
        5⤵
        
        PID:1868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c704ada-895e-449c-af75-88e8573638ad.vbs"
    3⤵
    PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\wsearchidxpi\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\INF\wsearchidxpi\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\wsearchidxpi\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-940901362-3608833189-1915618603-1000\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-940901362-3608833189-1915618603-1000\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-940901362-3608833189-1915618603-1000\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\fr-FR\explorer.exe

Filesize
1.7MB

MD5
2583ef55040b38df32fb9504cd2af20e

SHA1
070eb32eb3c6da7991a9b62555257bb347a6f59f

SHA256
bf5b739ec2dcec8a3b29b073c928f1971a2ad7b0b9691574f20661b05727bebd

SHA512
d743339675bf881aefab658292167e84c29cac96ac196d7713b50834d68f3f6c135d646ab17fe97519ad0364a4f94fced699518b80c1e9f065c0e07de464cb9c

Download Submit
C:\Program Files\Windows Defender\ja-JP\lsass.exe

Filesize
1.7MB

MD5
0ccf03c529103a38411e0ad665b74d04

SHA1
b5a36aefebb70c9a7b067de2100893d6571d492e

SHA256
a530a6cf840dc93022faf9154418c73142002497b54426fb3f67c95ecc2398c1

SHA512
3a41bdb2481cad8a02b0119b71a01631f3323f5430b064ba46b355b2f286a0a662f93ce9ed64d555224a379b9d8433946dcd8302a1905dfcc3da5c7afd171d46

Download Submit
C:\Program Files\WindowsPowerShell\Configuration\Schema\backgroundTaskHost.exe

Filesize
1.7MB

MD5
88bc360785b47c484011f5eaf67735a2

SHA1
1e868cecddcd99d570efa98d7966a5284d36b2c7

SHA256
434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa

SHA512
c52eae6960c1e499d569a35c961676897738ee844fb557bb46aa6e94f301b3b9305093d5389f3a1d70191c69e4591ce1a12a3e7581f5fe0813b388ca2d5d3509

Download Submit
C:\Program Files\WindowsPowerShell\Configuration\Schema\backgroundTaskHost.exe

Filesize
1.7MB

MD5
ab3df0163712126f94e6884c91ce6125

SHA1
ac55070847ed15ef196bc9b4b2da4799c6535725

SHA256
92315f25dbcacdf825b5d8928eb6534ac9a7f5925dc8ff1cbddfbe583bcb64e5

SHA512
2ce7952e481ffab3f652a26b278dc847b77f3c75cf43e7995baad34e68d0ac70badaae9b968d8362bc314795ed5dc1755cf29cea3e054dc884c229d9d3b094c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a05c21b-9888-407a-b84c-f23590748de0.vbs

Filesize
707B

MD5
b31ad067ec98f0118ef8d6b12b29626d

SHA1
69b3867b5adb0ba0ff3cb2eebe68da3cc97ccd46

SHA256
de396c855691bfd7400182cac2c6aa71079067b8b71230a235589831a66b384a

SHA512
8cd8e202cdbad5bab2fac48b6f61031b59ba054db599e7eaa339a4a5ee8a577cad6076fe2d980560fcb1469024de5322c1ce1420626005b93e9fc5237817ac8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a7da115-635d-4466-ace1-fd809074ae32.vbs

Filesize
707B

MD5
bf0519052da70c0517be333173a5cd34

SHA1
85b448bc2389e865d299809e1169ea48266d5427

SHA256
f130836c69ed6eade29345c19f7d9b2b9159aca55f5d0710a7993488447a942a

SHA512
88faf4fadc329fafd67e14a2b370059e1c79723a25e1cb280828cc7ea3a832e202361fb8010ff264577c4a2ae2eaf620feeacf6637fbb9c05121e24dfd3182fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c704ada-895e-449c-af75-88e8573638ad.vbs

Filesize
483B

MD5
9054e22e8feefba45e9fda24a7149453

SHA1
e59b1b5878054c990e77a06c79db0d9245665ccc

SHA256
0bc5844991123cc321ead38a3c86cc792b7538021e244ce5fc8a08a6f9008efe

SHA512
ca26230912aee3cee9369f29925193db2128258d6a1cef50c94734b2a3eb6b41f8a4f6c5421c075bec8dd80e0ca98609f42dd0a0d0cc0a3dc4464e34d1760b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c3a551f-ca33-4d5e-bc48-fd7258739fa8.vbs

Filesize
707B

MD5
96703092169a6979dfc52e4933f74768

SHA1
b8ff7de18cd18687ee0cf3aea4139268e8eb68f0

SHA256
a61f8a1e1fb21301ac1c3d5ecf6589f6b3e0237c7222c270f6d8105cb88614e3

SHA512
cc556116a1d4b78e5fc3637e448703dca13014f788937bbe62ea46d178b2d61d6dccac3542a2979524dcb42d4ce2822d66f1406799407d6690d883f23d565ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45yjsyrj.dwi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2076dc5-0c52-47a3-b125-aa68be0d4a9e.vbs

Filesize
707B

MD5
703f9fee7a5a177a59947c088e855e3a

SHA1
cfe2ededf40702284c379141e061d34a9bf7716f

SHA256
a6d9949664f612c009e06f26da721fe0f6a5dc885e273a6e2c70119e7a91aa78

SHA512
91785f8f1aaef5c0dd31f6a7e2a4a358132ee55b4fcf31573aa7737aa59e83bd17eb35547081bda8d11177ca5b129759f2516fed58ce78abbd27ba57126be8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad2b36ac-7b4d-42eb-a0c6-83a39e80d262.vbs

Filesize
707B

MD5
8f616df9c7ba55448b88296ddf19edb7

SHA1
8e3f3c1fa25a0705cc8274ce1dfbbb25044be55b

SHA256
9b85dab26eff6a9f9e51daf84e1d7715b8d6b7dcca1ad8f38ed0bda2adc6146d

SHA512
b640d6dcc9641543a9242b4fd0edd67cad5cdc691aa19edd0354550b5bf41bb34e8000e57d6da6162b15ae469e0afd4fa41741718f36a23718a298462d5b31cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5d65061-c962-4da3-8c17-45b78e9d3ed7.vbs

Filesize
707B

MD5
0f3589ead211faa99ac5729319531e7b

SHA1
ddc1d5dd434680f5c7780e7b77c13fe7adac5e5e

SHA256
7a41ae03f8a5788c2c0ccdb4f6c819a99b84cdc7d25ec53e74e6d405b34383d5

SHA512
288e3d1c6756945a738def8d721a889e9a6b35f266fd79273a81fda2ed88ddc10c355b9dc633d60d7782bfb2f516449cb128fe46bcb2464c24fd46be88500e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfd33868-2330-4efe-812d-21587f0faf2b.vbs

Filesize
707B

MD5
276e1b5ab9249158638256c1a1966a10

SHA1
94d98c1c2435f41111d393f183e9db1dc14aab64

SHA256
05727e114fe36396a5a9d698bc85a816ba215bc5706935a78366e06d7022fcae

SHA512
61fbaa533d863d87e6e71c14dab854d1e56844aa08c3973d5bafda887c1942e060a9df9f5e4568f975cfc80e8fd2c5d0c69a26acce29bc5fdb9da197325eee08

Download Submit
C:\Users\Admin\AppData\Local\Temp\d700a94c-74f1-4530-a97c-d492c845d4cd.vbs

Filesize
707B

MD5
ce7f22773b8a3293cd8d2d8df8a0b4f6

SHA1
7a69987db038e5f9cc001b6da81602006ceaa483

SHA256
bd350f9e52ad8242e68f8700bf811111d64d4624acab411ccf0f8e3037747b41

SHA512
fd8914fb0dc3946a92d30ff0393be7339bd16edfc526c14bb131a4600a5e0b57080587edd665987deb8f9d31c60d4841ee5f63dd4ed944214fadc226a318fa89

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd24e584-3083-4c3f-bb07-88eeaaea8ea0.vbs

Filesize
707B

MD5
78d0ab064b2fde51689d91ae65576381

SHA1
e1f3295e00d854be031843cab106c6f60b6925b3

SHA256
711b065667c65e38e6341efb32121f07e8b63d603a58de7ed169d74ed4a8c5ca

SHA512
b80213b232a962cc09e7d9ebc0edfc0408a390bad5818f8d09c5ced923763f793b89a849cc08b175938bd390683c7aa654494de060e8f8d36970427f28dabdc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f66ff228-e9c5-408b-a7ee-6c46c7cb2564.vbs

Filesize
707B

MD5
01be357ac519973b91ece6682e873ba7

SHA1
68d75956c1783e901f7b63c8d3040b9b95ee1ff4

SHA256
4dac8024f90c6e825c1ab802f650060b5883005c0d8d236af0f531969d0b29fb

SHA512
5669927deb349c45fd928e30bbd84aa7e1160be76e92f2719bf160a9ef44f41aa44ff6f83b58658be3669edc38e07d5b5742b66c49f558c89119daef6df2acc2

Download Submit
memory/3536-22-0x00007FF99D840000-0x00007FF99E301000-memory.dmp

Filesize
10.8MB

Download
memory/3536-23-0x00007FF99D840000-0x00007FF99E301000-memory.dmp

Filesize
10.8MB

Download
memory/3536-6-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/3536-12-0x000000001B970000-0x000000001B982000-memory.dmp

Filesize
72KB

Download
memory/3536-8-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/3536-277-0x00007FF99D843000-0x00007FF99D845000-memory.dmp

Filesize
8KB

Download
memory/3536-281-0x00007FF99D840000-0x00007FF99E301000-memory.dmp

Filesize
10.8MB

Download
memory/3536-5-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/3536-4-0x0000000002840000-0x0000000002890000-memory.dmp

Filesize
320KB

Download
memory/3536-3-0x0000000002790000-0x00000000027AC000-memory.dmp

Filesize
112KB

Download
memory/3536-2-0x00007FF99D840000-0x00007FF99E301000-memory.dmp

Filesize
10.8MB

Download
memory/3536-0-0x00007FF99D843000-0x00007FF99D845000-memory.dmp

Filesize
8KB

Download
memory/3536-9-0x0000000002800000-0x000000000280C000-memory.dmp

Filesize
48KB

Download
memory/3536-7-0x00000000027D0000-0x00000000027E6000-memory.dmp

Filesize
88KB

Download
memory/3536-1-0x00000000004C0000-0x0000000000680000-memory.dmp

Filesize
1.8MB

Download
memory/3536-10-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/3536-19-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/3536-15-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/3536-16-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/3536-17-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/3536-18-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/3536-13-0x000000001BED0000-0x000000001C3F8000-memory.dmp

Filesize
5.2MB

Download
memory/3536-14-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

Filesize
48KB

Download
memory/3848-178-0x00000260C0930000-0x00000260C0952000-memory.dmp

Filesize
136KB

Download
memory/4932-383-0x000000001D140000-0x000000001D152000-memory.dmp

Filesize
72KB

Download