dcrat | 34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
Size

1.7MB
MD5

588e6b61bedc53cff84d52ded6c201b0
SHA1

48e42d75a1852507a276c6a84f2ab43c750486f0
SHA256

34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6
SHA512

9b91d3c9b442790c16c22b2967fdcde3f6742f42c06304e4e34a6ab93620c6ff0170fddff5d7b447ce95528e4e10dc21cbe975a3b296f08d9d7275dc15c2aa30
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	116	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	116	schtasks.exe	83

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3252-1-0x0000000000830000-0x00000000009F0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023ba7-30.dat	dcrat
behavioral2/files/0x000200000001e75d-105.dat	dcrat
behavioral2/files/0x000b000000023be8-128.dat	dcrat
behavioral2/files/0x000b000000023bc1-212.dat	dcrat
behavioral2/files/0x000d000000023bef-250.dat	dcrat
behavioral2/memory/4296-413-0x0000000000D90000-0x0000000000F50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1536	powershell.exe
4052	powershell.exe
4324	powershell.exe
2772	powershell.exe
2636	powershell.exe
3896	powershell.exe
4840	powershell.exe
3628	powershell.exe
1660	powershell.exe
924	powershell.exe
4904	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 7 IoCs

pid	Process
4296	smss.exe
4920	smss.exe
4620	smss.exe
2036	smss.exe
3716	smss.exe
388	smss.exe
924	smss.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\ea1d8f6d871115	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\7-Zip\e6c9b481da804f	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Crashpad\attachments\fontdrvhost.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\7-Zip\RCX9656.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\7-Zip\OfficeClickToRun.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Crashpad\attachments\fontdrvhost.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\7a0fd90576e088	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\RCX8658.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\RCXA09E.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXA9ED.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\upfc.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Windows Defender\smss.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\c5b4cb5e9653cc	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Windows Defender\smss.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\7-Zip\RCX9655.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\upfc.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\ea1d8f6d871115	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\RCX8669.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCX886E.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX9440.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\RCXA0AE.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Windows Defender\RCX8CA8.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Windows Defender\RCX8D26.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX943F.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\upfc.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\7-Zip\OfficeClickToRun.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\services.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Crashpad\attachments\5b884080fd4f94	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Windows Defender\69ddcba757bf72	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCX886F.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCX9A7F.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\services.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\upfc.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\5b884080fd4f94	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCX9A80.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXAA5B.tmp	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceState\EventLog\Data\winlogon.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
File created	C:\Windows\diagnostics\services.exe	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4956	schtasks.exe
3856	schtasks.exe
2240	schtasks.exe
408	schtasks.exe
1516	schtasks.exe
2288	schtasks.exe
2224	schtasks.exe
5072	schtasks.exe
2052	schtasks.exe
1980	schtasks.exe
2964	schtasks.exe
1376	schtasks.exe
1968	schtasks.exe
2636	schtasks.exe
3268	schtasks.exe
2616	schtasks.exe
3228	schtasks.exe
3016	schtasks.exe
4060	schtasks.exe
2948	schtasks.exe
3424	schtasks.exe
4124	schtasks.exe
1592	schtasks.exe
1432	schtasks.exe
4896	schtasks.exe
2736	schtasks.exe
4052	schtasks.exe
1040	schtasks.exe
1532	schtasks.exe
868	schtasks.exe
112	schtasks.exe
3628	schtasks.exe
4624	schtasks.exe
436	schtasks.exe
716	schtasks.exe
2504	schtasks.exe
1736	schtasks.exe
2772	schtasks.exe
432	schtasks.exe
2388	schtasks.exe
2060	schtasks.exe
2028	schtasks.exe
1092	schtasks.exe
4952	schtasks.exe
4900	schtasks.exe
924	schtasks.exe
3676	schtasks.exe
5000	schtasks.exe
1208	schtasks.exe
636	schtasks.exe
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	4296	smss.exe
Token: SeDebugPrivilege	4920	smss.exe
Token: SeDebugPrivilege	4620	smss.exe
Token: SeDebugPrivilege	2036	smss.exe
Token: SeDebugPrivilege	3716	smss.exe
Token: SeDebugPrivilege	388	smss.exe
Token: SeDebugPrivilege	924	smss.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 3628	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	143
PID 3252 wrote to memory of 3628	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	143
PID 3252 wrote to memory of 4840	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	144
PID 3252 wrote to memory of 4840	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	144
PID 3252 wrote to memory of 2772	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	145
PID 3252 wrote to memory of 2772	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	145
PID 3252 wrote to memory of 3896	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	146
PID 3252 wrote to memory of 3896	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	146
PID 3252 wrote to memory of 4324	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	147
PID 3252 wrote to memory of 4324	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	147
PID 3252 wrote to memory of 4052	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	148
PID 3252 wrote to memory of 4052	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	148
PID 3252 wrote to memory of 1536	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	149
PID 3252 wrote to memory of 1536	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	149
PID 3252 wrote to memory of 2636	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	150
PID 3252 wrote to memory of 2636	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	150
PID 3252 wrote to memory of 4904	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	151
PID 3252 wrote to memory of 4904	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	151
PID 3252 wrote to memory of 924	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	153
PID 3252 wrote to memory of 924	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	153
PID 3252 wrote to memory of 1660	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	154
PID 3252 wrote to memory of 1660	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	154
PID 3252 wrote to memory of 4296	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	167
PID 3252 wrote to memory of 4296	3252	34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe	167
PID 4296 wrote to memory of 2440	4296	smss.exe	171
PID 4296 wrote to memory of 2440	4296	smss.exe	171
PID 4296 wrote to memory of 4652	4296	smss.exe	172
PID 4296 wrote to memory of 4652	4296	smss.exe	172
PID 2440 wrote to memory of 4920	2440	WScript.exe	175
PID 2440 wrote to memory of 4920	2440	WScript.exe	175
PID 4920 wrote to memory of 1656	4920	smss.exe	178
PID 4920 wrote to memory of 1656	4920	smss.exe	178
PID 4920 wrote to memory of 2224	4920	smss.exe	179
PID 4920 wrote to memory of 2224	4920	smss.exe	179
PID 1656 wrote to memory of 4620	1656	WScript.exe	181
PID 1656 wrote to memory of 4620	1656	WScript.exe	181
PID 4620 wrote to memory of 760	4620	smss.exe	183
PID 4620 wrote to memory of 760	4620	smss.exe	183
PID 4620 wrote to memory of 3412	4620	smss.exe	184
PID 4620 wrote to memory of 3412	4620	smss.exe	184
PID 760 wrote to memory of 2036	760	WScript.exe	186
PID 760 wrote to memory of 2036	760	WScript.exe	186
PID 2036 wrote to memory of 5000	2036	smss.exe	188
PID 2036 wrote to memory of 5000	2036	smss.exe	188
PID 2036 wrote to memory of 4508	2036	smss.exe	189
PID 2036 wrote to memory of 4508	2036	smss.exe	189
PID 5000 wrote to memory of 3716	5000	WScript.exe	190
PID 5000 wrote to memory of 3716	5000	WScript.exe	190
PID 3716 wrote to memory of 2664	3716	smss.exe	192
PID 3716 wrote to memory of 2664	3716	smss.exe	192
PID 3716 wrote to memory of 1616	3716	smss.exe	193
PID 3716 wrote to memory of 1616	3716	smss.exe	193
PID 2664 wrote to memory of 388	2664	WScript.exe	194
PID 2664 wrote to memory of 388	2664	WScript.exe	194
PID 388 wrote to memory of 4396	388	smss.exe	196
PID 388 wrote to memory of 4396	388	smss.exe	196
PID 388 wrote to memory of 4624	388	smss.exe	197
PID 388 wrote to memory of 4624	388	smss.exe	197
PID 924 wrote to memory of 3620	924	smss.exe	200
PID 924 wrote to memory of 3620	924	smss.exe	200
PID 924 wrote to memory of 4156	924	smss.exe	201
PID 924 wrote to memory of 4156	924	smss.exe	201

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe
"C:\Users\Admin\AppData\Local\Temp\34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Program Files\Windows Defender\smss.exe
  "C:\Program Files\Windows Defender\smss.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff675f37-b6d2-4e58-9aae-4b4c4715bf30.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Program Files\Windows Defender\smss.exe
      "C:\Program Files\Windows Defender\smss.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de3bd72b-57a5-4993-aa12-e2f52ce3f697.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Program Files\Windows Defender\smss.exe
        
        "C:\Program Files\Windows Defender\smss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d0a4c2a-e644-4fd3-9627-8d970532213a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Program Files\Windows Defender\smss.exe
        
        "C:\Program Files\Windows Defender\smss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32653b5d-d153-4210-8798-6473738c3fa6.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Program Files\Windows Defender\smss.exe
        
        "C:\Program Files\Windows Defender\smss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e20c7f0e-c976-4ff0-bb34-036bf5118c60.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Program Files\Windows Defender\smss.exe
        
        "C:\Program Files\Windows Defender\smss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16196cd0-33c5-48a2-b67c-f1e5487a8fe4.vbs"
        13⤵
        
        PID:4396
        
        C:\Program Files\Windows Defender\smss.exe
        
        "C:\Program Files\Windows Defender\smss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41ddfa9c-af15-4042-a1aa-11c308010914.vbs"
        15⤵
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b3de436-bcd6-4ca2-a169-a87d61c1081e.vbs"
        15⤵
        
        PID:4156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39173706-2155-4132-b60a-4a59a669cb88.vbs"
        13⤵
        
        PID:4624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5576ec04-cc98-4081-bcc6-1e89c9360f5f.vbs"
        11⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00ed3f17-fb1e-4352-a4b2-a95502cddca6.vbs"
        9⤵
        
        PID:4508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34dfbb67-d7fd-4088-b8e5-5516d89b0352.vbs"
        7⤵
        
        PID:3412
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22528f35-e5c1-4774-8502-f35f81b6d390.vbs"
        5⤵
        
        PID:2224
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9795dae8-fd0c-4c0e-b070-3c5ef684a363.vbs"
    3⤵
    PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\123.0.6312.123\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\attachments\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\attachments\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\7-Zip\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft OneDrive\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft OneDrive\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe

Filesize
1.7MB

MD5
c6c3f64a14a562cfefc64f8b215569ce

SHA1
d323518d352808d519227b2d45520659f499ffc1

SHA256
11baae27dcc46ea206a6985a0f476d8367ed7bc8902ac6c5ac528c379201e9f1

SHA512
0f788ff90021d59f49e9537c529fdd7ee145a81614fd63bda5fee83cba2c164b2956510347984c975cce3dcc4c280b9c9fbe9e6413b226f9a13203b74e33c89d

Download Submit
C:\Program Files\Windows Defender\smss.exe

Filesize
1.7MB

MD5
b7b66b49f01fe734f409a308df462a07

SHA1
2b16286cf9e5179262c09ea0b02037ee396b8b6f

SHA256
91488a4237e7ff8e3db742822d70d1e03a5004164c9ed8d56cee9d53fc211efb

SHA512
d21dd8b93823514f794950c94d76ea8bf7569bfd319d8f8f140a5519ccc5cefaf2f338332a715bf89147537d5b10c0ee13a807914e4aca93665cd9fe882d294d

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.7MB

MD5
588e6b61bedc53cff84d52ded6c201b0

SHA1
48e42d75a1852507a276c6a84f2ab43c750486f0

SHA256
34ae6dd84f3f38d8e03e76c28b3ab734a8b806f6f5544b7d42ce14e1775463f6

SHA512
9b91d3c9b442790c16c22b2967fdcde3f6742f42c06304e4e34a6ab93620c6ff0170fddff5d7b447ce95528e4e10dc21cbe975a3b296f08d9d7275dc15c2aa30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\32653b5d-d153-4210-8798-6473738c3fa6.vbs

Filesize
718B

MD5
20bbe9ce1b645ba98552700551913156

SHA1
670f7e03e5fbe076532cf1e4b7ef12aced2cdc66

SHA256
28e6ff3571679bde1ff9e95d9d18f214d16366cffc2c6802a175e189550588a7

SHA512
5b0647b6f66674d93ace9d6563443c1c48272a801ff53111b54ab59c650094e07921bdfc6e4aa0762eae70e2b4e80bdb21956bce3e41851814b4a8287851bb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\41ddfa9c-af15-4042-a1aa-11c308010914.vbs

Filesize
717B

MD5
5c91190823e1d9ca4f3cfab7b3873640

SHA1
a8915711a24f5407acec7e91e214362dfddeab3e

SHA256
9e6a936a58b229e4b57e29feb89776e6b30f6bbac84de39aeb0e2d6ee5f2e391

SHA512
ce137113d5e55a1bd8dda3ddf0f2ec2fda36f25eccf98af50f29f7f8eaaa78cb254772be6d5273ede3e329a276a5d7421b8f343d911abe2e3bb22add9e5d9b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d0a4c2a-e644-4fd3-9627-8d970532213a.vbs

Filesize
718B

MD5
39e2a359e12a8cb872eb640cf64b0123

SHA1
4afd07c312e5e74f2f6580f1185be069389d7c57

SHA256
e0306878cea9d44d24a5de92e36d1860ed186b73333bdfda1677eb3d9979854f

SHA512
39f6df4faeb79f8f4cfba437dda5deabe3714e5378251cd8536a5c25b8963b16aad47735516d6ac9e91f89b25ea457a3d57df8743dbdb420426a7caaacadc8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\9795dae8-fd0c-4c0e-b070-3c5ef684a363.vbs

Filesize
494B

MD5
cf0a78bc36f0f029aa3c4cbc1e5abf11

SHA1
767c828582a12dfc962264c5504a19f784476b73

SHA256
a3b21b0bad461470d013e923fc891e0e596f1df44d313d4f631fe1f2f3d93b9d

SHA512
7cf92d995cecd2d3059f447aea7cb097e4cbd500cd2b6a66974ebe5264a8bed9b981814dca60e7fe0a350f768b962ce56a37e0f07c963c640e55b76b8de04384

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54byhy52.5yw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\de3bd72b-57a5-4993-aa12-e2f52ce3f697.vbs

Filesize
718B

MD5
13fb22bc344754c32100282d6ff95117

SHA1
729708414b9af600f85391235f5d198f1738cab5

SHA256
88200ad339087da2ced3eba1ccc617ebcdcd120071277b690edef9e2f9dcd9c5

SHA512
4fef882487221ef9c019cc9b7e1d6d81737985e326b0f179d7c2f43eac3472723c1eefc9a0e1b00c6bda35c81050a04b38b0a27378cb30cb81934c3284631226

Download Submit
C:\Users\Admin\AppData\Local\Temp\e20c7f0e-c976-4ff0-bb34-036bf5118c60.vbs

Filesize
718B

MD5
0cefb78fcb48abcf7fc8fa41ac910dfe

SHA1
0597c278f156ab9f709d5b7e12ff6b5cbaeedd5b

SHA256
6007f64d378aa2e72c6095acff0ab45c2c06dcebc041d57f51d4a380aed1cd3b

SHA512
1af6beaf32be6ec76c77debbb6c81f8f14d520b09b9ac612393f52c98be1aba78c900b11535fffdeaf10dc661e57a057a53b814b2860f2234c27d9f723c83403

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff675f37-b6d2-4e58-9aae-4b4c4715bf30.vbs

Filesize
718B

MD5
e91e99f7717cfe53e671938d5bfbc6a3

SHA1
c3e19b05728c9ff0ff34a3e1a053d4aea351aa58

SHA256
af42a45497d7ccc4e2222b105fd10191c658268166d768ce2f892122e69f1892

SHA512
e639f452df9de18a00963cc31b86483b41079369f5b07c1517ad6ac7f78fab1b8859808e76b7141ea1ec2746ba96041574145eec6655d35302558e9ec5fc4699

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\fontdrvhost.exe

Filesize
1.7MB

MD5
01a1cb4d8a1deea2d7385f05f0615680

SHA1
0ecf723810a9a6855b4a6b60d45f84bf4ff16434

SHA256
d3cd0f7e4bc988af3dc12b83073e445847222814131178461df17abdcd17c143

SHA512
d4d0cf6509f2dcaa3cbb127ac2f2ca852b88c791dc4b096a397b2ee6b06edc1be8c1857d85b82e29408d5b4add02c83ed14ef03f6537ae665560d00444db4912

Download Submit
C:\Users\Public\Pictures\dllhost.exe

Filesize
1.7MB

MD5
53a27694135f0631ff66d2658b0331e3

SHA1
9cf72383ffebe72c6486e1d85df32c84d0ab3f73

SHA256
4f7f696d5913829c4a65612b8c1ed1ed8cb36a90abab44cc6de2fbe4f892b55b

SHA512
db3e70d91cecbd7bb9d9ad74bf9e8da4446033dc2e7d9d2bd7d2b22b0f3befb2d014bf213fdefbcddf6da25756d33680fc45477d3948b17b559b53b7316584d8

Download Submit
memory/3252-13-0x000000001C240000-0x000000001C768000-memory.dmp

Filesize
5.2MB

Download
memory/3252-4-0x000000001B580000-0x000000001B5D0000-memory.dmp

Filesize
320KB

Download
memory/3252-167-0x00007FFA38393000-0x00007FFA38395000-memory.dmp

Filesize
8KB

Download
memory/3252-192-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/3252-22-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/3252-217-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/3252-14-0x000000001BD10000-0x000000001BD1C000-memory.dmp

Filesize
48KB

Download
memory/3252-16-0x000000001BF30000-0x000000001BF3E000-memory.dmp

Filesize
56KB

Download
memory/3252-1-0x0000000000830000-0x00000000009F0000-memory.dmp

Filesize
1.8MB

Download
memory/3252-2-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/3252-414-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/3252-3-0x0000000002A60000-0x0000000002A7C000-memory.dmp

Filesize
112KB

Download
memory/3252-19-0x000000001BFA0000-0x000000001BFAC000-memory.dmp

Filesize
48KB

Download
memory/3252-17-0x000000001BF40000-0x000000001BF48000-memory.dmp

Filesize
32KB

Download
memory/3252-18-0x000000001BF50000-0x000000001BF5C000-memory.dmp

Filesize
48KB

Download
memory/3252-15-0x000000001BF20000-0x000000001BF2A000-memory.dmp

Filesize
40KB

Download
memory/3252-0-0x00007FFA38393000-0x00007FFA38395000-memory.dmp

Filesize
8KB

Download
memory/3252-12-0x000000001B5D0000-0x000000001B5E2000-memory.dmp

Filesize
72KB

Download
memory/3252-10-0x000000001B570000-0x000000001B578000-memory.dmp

Filesize
32KB

Download
memory/3252-9-0x000000001B560000-0x000000001B56C000-memory.dmp

Filesize
48KB

Download
memory/3252-7-0x000000001B530000-0x000000001B546000-memory.dmp

Filesize
88KB

Download
memory/3252-8-0x000000001B550000-0x000000001B560000-memory.dmp

Filesize
64KB

Download
memory/3252-23-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/3252-6-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3252-5-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/4296-415-0x000000001D3F0000-0x000000001D402000-memory.dmp

Filesize
72KB

Download
memory/4296-413-0x0000000000D90000-0x0000000000F50000-memory.dmp

Filesize
1.8MB

Download
memory/4324-311-0x00000266B31D0000-0x00000266B31F2000-memory.dmp

Filesize
136KB

Download
memory/4920-451-0x000000001BF10000-0x000000001BF22000-memory.dmp

Filesize
72KB

Download