dcrat | 114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Size

1.7MB
MD5

4dec414f4409cea7c8b90fd730649803
SHA1

46ed1cf8ddcf4736aba57c1f46cacbaec2c09ecb
SHA256

114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c
SHA512

c9674bed0a92ea973c7b7b6cc2812c7dadf390c3a18cff0dca9b658760fe6b4015141ff93a7b0df7bdd2cc90bbe3c8077388db493831ee0385b6a4025689e573
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	876	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	876	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2736-1-0x0000000000AE0000-0x0000000000CA0000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c05-30.dat	dcrat
behavioral2/files/0x0009000000023c68-61.dat	dcrat
behavioral2/files/0x0015000000023ba9-154.dat	dcrat
behavioral2/files/0x0011000000023bfb-203.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4300	powershell.exe
4292	powershell.exe
4900	powershell.exe
4592	powershell.exe
2752	powershell.exe
4688	powershell.exe
3676	powershell.exe
4448	powershell.exe
1504	powershell.exe
4964	powershell.exe
808	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Executes dropped EXE 9 IoCs

pid	Process
1972	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2068	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
3444	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2740	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1908	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
224	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
4960	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1032	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
3836	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\sihost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\sihost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXCB1C.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Microsoft Office\Updates\66fc9ff0ee96c2	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXB481.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\RCXC1EB.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Crashpad\reports\spoolsv.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXB26D.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\backgroundTaskHost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Crashpad\reports\f3b6ecef712a24	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\backgroundTaskHost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\eddb19405b7ce1	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXB25C.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXB492.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Crashpad\reports\spoolsv.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\RCXC259.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXCA9E.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Google\Chrome\Application\55b276f4edf653	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\dllhost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\DigitalLocker\en-US\winlogon.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\Performance\WinSAT\RCXC888.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\Performance\WinSAT\RCXC889.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\DiagTrack\Settings\96a467520d05ca	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\Performance\WinSAT\5940a34987c991	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\DiagTrack\Settings\RCXB714.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\winlogon.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\Performance\WinSAT\dllhost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\DigitalLocker\en-US\cc11b995f2a76d	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\DiagTrack\Settings\RCXB713.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXC45E.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXC45F.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3260	schtasks.exe
4484	schtasks.exe
2816	schtasks.exe
2456	schtasks.exe
4800	schtasks.exe
1316	schtasks.exe
2056	schtasks.exe
624	schtasks.exe
2828	schtasks.exe
4216	schtasks.exe
4948	schtasks.exe
4872	schtasks.exe
4728	schtasks.exe
3564	schtasks.exe
3636	schtasks.exe
1956	schtasks.exe
312	schtasks.exe
4000	schtasks.exe
1688	schtasks.exe
4436	schtasks.exe
2636	schtasks.exe
4604	schtasks.exe
3784	schtasks.exe
224	schtasks.exe
1580	schtasks.exe
3148	schtasks.exe
3448	schtasks.exe
4952	schtasks.exe
764	schtasks.exe
1968	schtasks.exe
4876	schtasks.exe
3460	schtasks.exe
1604	schtasks.exe
4736	schtasks.exe
3064	schtasks.exe
2188	schtasks.exe
2180	schtasks.exe
4312	schtasks.exe
4068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
4592	powershell.exe
4592	powershell.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
4292	powershell.exe
4292	powershell.exe
2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
4300	powershell.exe
4300	powershell.exe
4964	powershell.exe
4964	powershell.exe
1504	powershell.exe
1504	powershell.exe
2752	powershell.exe
2752	powershell.exe
808	powershell.exe
808	powershell.exe
4292	powershell.exe
4448	powershell.exe
4448	powershell.exe
808	powershell.exe
3676	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	1972	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	2068	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	3444	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	2740	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	1908	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	224	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	4960	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	1032	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	3836	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2752	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	124
PID 2736 wrote to memory of 2752	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	124
PID 2736 wrote to memory of 1504	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	125
PID 2736 wrote to memory of 1504	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	125
PID 2736 wrote to memory of 4964	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	126
PID 2736 wrote to memory of 4964	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	126
PID 2736 wrote to memory of 4592	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	127
PID 2736 wrote to memory of 4592	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	127
PID 2736 wrote to memory of 808	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	128
PID 2736 wrote to memory of 808	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	128
PID 2736 wrote to memory of 4900	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	129
PID 2736 wrote to memory of 4900	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	129
PID 2736 wrote to memory of 4292	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	130
PID 2736 wrote to memory of 4292	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	130
PID 2736 wrote to memory of 4300	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	131
PID 2736 wrote to memory of 4300	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	131
PID 2736 wrote to memory of 4448	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	132
PID 2736 wrote to memory of 4448	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	132
PID 2736 wrote to memory of 3676	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	133
PID 2736 wrote to memory of 3676	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	133
PID 2736 wrote to memory of 4688	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	134
PID 2736 wrote to memory of 4688	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	134
PID 2736 wrote to memory of 1972	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	146
PID 2736 wrote to memory of 1972	2736	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	146
PID 1972 wrote to memory of 112	1972	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	150
PID 1972 wrote to memory of 112	1972	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	150
PID 1972 wrote to memory of 1768	1972	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	151
PID 1972 wrote to memory of 1768	1972	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	151
PID 112 wrote to memory of 2068	112	WScript.exe	163
PID 112 wrote to memory of 2068	112	WScript.exe	163
PID 2068 wrote to memory of 4092	2068	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	166
PID 2068 wrote to memory of 4092	2068	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	166
PID 2068 wrote to memory of 4624	2068	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	167
PID 2068 wrote to memory of 4624	2068	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	167
PID 4092 wrote to memory of 3444	4092	WScript.exe	169
PID 4092 wrote to memory of 3444	4092	WScript.exe	169
PID 3444 wrote to memory of 4084	3444	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	171
PID 3444 wrote to memory of 4084	3444	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	171
PID 3444 wrote to memory of 1580	3444	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	172
PID 3444 wrote to memory of 1580	3444	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	172
PID 4084 wrote to memory of 2740	4084	WScript.exe	173
PID 4084 wrote to memory of 2740	4084	WScript.exe	173
PID 2740 wrote to memory of 4344	2740	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	175
PID 2740 wrote to memory of 4344	2740	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	175
PID 2740 wrote to memory of 2472	2740	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	176
PID 2740 wrote to memory of 2472	2740	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	176
PID 4344 wrote to memory of 1908	4344	WScript.exe	177
PID 4344 wrote to memory of 1908	4344	WScript.exe	177
PID 1908 wrote to memory of 3692	1908	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	179
PID 1908 wrote to memory of 3692	1908	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	179
PID 1908 wrote to memory of 4508	1908	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	180
PID 1908 wrote to memory of 4508	1908	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	180
PID 3692 wrote to memory of 224	3692	WScript.exe	182
PID 3692 wrote to memory of 224	3692	WScript.exe	182
PID 224 wrote to memory of 112	224	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	184
PID 224 wrote to memory of 112	224	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	184
PID 224 wrote to memory of 4968	224	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	185
PID 224 wrote to memory of 4968	224	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	185
PID 112 wrote to memory of 4960	112	WScript.exe	187
PID 112 wrote to memory of 4960	112	WScript.exe	187
PID 4960 wrote to memory of 4324	4960	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	189
PID 4960 wrote to memory of 4324	4960	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	189
PID 4960 wrote to memory of 2968	4960	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	190
PID 4960 wrote to memory of 2968	4960	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	190

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
"C:\Users\Admin\AppData\Local\Temp\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
  "C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb2c992a-6cc8-4fc4-bb88-0055f7f2b064.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
      C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e728d03-a044-4309-9645-21a40f2e832e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4092
      - C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c04624a2-55e0-4b8f-8d87-002bddd6890f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee5a30f0-207c-40a6-ae13-5bb00510f34f.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dfdfc46-b715-4c58-bdbd-163c5555778c.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\521810b0-bc80-448d-80cd-7f9a3944b78f.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a13341d-8ee9-4a2c-a794-84dbab1db419.vbs"
        15⤵
        
        PID:4324
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0d9d5e1-5cc8-4cfe-aa20-99302023ba02.vbs"
        17⤵
        
        PID:1568
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        
        C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7303188e-f2ec-4e9d-b063-d69f09e7f7d4.vbs"
        19⤵
        
        PID:3640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b58300c-eb80-46c8-b457-e3754d9c2283.vbs"
        19⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f3740b4-8419-4ecf-a6b9-718f3c4ae4fc.vbs"
        17⤵
        
        PID:4904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b90989b-0cc6-4d08-a103-a48a4d19da91.vbs"
        15⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a3fa10e-0a84-44b4-b815-d7d2fb5e327a.vbs"
        13⤵
        
        PID:4968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b662580-3b75-4264-a852-51a8f0ee1c24.vbs"
        11⤵
        
        PID:4508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76dbcdfa-ec59-43ba-84e7-b1c78afb3afb.vbs"
        9⤵
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ee2852d-a31a-4d93-9318-30fc353773ed.vbs"
        7⤵
        
        PID:1580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41035f7b-458f-4b90-bdb8-4b3f11c2b58b.vbs"
        5⤵
        
        PID:4624
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3884cd8b-c8e7-48c0-a579-11628a237ead.vbs"
    3⤵
    PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c1" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c1" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Settings\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\en-US\backgroundTaskHost.exe

Filesize
1.7MB

MD5
12b203e5c47e2ef0791357e4aa0a0b6e

SHA1
de2316e6fc545b2d1ac6d48428b7dfc4154d199e

SHA256
0e02e32cdcbd769cf7a626771a619cf090b42aa2b307ded6b48aa0a2aafa31d0

SHA512
d2fc1c68a3395d07cf43d659136a47b3cfe987fe814ae8e3abdd69d85914fe219f87f6d9d846f285fd04fad4e980393de3fe9dc28ec9b7dda544623be84b22a9

Download Submit
C:\Program Files\Microsoft Office\Updates\sihost.exe

Filesize
1.7MB

MD5
66e551d41f3a4d1e177f7bd4beaf8375

SHA1
085a33b27aa13d3772b17a606d77be3db6baebfb

SHA256
62f0359978b1496f485a5c105bfd23f286269cc7d38bd68180edb7e0a1c41252

SHA512
19d752a9352867bfc98b3af937e00318379729bc7534dd70d481f0128dda5df5fe452b159bee972c53e8f6f654899a0965beaddded6227c862e60a3ea985b612

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\3884cd8b-c8e7-48c0-a579-11628a237ead.vbs

Filesize
550B

MD5
a5c7e47f8d8cf0cd570768c1f6e818c3

SHA1
014c6652fc6e3abb9ac426f8f4319ef46a8e12cc

SHA256
2451b742004e9ef24751a77473afd9de1572fb82b75c8f1ba1850b3ac75942b7

SHA512
11c3b223595c8c2708d49eb636ae2b17a7fa306d02e6c965136af8e9b2046602089cdd07b28864b365bbb5f25236911719b4ad224c3bc15cd81b566716c6e4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dfdfc46-b715-4c58-bdbd-163c5555778c.vbs

Filesize
774B

MD5
2d7973802a248507e0427943bb8660f3

SHA1
c2b2ee3e93d5a467901a808a39b5391215fcb7b4

SHA256
fc52ed63cd918ec8528920684bcbfe0384c4fc508e3d9379ddcd6d6618c66d31

SHA512
2955f0075efbc262157a46d8674ad15f1ef9919748c371ad267adc514e41dc125f4ebc5061e331441cdf539b0449596a32309c84fd0c2aac7d99121826709873

Download Submit
C:\Users\Admin\AppData\Local\Temp\521810b0-bc80-448d-80cd-7f9a3944b78f.vbs

Filesize
773B

MD5
98328621910ff02b09b439577e90d849

SHA1
c3f56596178766afa8320f9ef726f979a87c981a

SHA256
0c65ab6c526d218cf4e1534cfcc2c2e92860485b5970247119d4d1d7aadb3226

SHA512
7a58a37dad635ee2d6b5252edfadbb87417febb3e1a311b49d039e409294dc3d952ca9ddbd681abfcff3b394a276f49a4b80f36a5087edb559b5e4019c96f2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a13341d-8ee9-4a2c-a794-84dbab1db419.vbs

Filesize
774B

MD5
c69a60da7dbb8f754c6716d43efe1e3a

SHA1
f3ac0ff1361eed8e86cb0d04ffd2456e31df991b

SHA256
e9a2b3d31590ac896f4ce2d8beb2081082a40ecb8ea1a6fb9eb7da4272521a96

SHA512
f1fd86eb617cd5f524f3886c0b874fa5a28281875fb4381a92468c20ea4c8bd45a679e5756f6daeb70ab559a41f4e4918a61f24e328ba4909cea1de2097ea5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7303188e-f2ec-4e9d-b063-d69f09e7f7d4.vbs

Filesize
774B

MD5
4d4805ab99a2e2bb225f134de3bb2899

SHA1
c894d90a93fbcfdd6f52e269d32120bf67c1c722

SHA256
a8bc59728ad1606161ddbe5c206e456d6568ac7ace3ac3be076d9c1173d7d147

SHA512
ad7202a446bb3e5021aa8a2c022fc9f6287323667efb3d580605b96c569958aee2b5c90ce219daa98426b17f46293b6c81adcd0d9b27c4a2a07fc7e88b1c8c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e728d03-a044-4309-9645-21a40f2e832e.vbs

Filesize
774B

MD5
77410ee38091158291be6037fab29f61

SHA1
9bf3779abe3e98e6d80834f52abe8f6996391352

SHA256
4428680d6c40d78bedc78030384876a264013fa6a06d91d74d6f5650ea884ce8

SHA512
e6c18f760114588cd0a2a7de0a257b2ffb49ead8b85995c549b369d427f3c5aab48516d7bccb1cab1d1d6a2500c8e107b2e3357270e19178d72987af42e49610

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5rwfg2a.kpb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb2c992a-6cc8-4fc4-bb88-0055f7f2b064.vbs

Filesize
774B

MD5
b7a97f2ad4371f42f1fe21eb49231b90

SHA1
16abd39d68f42372905584fa1fab58f512f3e2b3

SHA256
5386afa57e319fb07a1a20fab40ac7d050cbd6fe7792d0af00976a765f3895a5

SHA512
51a0f52217e525d87643fd4b7985a10facca4e281b19abd6b8f62da4d2f861d5486e68ec697aac5058b88b4f78eba12f28835e6620a7d1934ed8509adedc2efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c04624a2-55e0-4b8f-8d87-002bddd6890f.vbs

Filesize
774B

MD5
2604f6e9888e6969e9a866c3469f1ffb

SHA1
f6c8f09b54c4b4669bcfa156cf3090839db61777

SHA256
bcafb083c68e0e71c32b054bf0b73bbaf92b7029287f129ce86ccb9e14b5e558

SHA512
5c311c5f7c7c3d28d2cb99df4e37d15c9c6c7964ccb1dfef07d0cf7aa813940e5c7ad47c6f4b01dd38b1a273e34594a5fd963c0138ac637aeebee089c78be948

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0d9d5e1-5cc8-4cfe-aa20-99302023ba02.vbs

Filesize
774B

MD5
ce6146285fa1cfa23a54f5f954554297

SHA1
7a1812fbf59942cffe1e96f19c97a80dde8653c0

SHA256
a2f9b64cb44ba13983e5315f2da57b6194214397f52ca5d81fca49d3228437c5

SHA512
77a9e5b627d2110a0df3736ebe2eb6c0768107c6ee47e8ebd22cadae8f3dd59fdd365e4fe68b4bf5bb1bd932b5633ae46e60d74926ed69404811bf5f8a1fabb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee5a30f0-207c-40a6-ae13-5bb00510f34f.vbs

Filesize
774B

MD5
0815c30b93fa965a2e3fae0d8fd636d0

SHA1
74a118b1664984c1df7d8a461d363b008d1efa8b

SHA256
8e5439487ef43706a621a06a55cd59e0db1bc9ffd93bc35b637d4c698bbe42c2

SHA512
3dbdce0f5d1756480b1d61dfd5b6bc2e71476c5f4ab19e9bfac3b3a023a642b64b7eb5a38dfafa99e3018e9647be1d0e4f2dbc58ebcf147457c6ca00fc000c9d

Download Submit
C:\Users\Admin\winlogon.exe

Filesize
1.7MB

MD5
dbb552921387976afcf9ce0e78104979

SHA1
a69da30da382df0a0a0711b37b61428c3896e76a

SHA256
740f5a6efd9b378bb0590ea19d94a55c333ced91cab547f9aacabc8cd200cff3

SHA512
3871ded509b716ebb6d06845a2398ed109c656e61380f705bef3a00a834b31109e20b81300a483cc35dddc183a65a37c7a3c47fb23e061f83a8090953273d9a0

Download Submit
C:\Users\Default\dwm.exe

Filesize
1.7MB

MD5
4dec414f4409cea7c8b90fd730649803

SHA1
46ed1cf8ddcf4736aba57c1f46cacbaec2c09ecb

SHA256
114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c

SHA512
c9674bed0a92ea973c7b7b6cc2812c7dadf390c3a18cff0dca9b658760fe6b4015141ff93a7b0df7bdd2cc90bbe3c8077388db493831ee0385b6a4025689e573

Download Submit
memory/1032-460-0x0000000002840000-0x0000000002852000-memory.dmp

Filesize
72KB

Download
memory/2736-13-0x000000001C600000-0x000000001CB28000-memory.dmp

Filesize
5.2MB

Download
memory/2736-14-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/2736-157-0x00007FF83CB53000-0x00007FF83CB55000-memory.dmp

Filesize
8KB

Download
memory/2736-182-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/2736-22-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/2736-19-0x000000001BA00000-0x000000001BA0C000-memory.dmp

Filesize
48KB

Download
memory/2736-1-0x0000000000AE0000-0x0000000000CA0000-memory.dmp

Filesize
1.8MB

Download
memory/2736-346-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/2736-360-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/2736-15-0x000000001B8B0000-0x000000001B8BA000-memory.dmp

Filesize
40KB

Download
memory/2736-16-0x000000001B8C0000-0x000000001B8CE000-memory.dmp

Filesize
56KB

Download
memory/2736-17-0x000000001B8D0000-0x000000001B8D8000-memory.dmp

Filesize
32KB

Download
memory/2736-18-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/2736-23-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/2736-0-0x00007FF83CB53000-0x00007FF83CB55000-memory.dmp

Filesize
8KB

Download
memory/2736-12-0x000000001B870000-0x000000001B882000-memory.dmp

Filesize
72KB

Download
memory/2736-10-0x000000001B860000-0x000000001B868000-memory.dmp

Filesize
32KB

Download
memory/2736-9-0x0000000003030000-0x000000000303C000-memory.dmp

Filesize
48KB

Download
memory/2736-4-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/2736-2-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

Filesize
10.8MB

Download
memory/2736-5-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

Filesize
32KB

Download
memory/2736-7-0x0000000003000000-0x0000000003016000-memory.dmp

Filesize
88KB

Download
memory/2736-8-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/2736-3-0x0000000002FC0000-0x0000000002FDC000-memory.dmp

Filesize
112KB

Download
memory/2736-6-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/3444-412-0x00007FF85A5A0000-0x00007FF85A63B000-memory.dmp

Filesize
620KB

Download
memory/4592-265-0x000001A45CED0000-0x000001A45CEF2000-memory.dmp

Filesize
136KB

Download
memory/4960-448-0x0000000003540000-0x0000000003552000-memory.dmp

Filesize
72KB

Download