dcrat | 5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8

Analysis

max time kernel
120s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
Size

1.7MB
MD5

64a7d53536484c80f3816ac58f6561f0
SHA1

65ed3b9c78a1412f99fd3b760bba46cb33e109e0
SHA256

5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8
SHA512

722e81ebd97480de4a29fc1a5322076a160d3a332b59a7aaaf99797f7d9d558e6a5fd45aa0146c9504d8c4dcc725d33429b25fccd2289a316896297e1e4ce3ce
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	320	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	320	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1248-1-0x0000000000D50000-0x0000000000F10000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbf-30.dat	dcrat
behavioral2/files/0x000e000000023cae-136.dat	dcrat
behavioral2/files/0x0008000000023cd1-181.dat	dcrat
behavioral2/files/0x0009000000023cd5-191.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4468	powershell.exe
4516	powershell.exe
4648	powershell.exe
4304	powershell.exe
4152	powershell.exe
3784	powershell.exe
4428	powershell.exe
4636	powershell.exe
2260	powershell.exe
1072	powershell.exe
2020	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 8 IoCs

pid	Process
1908	backgroundTaskHost.exe
1968	backgroundTaskHost.exe
2536	backgroundTaskHost.exe
4560	backgroundTaskHost.exe
4388	backgroundTaskHost.exe
3716	backgroundTaskHost.exe
4896	backgroundTaskHost.exe
4404	backgroundTaskHost.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC717.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXD50C.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\56085415360792	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXC2FC.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\spoolsv.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC795.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Google\9e8d7a4ca61bd9	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCXBC01.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXD4FC.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\0a1fd5f707cd16	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files\Windows Portable Devices\TextInputHost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files\Windows Portable Devices\22eafd247d37c3	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB9FC.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Google\RCXD712.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files\Reference Assemblies\backgroundTaskHost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXC2FD.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\TextInputHost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files\Reference Assemblies\backgroundTaskHost.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Windows Media Player\spoolsv.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Windows Media Player\f3b6ecef712a24	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files (x86)\Google\RuntimeBroker.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB9CC.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Program Files\Reference Assemblies\eddb19405b7ce1	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCXBC11.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Google\RCXD711.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Program Files (x86)\Google\RuntimeBroker.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\security\Idle.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\ja-JP\RCXD0B5.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\ja-JP\29c1c3cc0f7685	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\WaaS\services\sppsvc.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\security\6ccacd8608530f	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\ja-JP\RCXD047.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\ja-JP\unsecapp.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\security\RCXD984.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\security\RCXD9C4.tmp	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File opened for modification	C:\Windows\security\Idle.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\Boot\Fonts\dwm.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
File created	C:\Windows\ja-JP\unsecapp.exe	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2368	schtasks.exe
5000	schtasks.exe
3284	schtasks.exe
3088	schtasks.exe
1112	schtasks.exe
4064	schtasks.exe
2912	schtasks.exe
448	schtasks.exe
4648	schtasks.exe
3648	schtasks.exe
4052	schtasks.exe
4900	schtasks.exe
112	schtasks.exe
1532	schtasks.exe
3732	schtasks.exe
3132	schtasks.exe
2432	schtasks.exe
536	schtasks.exe
2468	schtasks.exe
4496	schtasks.exe
4700	schtasks.exe
3664	schtasks.exe
4316	schtasks.exe
4032	schtasks.exe
3008	schtasks.exe
2780	schtasks.exe
4516	schtasks.exe
4144	schtasks.exe
1588	schtasks.exe
3092	schtasks.exe
1224	schtasks.exe
2796	schtasks.exe
836	schtasks.exe
3824	schtasks.exe
5040	schtasks.exe
5016	schtasks.exe
4948	schtasks.exe
860	schtasks.exe
2948	schtasks.exe
4368	schtasks.exe
4300	schtasks.exe
3156	schtasks.exe
2672	schtasks.exe
2212	schtasks.exe
1612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1908	backgroundTaskHost.exe
Token: SeDebugPrivilege	1968	backgroundTaskHost.exe
Token: SeDebugPrivilege	2536	backgroundTaskHost.exe
Token: SeDebugPrivilege	4560	backgroundTaskHost.exe
Token: SeDebugPrivilege	4388	backgroundTaskHost.exe
Token: SeDebugPrivilege	3716	backgroundTaskHost.exe
Token: SeDebugPrivilege	4896	backgroundTaskHost.exe
Token: SeDebugPrivilege	4404	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2260	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	135
PID 1248 wrote to memory of 2260	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	135
PID 1248 wrote to memory of 1072	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	136
PID 1248 wrote to memory of 1072	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	136
PID 1248 wrote to memory of 4304	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	137
PID 1248 wrote to memory of 4304	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	137
PID 1248 wrote to memory of 4636	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	138
PID 1248 wrote to memory of 4636	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	138
PID 1248 wrote to memory of 4648	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	139
PID 1248 wrote to memory of 4648	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	139
PID 1248 wrote to memory of 2020	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	140
PID 1248 wrote to memory of 2020	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	140
PID 1248 wrote to memory of 4516	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	141
PID 1248 wrote to memory of 4516	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	141
PID 1248 wrote to memory of 4468	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	142
PID 1248 wrote to memory of 4468	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	142
PID 1248 wrote to memory of 3784	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	143
PID 1248 wrote to memory of 3784	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	143
PID 1248 wrote to memory of 4428	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	145
PID 1248 wrote to memory of 4428	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	145
PID 1248 wrote to memory of 4152	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	146
PID 1248 wrote to memory of 4152	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	146
PID 1248 wrote to memory of 1908	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	158
PID 1248 wrote to memory of 1908	1248	5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe	158
PID 1908 wrote to memory of 1648	1908	backgroundTaskHost.exe	162
PID 1908 wrote to memory of 1648	1908	backgroundTaskHost.exe	162
PID 1908 wrote to memory of 5028	1908	backgroundTaskHost.exe	163
PID 1908 wrote to memory of 5028	1908	backgroundTaskHost.exe	163
PID 1648 wrote to memory of 1968	1648	WScript.exe	165
PID 1648 wrote to memory of 1968	1648	WScript.exe	165
PID 1968 wrote to memory of 4524	1968	backgroundTaskHost.exe	167
PID 1968 wrote to memory of 4524	1968	backgroundTaskHost.exe	167
PID 1968 wrote to memory of 4820	1968	backgroundTaskHost.exe	168
PID 1968 wrote to memory of 4820	1968	backgroundTaskHost.exe	168
PID 4524 wrote to memory of 2536	4524	WScript.exe	172
PID 4524 wrote to memory of 2536	4524	WScript.exe	172
PID 2536 wrote to memory of 2820	2536	backgroundTaskHost.exe	174
PID 2536 wrote to memory of 2820	2536	backgroundTaskHost.exe	174
PID 2536 wrote to memory of 860	2536	backgroundTaskHost.exe	175
PID 2536 wrote to memory of 860	2536	backgroundTaskHost.exe	175
PID 2820 wrote to memory of 4560	2820	WScript.exe	176
PID 2820 wrote to memory of 4560	2820	WScript.exe	176
PID 4560 wrote to memory of 1868	4560	backgroundTaskHost.exe	178
PID 4560 wrote to memory of 1868	4560	backgroundTaskHost.exe	178
PID 4560 wrote to memory of 3204	4560	backgroundTaskHost.exe	179
PID 4560 wrote to memory of 3204	4560	backgroundTaskHost.exe	179
PID 1868 wrote to memory of 4388	1868	WScript.exe	180
PID 1868 wrote to memory of 4388	1868	WScript.exe	180
PID 4388 wrote to memory of 3824	4388	backgroundTaskHost.exe	182
PID 4388 wrote to memory of 3824	4388	backgroundTaskHost.exe	182
PID 4388 wrote to memory of 2992	4388	backgroundTaskHost.exe	183
PID 4388 wrote to memory of 2992	4388	backgroundTaskHost.exe	183
PID 3824 wrote to memory of 3716	3824	WScript.exe	184
PID 3824 wrote to memory of 3716	3824	WScript.exe	184
PID 3716 wrote to memory of 1712	3716	backgroundTaskHost.exe	186
PID 3716 wrote to memory of 1712	3716	backgroundTaskHost.exe	186
PID 3716 wrote to memory of 2880	3716	backgroundTaskHost.exe	187
PID 3716 wrote to memory of 2880	3716	backgroundTaskHost.exe	187
PID 1712 wrote to memory of 4896	1712	WScript.exe	188
PID 1712 wrote to memory of 4896	1712	WScript.exe	188
PID 4896 wrote to memory of 1088	4896	backgroundTaskHost.exe	190
PID 4896 wrote to memory of 1088	4896	backgroundTaskHost.exe	190
PID 4896 wrote to memory of 5096	4896	backgroundTaskHost.exe	191
PID 4896 wrote to memory of 5096	4896	backgroundTaskHost.exe	191

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe
"C:\Users\Admin\AppData\Local\Temp\5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4152
- C:\Program Files\Reference Assemblies\backgroundTaskHost.exe
  "C:\Program Files\Reference Assemblies\backgroundTaskHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74edc3af-cabd-42dd-a258-b17d8b0ee221.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Program Files\Reference Assemblies\backgroundTaskHost.exe
      "C:\Program Files\Reference Assemblies\backgroundTaskHost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7939523f-6b16-4227-a059-d0f9979beb76.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Program Files\Reference Assemblies\backgroundTaskHost.exe
        
        "C:\Program Files\Reference Assemblies\backgroundTaskHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aba608a-93db-4703-a678-33eab714c9ec.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Program Files\Reference Assemblies\backgroundTaskHost.exe
        
        "C:\Program Files\Reference Assemblies\backgroundTaskHost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1159713-afc9-4727-bff8-730090b56afb.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Program Files\Reference Assemblies\backgroundTaskHost.exe
        
        "C:\Program Files\Reference Assemblies\backgroundTaskHost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a4ae956-de6f-4072-8865-ab019f9d2e39.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Program Files\Reference Assemblies\backgroundTaskHost.exe
        
        "C:\Program Files\Reference Assemblies\backgroundTaskHost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4524c41c-46eb-47f2-abd7-ea9b88320b26.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Program Files\Reference Assemblies\backgroundTaskHost.exe
        
        "C:\Program Files\Reference Assemblies\backgroundTaskHost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4943214c-e9fd-4e18-9052-500db263e810.vbs"
        15⤵
        
        PID:1088
        
        C:\Program Files\Reference Assemblies\backgroundTaskHost.exe
        
        "C:\Program Files\Reference Assemblies\backgroundTaskHost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de25969-c1b5-4d5a-bea9-3f959ed4ad63.vbs"
        17⤵
        
        PID:5080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3f69cc3-e0f6-4d45-95ff-bb568d32149c.vbs"
        17⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c5d1aa6-b18d-4f46-8563-49ce8ec9bcf7.vbs"
        15⤵
        
        PID:5096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a41a67f0-a4b7-4ae7-9a51-af419e1deaad.vbs"
        13⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\987ace48-ef1c-4ef1-a3c5-51f962b02577.vbs"
        11⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3be13aaa-2775-4d9d-a0d4-f34284c092a0.vbs"
        9⤵
        
        PID:3204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4089263-5c0d-4c64-b6ac-1b05fc8d272a.vbs"
        7⤵
        
        PID:860
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bf16be1-b2bb-4e35-a316-0d298fb1fa5f.vbs"
        5⤵
        
        PID:4820
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f359e209-dba1-4950-b003-b7420217d0f4.vbs"
    3⤵
    PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\security\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\security\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\security\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\spoolsv.exe

Filesize
1.7MB

MD5
64a7d53536484c80f3816ac58f6561f0

SHA1
65ed3b9c78a1412f99fd3b760bba46cb33e109e0

SHA256
5e0f73566b5c6d171393cdc5d2cbec8ae6f8c7afd37e0bac19aed41e556174d8

SHA512
722e81ebd97480de4a29fc1a5322076a160d3a332b59a7aaaf99797f7d9d558e6a5fd45aa0146c9504d8c4dcc725d33429b25fccd2289a316896297e1e4ce3ce

Download Submit
C:\Program Files\Reference Assemblies\RCXD4FC.tmp

Filesize
1.7MB

MD5
4435313e110ac95db070a2b47d883a10

SHA1
e6974061eeda556ce2bee7260f52f0cd2a2418b4

SHA256
56b550ebf04114de7a010654fe1f22cb4ef672bf9b10d728c5c4d4b74f83cb86

SHA512
09d6f0b9ac338a3370518b6626c9d7bf270f4af6a52f5c3b363a78c5655448e5cd2ed144eb7ae7dfe9aac2ca4b1165079bb82bec9b74b7e27bdd3070c61ca2bd

Download Submit
C:\Program Files\Windows Portable Devices\TextInputHost.exe

Filesize
1.7MB

MD5
021c32064727285ba5e362f086ff5279

SHA1
d933a481e7dcd8c4515f78e71ef13a2bd052b0dc

SHA256
9975c366f890b1dd94adcff82e275739cdbb2914d021ed96477853c76eac162b

SHA512
7b96c8473956101eb74ed7505901cf91e4093ec864bd0a0db41cbc5a608aee409cf13b6a89d7ab70fe2e0d5c41c88ed1c4ff9ebde025f86f06487d8e388533e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a4ae956-de6f-4072-8865-ab019f9d2e39.vbs

Filesize
736B

MD5
257f61daaef7ea117b78f3e19c6232b7

SHA1
c016908fc83f9511cd15abed7a075d1826d10238

SHA256
431ded38b1df7e37a49603cefeaefb8e6cca1163c239d4365cfb6c51e44611bf

SHA512
6ca93e2ebfbea7178ec31f9bea80a181966fc336cc6ba0907d5ac14b8c9dbc35e0c5b2543e080ef2d565b1506fff27334b1d44533a35a63dee60113391cb3772

Download Submit
C:\Users\Admin\AppData\Local\Temp\4524c41c-46eb-47f2-abd7-ea9b88320b26.vbs

Filesize
736B

MD5
8d99b8d8c8f577fee39e6e15b5b3e05c

SHA1
af7d857b93557fa9f10e30a786f4f8b0c6f0797b

SHA256
173dda0317cecc8f5526f01b6c27fa4111064bbca1e2bae4f76c62c01bd681da

SHA512
c91180a74a6f5278ba9d5becbb233b34a0eb6bef17c372a8f42693c56a71ece37549f72c7e15e301a19bd6384f66266e66ccf46ca8e9d775c05bab5b7ab0b09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4943214c-e9fd-4e18-9052-500db263e810.vbs

Filesize
736B

MD5
5f813af7310d798d63b60fb57a01b306

SHA1
33ccf670f49647ad912d7532d56dc69c939763f4

SHA256
9d0f9d0204643d85273d11955476ae0de7946b9db16d0fd29ccb622352eb7f97

SHA512
cffb07d1e0f263cb81c13c13674241084fb440ac86249f1b7c661c4bd0707c42a89be5f18921c9d4d621a432d16a4205f0f3e2513843120f17048c750c215a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5aba608a-93db-4703-a678-33eab714c9ec.vbs

Filesize
736B

MD5
a5339c82a9cc97ae5bfe38c096b0ca12

SHA1
e0b6b9ba42e718b5ba542330ff7b3332b3d4bf59

SHA256
a633a1f1f2ecbd2d8f7206af0c8d591231ed51d587c5a3a01f025445aab822cc

SHA512
ec6ab2a8bd516bf020fd5d52798c20ccb5581a474f24be554af71d1f1cf6b700c02381eb6be31180725794d87c0eae2241e81d72d07850544e35505030020889

Download Submit
C:\Users\Admin\AppData\Local\Temp\74edc3af-cabd-42dd-a258-b17d8b0ee221.vbs

Filesize
736B

MD5
f651663257e8d2401c29f224965506f9

SHA1
60f0725baaf5020387a5d43b027edb820f86e78f

SHA256
2a7a6c16dd7783af68cd0bea408fcbcb62fdcd049b010b593e3276be489d3d00

SHA512
4a9814b4c29885102c3142e047fe1573a72c8ad4dcaa851dbb4a6d857fbd1b36bad9afeed94ce7468b9154d3c0712966fdedb14e3b31193df1a93010fa8255b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7939523f-6b16-4227-a059-d0f9979beb76.vbs

Filesize
736B

MD5
42027fe0dfb42027cec23bb19b5b6aa1

SHA1
30d8f26f1fb50b7e99eadf872f4dd77e410349de

SHA256
95d268c113ef0747be2eab76fa10515658f82bea1b0c11c1d0b25e01a04c05a3

SHA512
6fbfc1fd240c1339ebcac3ea5d5b2f77c72bd29a8ed1223b706f6f4ee51c688b1265370fb0067f84ed842f970224d1ef9cd3bce916e443ee0f273c9bb9607624

Download Submit
C:\Users\Admin\AppData\Local\Temp\8de25969-c1b5-4d5a-bea9-3f959ed4ad63.vbs

Filesize
736B

MD5
8dd4fb2fe515087f1ce38481ff7b0450

SHA1
4e0e79716089954e0bb8abc52762335056de69d9

SHA256
51387ab2067c72c08efb1b5a4a98b2089b32cc1c3e3a1112781ef2a48a2c42dc

SHA512
1dc6b6387806795b8b2c20c8846f6c29a9ca03cfd5adf5e9cdf50ac109793e4253529bb7e25922a0bd73ba9ca3e1333f684d98e14ab3d6456551ecc7d1075d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfz3xtpk.m2q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1159713-afc9-4727-bff8-730090b56afb.vbs

Filesize
736B

MD5
7f6c9c1e7128df9c9ba7d1f4701c8935

SHA1
cc03d9ae2f1b3b09dc7fab7aeabdbe0e5e3e0120

SHA256
48bd61195d8ba568c310643d12e6a8f9d4c1b9b0a8b49a9aae5e97f48b0a13ee

SHA512
74d1991def3f8f2357038396e4cff0a46737291e1bd4c3a271229d3102a0e2455cffa6057034c98fd1d8bbed42e2027c635d90fc1373a33f74910277e346a2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f359e209-dba1-4950-b003-b7420217d0f4.vbs

Filesize
512B

MD5
215e252c9de23c3df6403f39e58942de

SHA1
a77db5beaae88e506d607eaee620ce83d36e823c

SHA256
a067c3480eac5e996aa6ca48d4f11dafb0be19e6739600efccd29ce352898aea

SHA512
3a9aae192ae5a4d68d7b0429c4feaf336f8cacefaca89e3fdb0a6a3a239217766e3b4ab12c7f49378732bbb3980f56470a18e500f3a9dd556a388a7c1f2647fa

Download Submit
C:\Windows\ja-JP\unsecapp.exe

Filesize
1.7MB

MD5
ff31442e810aa7e264b4d587188a37f9

SHA1
14fd56f41f29c5d516791ed7e56176c671d11589

SHA256
3224b7c3af471279d134edccefc5c750de4c019c8590797bb4c40abe19981cba

SHA512
d381c5a283bf1ba28dbb87ce7d27587d508909c9a59e0f4e2321cce03e7d3b0a2a26bcd766290212032cdb72bbfef3ac3ee8aa2f3428ca91102c5c3fa3d7e9bd

Download Submit
memory/1248-17-0x000000001BD30000-0x000000001BD38000-memory.dmp

Filesize
32KB

Download
memory/1248-15-0x000000001C4B0000-0x000000001C4BA000-memory.dmp

Filesize
40KB

Download
memory/1248-5-0x0000000003040000-0x0000000003048000-memory.dmp

Filesize
32KB

Download
memory/1248-4-0x000000001BB70000-0x000000001BBC0000-memory.dmp

Filesize
320KB

Download
memory/1248-163-0x00007FFF75D53000-0x00007FFF75D55000-memory.dmp

Filesize
8KB

Download
memory/1248-22-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

Filesize
10.8MB

Download
memory/1248-186-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

Filesize
10.8MB

Download
memory/1248-187-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

Filesize
10.8MB

Download
memory/1248-3-0x00000000015C0000-0x00000000015DC000-memory.dmp

Filesize
112KB

Download
memory/1248-211-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

Filesize
10.8MB

Download
memory/1248-7-0x0000000003060000-0x0000000003076000-memory.dmp

Filesize
88KB

Download
memory/1248-19-0x000000001BD60000-0x000000001BD6C000-memory.dmp

Filesize
48KB

Download
memory/1248-396-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

Filesize
10.8MB

Download
memory/1248-8-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/1248-0-0x00007FFF75D53000-0x00007FFF75D55000-memory.dmp

Filesize
8KB

Download
memory/1248-2-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

Filesize
10.8MB

Download
memory/1248-16-0x000000001BD40000-0x000000001BD4E000-memory.dmp

Filesize
56KB

Download
memory/1248-6-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/1248-18-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/1248-23-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

Filesize
10.8MB

Download
memory/1248-1-0x0000000000D50000-0x0000000000F10000-memory.dmp

Filesize
1.8MB

Download
memory/1248-14-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/1248-13-0x000000001C7E0000-0x000000001CD08000-memory.dmp

Filesize
5.2MB

Download
memory/1248-12-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

Filesize
72KB

Download
memory/1248-10-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

Filesize
32KB

Download
memory/1248-9-0x000000001BBC0000-0x000000001BBCC000-memory.dmp

Filesize
48KB

Download
memory/1908-397-0x000000001B7B0000-0x000000001B7C2000-memory.dmp

Filesize
72KB

Download
memory/3784-294-0x000002875F320000-0x000002875F342000-memory.dmp

Filesize
136KB

Download