dcrat | 894a461e0d709023ba6ec45f748b38a79ae12cf398702244ef2ffa93dd644133

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
Size

1.6MB
MD5

ea4af16c25f7941503efcfb413ecb310
SHA1

dddca77691de109f0dc9c9680d3680950b4bfa51
SHA256

ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947
SHA512

08354124b35e61ff4b153bcf1615cc1e9320f8fb9e92e0ee56eb5e2e29d2153386822d4131a34488304b8073a697afb2a46952ea819511199b1a010ae20123e8
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5908	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5928	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5724	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5232	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4804	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	4804	schtasks.exe	86

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral14/memory/1660-1-0x00000000003C0000-0x0000000000562000-memory.dmp	dcrat
behavioral14/files/0x0007000000024298-26.dat	dcrat
behavioral14/files/0x000c0000000242ba-103.dat	dcrat
behavioral14/files/0x000a000000024298-116.dat	dcrat
behavioral14/files/0x00090000000242be-138.dat	dcrat
behavioral14/files/0x000b0000000242a3-171.dat	dcrat
behavioral14/files/0x000a0000000242af-193.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1268	powershell.exe
3644	powershell.exe
1104	powershell.exe
1088	powershell.exe
3136	powershell.exe
2304	powershell.exe
5624	powershell.exe
5428	powershell.exe
4292	powershell.exe
4300	powershell.exe
5980	powershell.exe
3624	powershell.exe
5000	powershell.exe
2624	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 13 IoCs

pid	Process
2896	wininit.exe
2396	wininit.exe
1408	wininit.exe
5896	wininit.exe
1548	wininit.exe
6084	wininit.exe
1396	wininit.exe
3100	wininit.exe
5252	wininit.exe
5312	wininit.exe
540	wininit.exe
5572	wininit.exe
2444	wininit.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\121e5b5079f7c0	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXA7BE.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXAB3B.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sysmon.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\29c1c3cc0f7685	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXA326.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXA3A4.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sysmon.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files\Windows Sidebar\TextInputHost.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Program Files\Windows Sidebar\TextInputHost.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Program Files\Windows Sidebar\22eafd247d37c3	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXA83C.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXAABD.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\debug\eddb19405b7ce1	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\appcompat\appraiser\Telemetry\csrss.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\SystemResources\Windows.UI.PCShell\pris\5940a34987c991	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\RCX9E9F.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\appcompat\appraiser\Telemetry\886983d96e3d3e	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\SystemResources\Windows.UI.PCShell\pris\dllhost.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\debug\RCX9784.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\de-DE\RCX9998.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\debug\backgroundTaskHost.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\debug\RCX9783.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\de-DE\RCX9999.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\de-DE\fontdrvhost.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\RCX9E21.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\appcompat\appraiser\Telemetry\csrss.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.PCShell\pris\dllhost.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\de-DE\fontdrvhost.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File created	C:\Windows\de-DE\5b884080fd4f94	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\debug\backgroundTaskHost.exe	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.PCShell\pris\RCXA0A3.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.PCShell\pris\RCXA121.tmp	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4676	schtasks.exe
4772	schtasks.exe
5908	schtasks.exe
4700	schtasks.exe
1524	schtasks.exe
5232	schtasks.exe
2044	schtasks.exe
1172	schtasks.exe
1036	schtasks.exe
4480	schtasks.exe
4788	schtasks.exe
4856	schtasks.exe
2504	schtasks.exe
4484	schtasks.exe
4736	schtasks.exe
4456	schtasks.exe
4532	schtasks.exe
4448	schtasks.exe
2100	schtasks.exe
5724	schtasks.exe
4872	schtasks.exe
1084	schtasks.exe
4404	schtasks.exe
5928	schtasks.exe
60	schtasks.exe
5160	schtasks.exe
788	schtasks.exe
4688	schtasks.exe
4832	schtasks.exe
2756	schtasks.exe
4940	schtasks.exe
3828	schtasks.exe
4424	schtasks.exe
4520	schtasks.exe
4864	schtasks.exe
4780	schtasks.exe
4884	schtasks.exe
4584	schtasks.exe
4488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
3136	powershell.exe
3136	powershell.exe
5000	powershell.exe
5000	powershell.exe
3624	powershell.exe
3624	powershell.exe
2304	powershell.exe
2304	powershell.exe
1088	powershell.exe
1088	powershell.exe
5980	powershell.exe
5980	powershell.exe
2624	powershell.exe
2624	powershell.exe
5624	powershell.exe
1104	powershell.exe
1104	powershell.exe
5624	powershell.exe
1268	powershell.exe
1268	powershell.exe
5428	powershell.exe
5428	powershell.exe
4292	powershell.exe
4292	powershell.exe
3644	powershell.exe
3644	powershell.exe
4300	powershell.exe
4300	powershell.exe
1088	powershell.exe
3136	powershell.exe
3136	powershell.exe
3624	powershell.exe
5000	powershell.exe
5000	powershell.exe
4292	powershell.exe
2304	powershell.exe
5980	powershell.exe
2624	powershell.exe
1104	powershell.exe
1268	powershell.exe
3644	powershell.exe
5624	powershell.exe
4300	powershell.exe
5428	powershell.exe
2896	wininit.exe
2896	wininit.exe
2396	wininit.exe
1408	wininit.exe
5896	wininit.exe
1548	wininit.exe
1548	wininit.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	5980	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	5624	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2896	wininit.exe
Token: SeDebugPrivilege	2396	wininit.exe
Token: SeDebugPrivilege	1408	wininit.exe
Token: SeDebugPrivilege	5896	wininit.exe
Token: SeDebugPrivilege	1548	wininit.exe
Token: SeDebugPrivilege	6084	wininit.exe
Token: SeDebugPrivilege	1396	wininit.exe
Token: SeDebugPrivilege	3100	wininit.exe
Token: SeDebugPrivilege	5252	wininit.exe
Token: SeDebugPrivilege	5312	wininit.exe
Token: SeDebugPrivilege	540	wininit.exe
Token: SeDebugPrivilege	5572	wininit.exe
Token: SeDebugPrivilege	2444	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 3624	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	126
PID 1660 wrote to memory of 3624	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	126
PID 1660 wrote to memory of 5980	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	127
PID 1660 wrote to memory of 5980	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	127
PID 1660 wrote to memory of 2304	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	128
PID 1660 wrote to memory of 2304	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	128
PID 1660 wrote to memory of 3136	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	130
PID 1660 wrote to memory of 3136	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	130
PID 1660 wrote to memory of 5000	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	131
PID 1660 wrote to memory of 5000	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	131
PID 1660 wrote to memory of 1088	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	134
PID 1660 wrote to memory of 1088	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	134
PID 1660 wrote to memory of 1104	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	136
PID 1660 wrote to memory of 1104	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	136
PID 1660 wrote to memory of 3644	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	137
PID 1660 wrote to memory of 3644	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	137
PID 1660 wrote to memory of 1268	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	138
PID 1660 wrote to memory of 1268	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	138
PID 1660 wrote to memory of 2624	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	139
PID 1660 wrote to memory of 2624	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	139
PID 1660 wrote to memory of 4300	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	140
PID 1660 wrote to memory of 4300	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	140
PID 1660 wrote to memory of 4292	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	141
PID 1660 wrote to memory of 4292	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	141
PID 1660 wrote to memory of 5428	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	147
PID 1660 wrote to memory of 5428	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	147
PID 1660 wrote to memory of 5624	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	151
PID 1660 wrote to memory of 5624	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	151
PID 1660 wrote to memory of 2896	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	154
PID 1660 wrote to memory of 2896	1660	ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe	154
PID 2896 wrote to memory of 5440	2896	wininit.exe	157
PID 2896 wrote to memory of 5440	2896	wininit.exe	157
PID 2896 wrote to memory of 5268	2896	wininit.exe	158
PID 2896 wrote to memory of 5268	2896	wininit.exe	158
PID 5440 wrote to memory of 2396	5440	WScript.exe	161
PID 5440 wrote to memory of 2396	5440	WScript.exe	161
PID 2396 wrote to memory of 4716	2396	wininit.exe	163
PID 2396 wrote to memory of 4716	2396	wininit.exe	163
PID 2396 wrote to memory of 2872	2396	wininit.exe	164
PID 2396 wrote to memory of 2872	2396	wininit.exe	164
PID 4716 wrote to memory of 1408	4716	WScript.exe	166
PID 4716 wrote to memory of 1408	4716	WScript.exe	166
PID 1408 wrote to memory of 4824	1408	wininit.exe	167
PID 1408 wrote to memory of 4824	1408	wininit.exe	167
PID 1408 wrote to memory of 3656	1408	wininit.exe	168
PID 1408 wrote to memory of 3656	1408	wininit.exe	168
PID 4824 wrote to memory of 5896	4824	WScript.exe	170
PID 4824 wrote to memory of 5896	4824	WScript.exe	170
PID 5896 wrote to memory of 1244	5896	wininit.exe	172
PID 5896 wrote to memory of 1244	5896	wininit.exe	172
PID 5896 wrote to memory of 6020	5896	wininit.exe	173
PID 5896 wrote to memory of 6020	5896	wininit.exe	173
PID 1244 wrote to memory of 1548	1244	WScript.exe	176
PID 1244 wrote to memory of 1548	1244	WScript.exe	176
PID 1548 wrote to memory of 5908	1548	wininit.exe	177
PID 1548 wrote to memory of 5908	1548	wininit.exe	177
PID 1548 wrote to memory of 2232	1548	wininit.exe	178
PID 1548 wrote to memory of 2232	1548	wininit.exe	178
PID 5908 wrote to memory of 6084	5908	WScript.exe	179
PID 5908 wrote to memory of 6084	5908	WScript.exe	179
PID 6084 wrote to memory of 3412	6084	wininit.exe	180
PID 6084 wrote to memory of 3412	6084	wininit.exe	180
PID 6084 wrote to memory of 1628	6084	wininit.exe	181
PID 6084 wrote to memory of 1628	6084	wininit.exe	181

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe
"C:\Users\Admin\AppData\Local\Temp\ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\Telemetry\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.PCShell\pris\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5624
- C:\Users\Public\wininit.exe
  "C:\Users\Public\wininit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9d34d01-0e03-484b-9822-6a9b89e3f818.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5440
  - - C:\Users\Public\wininit.exe
      C:\Users\Public\wininit.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12b87b8c-4854-46bb-bf5c-7513f0fb0de4.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1eb45bd-4d73-4dfc-a6c1-f2032a0fddbf.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b96137-9723-48d9-bdd1-97a1a04d80b0.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76674bb1-e947-4c71-874a-665f69f72356.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5908
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2544cb-ca6e-47bb-a1c8-9cd9d438cc1b.vbs"
        13⤵
        
        PID:3412
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef8e7fcc-746c-431e-b41f-95beff870786.vbs"
        15⤵
        
        PID:788
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85f439cd-126a-4ed0-9b87-346619f8a7cb.vbs"
        17⤵
        
        PID:3856
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\734b04c0-80f9-4290-92af-8dac8ff36483.vbs"
        19⤵
        
        PID:3496
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6055e56-de58-4f91-983e-ee8a45719a1d.vbs"
        21⤵
        
        PID:2496
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83ad7d0-010d-4cb1-93df-6e75c0bb1fd7.vbs"
        23⤵
        
        PID:2268
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27105c50-0b49-4cdd-a88c-f71270436534.vbs"
        25⤵
        
        PID:2336
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1be5bbdb-f120-4425-a43f-d58012a8b0e4.vbs"
        27⤵
        
        PID:5788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f418a52-1fce-4b5e-bed9-19967be3a1b8.vbs"
        27⤵
        
        PID:5812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb0b039f-d24e-4781-aa53-aaa5efd4ebfc.vbs"
        25⤵
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7c80345-af68-482a-9e03-b51d7aceb4aa.vbs"
        23⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85656241-bf88-4f95-9612-0b1e2882f980.vbs"
        21⤵
        
        PID:5712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc194178-3505-4394-900f-d1fbb146cd1e.vbs"
        19⤵
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6e1abe5-6b5b-4fa8-ab24-e9ef517c156d.vbs"
        17⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e43d8861-10b6-4db3-8bbd-98fe57b760f3.vbs"
        15⤵
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4851966-2bd3-4736-9f2c-cceebad89d28.vbs"
        13⤵
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f4891d1-1aed-4181-b053-a8970f4f3916.vbs"
        11⤵
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f13742bf-6270-49a1-838b-e2c0d892dd12.vbs"
        9⤵
        
        PID:6020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b2715ed-1169-4890-8da8-e54a725bc903.vbs"
        7⤵
        
        PID:3656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b663dab4-2a13-4475-b863-c5e5f855f26c.vbs"
        5⤵
        
        PID:2872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ceaf38f-7f91-4cd2-b3f7-b3c4f29896c2.vbs"
    3⤵
    PID:5268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\appraiser\Telemetry\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\appraiser\Telemetry\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.PCShell\pris\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.PCShell\pris\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemResources\Windows.UI.PCShell\pris\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\7330c8a20692d0b35002ea5a\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\7330c8a20692d0b35002ea5a\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\7330c8a20692d0b35002ea5a\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\7330c8a20692d0b35002ea5a\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7330c8a20692d0b35002ea5a\winlogon.exe

Filesize
1.6MB

MD5
d0f6936a5120e6b93b333d57329a2df7

SHA1
60b0c8c4311b1b9b7830a5f0364b58c3b94e773e

SHA256
750c1ea6d147f1b3d5f35e1f6189d6e532e19c45532746a8d8a5fa39bf5adef8

SHA512
7d96708e7ec38f7468eca834048f5dd368241125fda72d83f9481c26c7d3f6907ae59fca0d22703228145836ba4eec46f487151fb954d148e4caf66466f1650d

Download Submit
C:\Program Files (x86)\Windows Defender\ja-JP\unsecapp.exe

Filesize
1.6MB

MD5
af42d11f170dbecd9e5f0f28d5c19848

SHA1
fb18fee7fda3505be441ff55eefb528f27dd9ba0

SHA256
ac38bb72e798ca65a693fbb15a472a0b1fd9cfa6640abeb96b9070254e72aca6

SHA512
01d30f530032a512ac4112435f5306e70b3030b3a58c841f0a5b55e11a78bac7bf3587e7b9d7d934100ecd9d366613740ad289b6d100fba0b867fdbbf0aae86e

Download Submit
C:\Program Files\Windows Sidebar\TextInputHost.exe

Filesize
1.6MB

MD5
baf0eb34cd60387d1fb3b6a4c6fbfce7

SHA1
556e71ae3cc4b7016c04f5f1aebc21b383ac5fc4

SHA256
f6f186ef434533f8e905cb06c1e95c92aefb896fa673838bce0175e0f8fa5cc2

SHA512
ca2e6425ae3d24be4cddf73ac8537592f4f8d9f7c2a02be0f4d4930917f94fe73a1a4079c3db5456ec8d8c012698c06227cc765825a70bdeec25a445c0e54f83

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.6MB

MD5
ea4af16c25f7941503efcfb413ecb310

SHA1
dddca77691de109f0dc9c9680d3680950b4bfa51

SHA256
ac0a0426d73f90b06d108d12d985c40a819ff8cc91de78bd8e4c6045249b2947

SHA512
08354124b35e61ff4b153bcf1615cc1e9320f8fb9e92e0ee56eb5e2e29d2153386822d4131a34488304b8073a697afb2a46952ea819511199b1a010ae20123e8

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.6MB

MD5
9bd3f51aefe8813fdcce8487d7306178

SHA1
38e4c0f808febb9eb1cc06d72c079614465f0003

SHA256
ed400c54426b14cedd74c143a9c174731758387d4f667404c66f28ed39c135af

SHA512
b6b13c4ff22a55540e11ff2b7197ae2b4cad4093a036b430708fbcf83270d5319344c392a095dfdaddc392087b906f6546fd30806e76401177ee86b31e646684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba4e21ecb1da461b16fb5e959dd38709

SHA1
67736c22801adc11c6f7fcb0f590d55206e92a7b

SHA256
1436ac482c3aac03015aff9df65906a1ab313aee4a63fcc2d6ef2556b8913baa

SHA512
983d441d9a9369b8b9cd427410d90f8e1042a35e1a2738fd8f6b5576da497c503f770d1232d9962bb7a30c3ef543c1a8be648f48336499bce4a985513c1ce087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57366c231de00746064dfc343609469e

SHA1
d0d9eba222fe7063cb8ff5684a513a0519cf8716

SHA256
6f0b61076b750e5aa238970758c9a1b5389bde8bd94c4a367e00b32d414238c9

SHA512
acc3612494d35a63fe2e110296dad850aaafd3c8327c89468a2573535ba0664350d3bfdf45338e4677dcc0553fd9cb84c81b2f88b3ce2e4836458c234db817ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a822dfe702436e366414e8ddb6fb41d0

SHA1
db35e49e01a1baf69d51d52375fb26da32b12ddf

SHA256
929a0a2762a94d0f949b0bec034d141a00c1653d8dec84ff994d32e6e115a3b2

SHA512
67d023275898ba86b0f1bc67b0868b0a31038ce366b1ade6e433c1785d4150c8b630462afd2af2479d2268351d1e7dd5a6e99042020cfbfa1490d04420bd296c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
001f81f763ebc3f7926c3835567069f1

SHA1
fe1c924ca3ddd061f1725654518a4c22856488e4

SHA256
8d717486dee617b16e6c9690fdce46e461327584598d674f7fd82f40ce6d5f81

SHA512
58b6632616d68e49ef7133d26e815382d002e98589de47175d5f05172e5efe2c35f952feaeeb944528bf3c94ed6fbc95cee51b901815654d969b0a133dbbf2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
79a11bc629c54beffe541507473ca6c5

SHA1
7d1d78c10bfdb5e338ae4831f32a571a1362e3f6

SHA256
b75463c0765737425c2000412d88de89e64c69594cdbf48914b7973b32d4d919

SHA512
dcdf2dcfd3063a72096e3486bdd11b6a76a126320e3fc859543cac30e4d628b6bb873367d9c537657494d84ed3531cff355373a51af1ccda0c9be7b23356770a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
400965c5c8206c7b519873fb3aa3aebf

SHA1
0764aa4c62cc242ede7ec00e36539c20e17e5565

SHA256
e8a339e9d5f5699e83419d2fb336577a101a4cd31df7ddd8c71a88dec1593b04

SHA512
32b7c0f5745c3cbb291642e96ce907d0d71f986f0fb1f55f2c5f56dd76d9243d8ca936a7e81c0ef3962d5daf25d51bd93c5de77cdf9c3ed74101e3056e510369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4b25365534f6e80f784bf0e0d4059973

SHA1
c599ef0f1d9ba1265eeb3bb02db8ea30eebee19c

SHA256
ea3d1a91d3248163412b2df35c0fcafbdc2ad4754c82e202b8f3b142af2b760c

SHA512
96deef1eba434a1784105a51888ca0cedd460bf05743e91e06a2b3dfff690099a5c3aad8b15297d3f84a10d8ddc24cfafa622217139ac1356fe40f18fd410c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efd2dfedf7e67764ce4dc0c1475d5543

SHA1
be775a500ecf6c234153afad0b8ec07e56ad74fa

SHA256
662c4f869810ea7f43ce3ccbeccc5b80c443161c56a346fb9054fb1fa613a7ad

SHA512
b167fa92f6d63b18e6247445b1c532a2a229a0fc6dcd26c9d1526749f80c7ec01524b7ce497ab94a3df814f9ce4b7394d872d85555323ddcd08798d565f3211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ea4fdbf8bad883929456091a1e50194

SHA1
fc3b6026729ad36729c2cc4349b8e7a94255ad71

SHA256
ca2f5b4e41b386c2f09fb10d2cf78cd395b614ea6c7c11ec155b415550262e2e

SHA512
27bdd15bf73b9fe22005834e083c1e05919532a4f3eb4c4c41727f8175f35ab2119625ee7d8cc0ab86e00631393c8c839f05dcd3cdcd6644b83de41649472211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c9a06205efb4ec6b1ca25ba605f9f6d

SHA1
53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

SHA256
4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

SHA512
e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

Download Submit
C:\Users\Admin\AppData\Local\Temp\12b87b8c-4854-46bb-bf5c-7513f0fb0de4.vbs

Filesize
703B

MD5
d8ebc04c05b3f2134338d099be5d14b0

SHA1
9fb2c1bd086833d37a510aaee1ddeda0fbc98a69

SHA256
bfc9bf46e8ca8dd496e217cf8da0ab8de8240a6f496218b7563d9d0a84ebe1c1

SHA512
e28d0a465f7d18dea38b6b5ef9492f70f02498491b41cf953be31962ecb3f2bbb744b3b6d421b322e0fa67537118deffa5a0d021a09288e12ae755944f769243

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ceaf38f-7f91-4cd2-b3f7-b3c4f29896c2.vbs

Filesize
479B

MD5
005722bab423b7b2359c9b92398968da

SHA1
c381941c0c4fb0534fadad79db28b95be60d61e5

SHA256
87c1987e184a0fb8a60589f173e28f6e6140290d01c5d13ad4833655413f85d7

SHA512
89b3fcdeb688022a8277cdbeba85a5519ec3aafb2001ddeb388b3f41678b1d0dd43d0817847c34622afa1f117de56dc1575cb349f8e0b1c3097dc5a591406ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\27105c50-0b49-4cdd-a88c-f71270436534.vbs

Filesize
703B

MD5
6f99700fc3b219c3f0cb29f21e4f190e

SHA1
b882932e10cfb25fadd8965c845bc820f3b031b4

SHA256
4ea6edc7cc3354eae7c0bdc9f7eba1b478477dff917724244e9335feeb7ff83f

SHA512
f4bc1d53339a830e921d62626cae50311236b62a33818c09db812b273fe10037431cc0ccdc75a65f6353d6c8f65c7b04b8989b3c5e8d8a5b355751d91128c2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f2544cb-ca6e-47bb-a1c8-9cd9d438cc1b.vbs

Filesize
703B

MD5
fbf19d05da66c9046bf69a1ee23c62a0

SHA1
0d9d4cdfefffad12a20b1753e6c02298301b0308

SHA256
8d7d46b042c77bca3180b3ff73c248781d726640332c9ca32ee67156defa61ed

SHA512
e42bd39e16c4a223d19dfadb26b26d072c20202a90930089314086efb865ab4ca5202a213c9a64dac1b0ea33b53b882a67a36ee1acbad0543c44a7f0681afc24

Download Submit
C:\Users\Admin\AppData\Local\Temp\734b04c0-80f9-4290-92af-8dac8ff36483.vbs

Filesize
703B

MD5
bea6906f6ea75d412ed9f0f581a62823

SHA1
dcb1ae4a779475232674f9d09e9e1b8e7762354e

SHA256
aca760f8eac12dd23a03f136950886b300404860db104a613ce04dd853c6b4e0

SHA512
daee229489e42734e33f3113bae526f916d4b7fdbac3d4312f369370915dd9cf7cff4faf5de56d4df2204d92b1323af434c9b8d06cd6fdae49e60884cc192513

Download Submit
C:\Users\Admin\AppData\Local\Temp\76674bb1-e947-4c71-874a-665f69f72356.vbs

Filesize
703B

MD5
deef613f0cfdff670488254f9cf778f9

SHA1
8d18ab133e528e825ae678e214b40e1913449556

SHA256
ac26b15c2e10b9795d0172535f581536e06cf736ede24e44ef4be4d3c4c945b3

SHA512
81b0daa5a86df75d7321bd6ba104bb5cc69c168f04e6903c029e60fbd74e8ebe88cddf8c8fe347c49f7f68868a2fdcf2f6fd1aafdc6701bfb0677afdce42ebd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\85f439cd-126a-4ed0-9b87-346619f8a7cb.vbs

Filesize
703B

MD5
dadb1ad5339f242dfa7b7a7434f59b44

SHA1
e32e26db7591771dcc5dc9ab7ad29029e66bc3cf

SHA256
662a534d87ff7c197edec5ad2a082aaef30b45ef8b8f70954751734987d0483f

SHA512
09600fbd5fdb93b1ef806dc1f6bac761aed2eeea387b23bd9fa6a20713b6cd2169435d5b8ef01b1fe879646d3175148ab4a969d0e165d82a24dcca0a5d98892e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pf3hu4if.pew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1eb45bd-4d73-4dfc-a6c1-f2032a0fddbf.vbs

Filesize
703B

MD5
d1b48bb8a428a9e0cd2f607560fb1090

SHA1
f4eb92f7f6201f9de528f8b7faa56d2e41ee984c

SHA256
a151fe51d902e1eefc716143da71b364f551b4bad425cac06cd727cdece3317e

SHA512
192edf064f890af7124bf010718bfdd8c159152973bffc69a6a91db4eeb5d98bb8ccb42697ed1958252d77c3b750bcb6f2fdaa5ee2b163cbdf36a6640335374e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6055e56-de58-4f91-983e-ee8a45719a1d.vbs

Filesize
703B

MD5
ee5b8d49fbcb1cda7ae4c5745bfd97cb

SHA1
c5ad0f618c8e4fba96ce796f48dc8d21c700ea78

SHA256
a8c60fe898d5dcdc3c69ce999756fa9a9f2ca0dd5ed075081930966da0e66eb7

SHA512
1daaa6d5bc9b1e0b8bd68c18d34a9f43a8634e516bff4f8c50e32bd739c29eae9c34707aa5695c9b53d0f6c0c12ba8e28abac857db8ece05957c96c6c3187b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\a83ad7d0-010d-4cb1-93df-6e75c0bb1fd7.vbs

Filesize
702B

MD5
f517b997d0ba9072baadc864f5b5dba7

SHA1
4f9b15a80dd98683fa87a031374056de89bd0067

SHA256
03cca7be7185b1ddfbaa138fa9e973a3bfed88d917213358142e2707901a3f02

SHA512
0e2a4be50e05d429e674cc673ec074d5ed0f8e9d601097b16642dfdd8bd52296d2d3eda1775f01805917f854b3cebb8215e9f0036a80023037c7112baecb3069

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4b96137-9723-48d9-bdd1-97a1a04d80b0.vbs

Filesize
703B

MD5
c30db83767d5a30c32191c914852c6b7

SHA1
751b8f02a9b3a1bdab43346c6ad2eba7b6b3d561

SHA256
6f73945e20cd0e28c8ca513961ec2d292607957d608a8ddf1747540d8decb5d0

SHA512
a810c2e542e0f01a3390e92513a090aa2a60c2f7f2da1111b1b4d9468d5b24ab1d43c4681c0a5058dd564b33f8e2a97ca155701b8c92a4e063895ca21ffa6888

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef8e7fcc-746c-431e-b41f-95beff870786.vbs

Filesize
703B

MD5
1073480bc592ae9140738b1e93b7db52

SHA1
71cdd4eb32ab1a66ffa67aff1a5877437d84dc38

SHA256
6834b4445773ba45e47d5488f1a24d42824042bad0ca567b1b6fc9bfe64b4ff3

SHA512
c154b4fb97e1ff6a6e5f3acbc8c3b99af62f0bd0d9c5f89502ab578d02b87612c9f903ae3c3459e7b93cf15d7f8b70ad031e4f8592cb04b3387cf63c415cf5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9d34d01-0e03-484b-9822-6a9b89e3f818.vbs

Filesize
703B

MD5
53285bf6686b0cb4c183733c07a2cd5d

SHA1
f5f1ebbc749ba8eecea6fb4588e3c4beb2c209c5

SHA256
34a82921dc7e293815a87b8c6e23250bc38fe8c9d94b0ebdd64210ad10427bbe

SHA512
b3fcd4c28e4a272b2614a7be84ac3904383c3cd98872b1ca43ad62ffd7af28a23e8ee584cfb5e023043e2698d9c0fb41ef95d9bf090d044d931c4d4380082443

Download Submit
C:\Windows\appcompat\appraiser\Telemetry\csrss.exe

Filesize
1.6MB

MD5
8f88604122219b81f77009b776f72070

SHA1
a64c9d6a3c364bd9bd1a4f66b7e64e71440b76f7

SHA256
01c2b2026a7528a7666a674fec6c3d4f6cc6ae208de6501334f0bbd4f8bfe27d

SHA512
d3992d05071f985fe073f485e7f84251bc917f10aadb23181ad9924fdec055684167a21ff750633bdcd81e83397e988fb03e80f7be785953175574d19414e1a8

Download Submit
memory/1660-12-0x000000001B810000-0x000000001B81A000-memory.dmp

Filesize
40KB

Download
memory/1660-15-0x000000001BA40000-0x000000001BA48000-memory.dmp

Filesize
32KB

Download
memory/1660-0-0x00007FF8AC0E3000-0x00007FF8AC0E5000-memory.dmp

Filesize
8KB

Download
memory/1660-247-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1660-186-0x00007FF8AC0E3000-0x00007FF8AC0E5000-memory.dmp

Filesize
8KB

Download
memory/1660-6-0x0000000002690000-0x00000000026A6000-memory.dmp

Filesize
88KB

Download
memory/1660-9-0x00000000026B0000-0x00000000026B8000-memory.dmp

Filesize
32KB

Download
memory/1660-10-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/1660-11-0x000000001B800000-0x000000001B80C000-memory.dmp

Filesize
48KB

Download
memory/1660-1-0x00000000003C0000-0x0000000000562000-memory.dmp

Filesize
1.6MB

Download
memory/1660-14-0x000000001BA30000-0x000000001BA38000-memory.dmp

Filesize
32KB

Download
memory/1660-386-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/1660-16-0x000000001BA50000-0x000000001BA5A000-memory.dmp

Filesize
40KB

Download
memory/1660-17-0x000000001BA60000-0x000000001BA6C000-memory.dmp

Filesize
48KB

Download
memory/1660-13-0x000000001B820000-0x000000001B82E000-memory.dmp

Filesize
56KB

Download
memory/1660-7-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/1660-8-0x000000001B7F0000-0x000000001B800000-memory.dmp

Filesize
64KB

Download
memory/1660-3-0x0000000002640000-0x000000000265C000-memory.dmp

Filesize
112KB

Download
memory/1660-4-0x000000001B830000-0x000000001B880000-memory.dmp

Filesize
320KB

Download
memory/1660-5-0x0000000000E30000-0x0000000000E40000-memory.dmp

Filesize
64KB

Download
memory/1660-2-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/3624-262-0x000001D1AFFB0000-0x000001D1AFFD2000-memory.dmp

Filesize
136KB

Download