dcrat | a1ddae9574bbeadd40b789fc8c7719b47c0d4bd8ed93abbd1d07f7e866ac40a6

Analysis

max time kernel
49s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
Size

1.6MB
MD5

1537a2448a3278776c0ad106d583bf42
SHA1

3374a83147189b932096d99e2f34c5c185611242
SHA256

9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a
SHA512

51dab8150cfc0f8c830a3d583e53e6a89a9f05c95daf84dee27cabcd43e03ee2953391d25b366a4a902e6cae6e8b1d05a4eae832d4d51f9e47869ca984e9d10a
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4980	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4980	schtasks.exe	86

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral30/memory/3796-1-0x0000000000680000-0x0000000000822000-memory.dmp	dcrat
behavioral30/files/0x00070000000240ce-26.dat	dcrat
behavioral30/files/0x000800000001dab1-132.dat	dcrat
behavioral30/files/0x000400000001e582-207.dat	dcrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
60	3092	fontdrvhost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2364	powershell.exe
2548	powershell.exe
2772	powershell.exe
3092	powershell.exe
4144	powershell.exe
3188	powershell.exe
3124	powershell.exe
4568	powershell.exe
652	powershell.exe
2552	powershell.exe
408	powershell.exe
676	powershell.exe
1676	powershell.exe
4184	powershell.exe
536	powershell.exe
4796	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 4 IoCs

pid	Process
3820	fontdrvhost.exe
5368	fontdrvhost.exe
3092	fontdrvhost.exe
5672	fontdrvhost.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\RuntimeBroker.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\MSBuild\RuntimeBroker.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6203df4a6bafc7	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\VideoLAN\VLC\skins\5b884080fd4f94	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXBDD8.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXBDD9.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Google\Chrome\csrss.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\ModifiableWindowsApps\SearchApp.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\MSBuild\9e8d7a4ca61bd9	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCXCBA0.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXDA70.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXDA71.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\MSBuild\RCXBBB3.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\Google\Chrome\886983d96e3d3e	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\121e5b5079f7c0	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXC98B.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\Google\Chrome\csrss.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\MSBuild\RCXBBB4.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXC98A.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCXCB9F.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\Sorting\RCXC28F.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXC4C4.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Windows\Globalization\Sorting\taskhostw.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Windows\Downloaded Program Files\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Windows\PLA\Reports\fr-FR\backgroundTaskHost.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Windows\Tasks\sysmon.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCXC29F.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\Globalization\Sorting\taskhostw.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\backgroundTaskHost.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\Tasks\RCXD2BB.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Windows\Globalization\Sorting\ea9f0e6c9e2dcd	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Windows\Downloaded Program Files\d6580cddd16b40	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Windows\Tasks\121e5b5079f7c0	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\Downloaded Program Files\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\RCXCE23.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\Tasks\RCXD2BA.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\Tasks\sysmon.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Windows\PLA\Reports\fr-FR\eddb19405b7ce1	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXC4C3.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\RCXCE22.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
2288	schtasks.exe
3092	schtasks.exe
4988	schtasks.exe
652	schtasks.exe
848	schtasks.exe
1756	schtasks.exe
3352	schtasks.exe
3228	schtasks.exe
1332	schtasks.exe
1892	schtasks.exe
408	schtasks.exe
5044	schtasks.exe
1812	schtasks.exe
3316	schtasks.exe
2840	schtasks.exe
3252	schtasks.exe
2592	schtasks.exe
232	schtasks.exe
3416	schtasks.exe
1192	schtasks.exe
2548	schtasks.exe
2348	schtasks.exe
216	schtasks.exe
4768	schtasks.exe
4308	schtasks.exe
3948	schtasks.exe
4796	schtasks.exe
1676	schtasks.exe
1584	schtasks.exe
1936	schtasks.exe
1728	schtasks.exe
1188	schtasks.exe
4032	schtasks.exe
3712	schtasks.exe
4628	schtasks.exe
3348	schtasks.exe
1956	schtasks.exe
1804	schtasks.exe
924	schtasks.exe
2280	schtasks.exe
2248	schtasks.exe
2468	schtasks.exe
2748	schtasks.exe
3808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
3092	powershell.exe
3092	powershell.exe
3188	powershell.exe
3188	powershell.exe
2552	powershell.exe
2552	powershell.exe
4144	powershell.exe
4144	powershell.exe
536	powershell.exe
536	powershell.exe
4568	powershell.exe
4568	powershell.exe
4184	powershell.exe
4184	powershell.exe
3124	powershell.exe
3124	powershell.exe
408	powershell.exe
408	powershell.exe
652	powershell.exe
652	powershell.exe
676	powershell.exe
676	powershell.exe
1676	powershell.exe
1676	powershell.exe
2772	powershell.exe
2772	powershell.exe
2364	powershell.exe
2364	powershell.exe
2548	powershell.exe
2548	powershell.exe
4796	powershell.exe
4796	powershell.exe
408	powershell.exe
1676	powershell.exe
2548	powershell.exe
2552	powershell.exe
2552	powershell.exe
3188	powershell.exe
3188	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	3820	fontdrvhost.exe
Token: SeDebugPrivilege	5368	fontdrvhost.exe
Token: SeDebugPrivilege	3092	fontdrvhost.exe
Token: SeDebugPrivilege	5672	fontdrvhost.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 3092	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	137
PID 3796 wrote to memory of 3092	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	137
PID 3796 wrote to memory of 4184	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	138
PID 3796 wrote to memory of 4184	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	138
PID 3796 wrote to memory of 536	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	139
PID 3796 wrote to memory of 536	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	139
PID 3796 wrote to memory of 4144	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	140
PID 3796 wrote to memory of 4144	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	140
PID 3796 wrote to memory of 3188	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	141
PID 3796 wrote to memory of 3188	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	141
PID 3796 wrote to memory of 2552	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	142
PID 3796 wrote to memory of 2552	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	142
PID 3796 wrote to memory of 4796	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	143
PID 3796 wrote to memory of 4796	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	143
PID 3796 wrote to memory of 2364	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	144
PID 3796 wrote to memory of 2364	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	144
PID 3796 wrote to memory of 408	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	145
PID 3796 wrote to memory of 408	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	145
PID 3796 wrote to memory of 3124	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	146
PID 3796 wrote to memory of 3124	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	146
PID 3796 wrote to memory of 4568	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	147
PID 3796 wrote to memory of 4568	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	147
PID 3796 wrote to memory of 652	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	148
PID 3796 wrote to memory of 652	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	148
PID 3796 wrote to memory of 676	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	149
PID 3796 wrote to memory of 676	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	149
PID 3796 wrote to memory of 1676	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	150
PID 3796 wrote to memory of 1676	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	150
PID 3796 wrote to memory of 2772	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	151
PID 3796 wrote to memory of 2772	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	151
PID 3796 wrote to memory of 2548	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	152
PID 3796 wrote to memory of 2548	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	152
PID 3796 wrote to memory of 3048	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	169
PID 3796 wrote to memory of 3048	3796	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	169
PID 3048 wrote to memory of 5576	3048	cmd.exe	171
PID 3048 wrote to memory of 5576	3048	cmd.exe	171
PID 3048 wrote to memory of 3820	3048	cmd.exe	173
PID 3048 wrote to memory of 3820	3048	cmd.exe	173
PID 3820 wrote to memory of 5160	3820	fontdrvhost.exe	174
PID 3820 wrote to memory of 5160	3820	fontdrvhost.exe	174
PID 3820 wrote to memory of 5260	3820	fontdrvhost.exe	175
PID 3820 wrote to memory of 5260	3820	fontdrvhost.exe	175
PID 5160 wrote to memory of 5368	5160	WScript.exe	176
PID 5160 wrote to memory of 5368	5160	WScript.exe	176
PID 5368 wrote to memory of 5400	5368	fontdrvhost.exe	177
PID 5368 wrote to memory of 5400	5368	fontdrvhost.exe	177
PID 5368 wrote to memory of 3220	5368	fontdrvhost.exe	178
PID 5368 wrote to memory of 3220	5368	fontdrvhost.exe	178
PID 5400 wrote to memory of 3092	5400	WScript.exe	211
PID 5400 wrote to memory of 3092	5400	WScript.exe	211
PID 3092 wrote to memory of 5744	3092	fontdrvhost.exe	185
PID 3092 wrote to memory of 5744	3092	fontdrvhost.exe	185
PID 3092 wrote to memory of 1060	3092	fontdrvhost.exe	186
PID 3092 wrote to memory of 1060	3092	fontdrvhost.exe	186
PID 5744 wrote to memory of 5672	5744	WScript.exe	191
PID 5744 wrote to memory of 5672	5744	WScript.exe	191
PID 5672 wrote to memory of 2536	5672	fontdrvhost.exe	192
PID 5672 wrote to memory of 2536	5672	fontdrvhost.exe	192
PID 5672 wrote to memory of 3388	5672	fontdrvhost.exe	193
PID 5672 wrote to memory of 3388	5672	fontdrvhost.exe	193

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
"C:\Users\Admin\AppData\Local\Temp\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\fr-FR\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9LsWxqGeQz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5576
- - C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
    "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad864412-1d0b-40e6-b7a8-3dcba908c246.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5160
    - - C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5368
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec2d0873-c796-4c2a-a251-43ebbe3b0ff3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5400
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        7⤵
        Blocklisted process makes network request
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1912e1f-8b6b-40ce-8f05-f851fe9530f2.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5744
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f425322-e580-4881-9740-b2fa959d8b37.vbs"
        10⤵
        
        PID:2536
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        11⤵
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea5dd2c6-2f60-4101-a4c6-cfbee4effa34.vbs"
        12⤵
        
        PID:6108
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        13⤵
        
        PID:5220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\143d88f3-d615-45db-8915-d15e65c2229b.vbs"
        14⤵
        
        PID:5328
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        15⤵
        
        PID:5392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2c4297f-2f16-4267-abb0-a5a7ca02f7c1.vbs"
        16⤵
        
        PID:5444
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        17⤵
        
        PID:3760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5ee2f3e-07d2-41ff-acfd-7ada995b38a8.vbs"
        18⤵
        
        PID:5048
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        19⤵
        
        PID:5864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2cc13ca-020c-432d-be79-d6c1110c215d.vbs"
        20⤵
        
        PID:4276
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        21⤵
        
        PID:5784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c21cb71-0225-402e-a6b4-78c049389884.vbs"
        22⤵
        
        PID:3092
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        23⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0750f6b5-5fc5-4f6b-b7bc-376ed543d541.vbs"
        24⤵
        
        PID:2744
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        25⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8d0dbba-97e5-434b-b91a-c63ff14cd654.vbs"
        26⤵
        
        PID:1520
        
        C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe"
        27⤵
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daa34029-69b9-4988-9909-64de54e69cdf.vbs"
        28⤵
        
        PID:3596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fc269ec-a9d6-4ee4-9b3c-e526897eb671.vbs"
        28⤵
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da19d123-8a01-49c4-b4cf-372eccee2585.vbs"
        26⤵
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8932ff6c-3f62-4300-8a55-72cea4e2fbda.vbs"
        24⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\433decd5-24de-4f88-96db-dd7ebc1e6b20.vbs"
        22⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8c78d7e-3db0-4934-87a6-25373f483d5d.vbs"
        20⤵
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c83612-8151-463d-92d7-c1f5ffcd2edd.vbs"
        18⤵
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1c8ec38-0465-4250-9c3f-4ed352c9ea94.vbs"
        16⤵
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3f7db39-d31d-4fd6-8357-af22d368d036.vbs"
        14⤵
        
        PID:5288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a05d6f8-035c-45f4-995c-233800f1d025.vbs"
        12⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3d06bd6-d8a2-486a-a79c-acf7c6eed99d.vbs"
        10⤵
        
        PID:3388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82d7454b-9b63-4359-8b25-aceaf183a8d4.vbs"
        8⤵
        
        PID:1060
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a24a6a3-0ff9-4047-9892-1e71b52da37c.vbs"
        6⤵
        
        PID:3220
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d47d0623-ffa7-4a2b-82c4-063dbfdf6706.vbs"
      4⤵
      PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\0154351536fc379faee1\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\0154351536fc379faee1\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\0154351536fc379faee1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Sorting\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Sorting\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a9" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a9" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\skins\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\fr-FR\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Reports\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\0154351536fc379faee1\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\0154351536fc379faee1\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Tasks\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\RCXD7BF.tmp

Filesize
1.6MB

MD5
7f8694303ee286c1cfaa46d0cd4472ca

SHA1
a9f2f2f154140c5a201fd8770791fd6ab388abe4

SHA256
7f7d0b8649539adb7141369ba1e30edf9ec7d8ac0b9c44c092624df4d7315644

SHA512
2263f7412e6615e9dd6faca053b04706411a97d66898541ba166ea11a0dcfbf62c4af19b2539f8c4f1e4c5a75ecc5245c24f8f8fbf7813cb16bd72fbdc922247

Download Submit
C:\3ac54ddf2ad44faa6035cf\taskhostw.exe

Filesize
1.6MB

MD5
112a3c51199bae5f6bb72705a5ffcf08

SHA1
c8db321b15f062d21744906e3c2101f99f655c8b

SHA256
3171e367425ba974a84976b3fdcf7bd3637bf76329f3c7dfca9fac8eb056b822

SHA512
79c95044b67219bb6b5f311a8a1e93a2b0da5ff5e57f7c086c7081ee7de26d4c150606a166f9b0b79351d01d6402e611cb306f1ebc7595e5780de898883e5654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9191187d695b2965f2ceb651f0b37ee8

SHA1
b50a4038fb94c8aa7cff8d6941a4329b5b2ae8c7

SHA256
654a46452391ae3310ff9c6a4c820774e950276014fea044c41f007f6c335833

SHA512
90094f44f83470c88c4fcecb239f70e8e791b3b3da628c00676e3c4791766808b4e31c12beef2a7bc7d6a12d05bd8150888461ed1ef7e9eebc8697f6955d63bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6b097b3e3e3911971243ad921c41967f

SHA1
006f7002f8aadf9c6ef2753b7d89d35899924a2e

SHA256
e7ca42d3072d5fb73ed8abdce1332805bbb5ab4c4c1359c1ebfbebd7317dc390

SHA512
069faeccf5c6ab83594d43b6ae553c2c8ded4ce672d9dd99fbc21e90f9829427d0f32536d874529dc3a2d246c0efe3aab50940a796b97632d66d3a169d91e0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a16aff60eb3c3e35753a259b050c8a27

SHA1
85196d5dfb23d0c8b32b186325e2d58315a11287

SHA256
a057f85fa5358fac25f1337c1fbabeffb1ca1908b352208038293ec575dfc206

SHA512
13e6514cddaafba8f4fe3b08f6d6e118823ad454aac4efcb71a82438de50f97cd9570f44d594db27e4c534912a12ed066ea098b95505a6994f854f8349f2f5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c87ff349c47ae6e678ea72feb4bb181

SHA1
0668dc890d29354fbb86cfaeae5363d9f2c1fdc8

SHA256
68decb0f61e56ef1ad4a9c69e0c496ac30ead7bdb15ae2830a01a21cb4c243fc

SHA512
32a9a76ddc1de0612c74ce170e86e716fde003306c202c68573ce4dcbb58e2ff59b7bdff77e4c259c869f4443e2c6aa023d1fcae6857ea36e4bf8a3110b58fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c3cddab7d289f65843ac7ee436ff50d

SHA1
19046a0dc416df364c3be08b72166becf7ed9ca9

SHA256
c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1

SHA512
45c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\0750f6b5-5fc5-4f6b-b7bc-376ed543d541.vbs

Filesize
727B

MD5
278e5e8a50b22ec2808ded53012598a4

SHA1
2987b86215b02d75fdbbcc5215d667474ddcd630

SHA256
4d5681609bcfd56784eb7de61bca38cae974272d58d54fdc093092c8b43b2250

SHA512
c434314f14f92c883f51cb5480dc2acce35c140ab306dc2a595075d1dc96eadd52556eff28d098b1f15b9b6cedb7200b847aefe838e5cbc732f3122582ee8641

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f425322-e580-4881-9740-b2fa959d8b37.vbs

Filesize
727B

MD5
aa3c941d9ca545bc0c2e38f57ec88efe

SHA1
21b46a98df0be2e1319469a7786f3c2fb8c7da69

SHA256
3e7fd9dc9a3bbf3066a5890dd797d7b55171cee15681116fe6fbbc43c8edbd48

SHA512
9e03abc060ae3f362152672129653b3145b197dab621e76476bc2a56f68dc7bb827c3163fd8e05c18881ec1f9748d78aead6b73f429900439cf5a73d05620995

Download Submit
C:\Users\Admin\AppData\Local\Temp\143d88f3-d615-45db-8915-d15e65c2229b.vbs

Filesize
727B

MD5
a64f42a3c3be95bd7dac7221001c7ba3

SHA1
edeaaf6b2e559394d41f1972f57437c560e3c7f6

SHA256
5f1ce76ff4a924cb4789a05d247fa7cb8ee14eae5e3b97fb588ce69110550e1a

SHA512
8e45af1a844e063e83369bdf13685e0e09116cbefe9367bd42c32899012ea9ed34560bf27188a1706503cd413ca5abcc4320de1e6741e6aa8aa95d6f8963f340

Download Submit
C:\Users\Admin\AppData\Local\Temp\9LsWxqGeQz.bat

Filesize
216B

MD5
18ec006330fc148a4c3b4cc6c1ce2787

SHA1
7129404ff9e9a7141e59b7de37650a4cfd22449a

SHA256
2ac20eeacf9a01de2a505be3d20c0641303c25713574be340023d04b45a09ae5

SHA512
da7903cde7dba5eb5cdbd4587c615bec69c13dd2fee9ec217b3727a56122a3964659e3be1d170ce2db68b6ce9754f4bddfe48bd636b9f16c58a7fb921250e30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c21cb71-0225-402e-a6b4-78c049389884.vbs

Filesize
727B

MD5
dfcda554f3205c624b47289d82065e0f

SHA1
7f33b4efbf5368ca7e5346c99a35ec1a2a9fd8f6

SHA256
a3b692d84848ff90a9d35abceaf59ce0d80f9ac78ffe78803bc3d4c59a316a37

SHA512
4f30c70d71bb14591074428d727e8ffccb35589d8d69ef23f9b9c4dc0b22efb3a272ce984a5a34c410fb7c5ef7438aa26772d7b8d484d608ae84d517ab74ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfy1iwhr.exa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2cc13ca-020c-432d-be79-d6c1110c215d.vbs

Filesize
727B

MD5
9ca260e6c6e5fb58354b027f4721d242

SHA1
fca4e7432bbed25a453eb5445e3f7ced7f5a95ee

SHA256
9fd6321e25ad6371794dbe2447ee8b1d035e39b1ecf9e005821591c14a3ed036

SHA512
01c4ad69848462183b12f0e62cb0071c7931f911c6bef1a876585389a0244acee3ae5eea7dc2bb8f9246c762537c108a06de9e2e93ba634e703f772e97cc3b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8d0dbba-97e5-434b-b91a-c63ff14cd654.vbs

Filesize
727B

MD5
140120676bfe6b9e24c060669ff6a2ab

SHA1
b53e3f37f10d3a83d3a44a33fff5aecaeddb2890

SHA256
19592ed719a931caf727417acd47343e52caa505b9bb29730f3b0abd6a8deff6

SHA512
7020d59c754136aa4ee9bc2340f455a5702d13103428bbd1c74cc518bf6776c0fa56e6121d3ff7382a6867988105cf50f970affee3523fc0893a7a2e5a24bec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad864412-1d0b-40e6-b7a8-3dcba908c246.vbs

Filesize
727B

MD5
5024abf9b3ce834c1ebcc39f53f27a94

SHA1
34f54134543d932232f675c97bcf7dcdd86ba019

SHA256
c0d46bffa9e2e6d842754372c108406199b0045143f84b844b50565e8d6b5734

SHA512
9fe1da16ac9c35f61ae15565a8f1e0742512e8ea4309f0b933413c7c65c35a7d4577549a9a1acfd72d9fe0f63a9efa9d98b6f49db68387c66e0719edfcf6edc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1912e1f-8b6b-40ce-8f05-f851fe9530f2.vbs

Filesize
727B

MD5
120af05685c878681f55b8674216bf32

SHA1
01c843783e1f498eb5af4da5bad2c9570947a698

SHA256
939cb72e04da4321fb09948659cf3afeae9841179e0a424cb721a6c3891e5f44

SHA512
7681e4a8c7810212da8f6de28fb6134fa5e454ed30d164abb7e63245ead8cdb23cdda607ccca3b4efbff61710b043ba8e2b37ffaf98662b2f3a03f82b9693c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2c4297f-2f16-4267-abb0-a5a7ca02f7c1.vbs

Filesize
727B

MD5
89eb0d04206b6b9cee2ccf40e5aaadab

SHA1
3ea80283a024636acadef6ebb643d5384f961cce

SHA256
5d742c0cb2c26cffb8b81350ef4c165e624e1bce73eba0521592188128f80dad

SHA512
6e1969e9a13c07317438e5feb859603fa40271b723b9f94380f076fca6f47ebbaf9b349a82f933218a5e130055951e78381ddeb4c2eb6d0f1ab822f1e0271f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d47d0623-ffa7-4a2b-82c4-063dbfdf6706.vbs

Filesize
503B

MD5
f4df08bb118332f57e4b12666debd596

SHA1
e6efb311401d7b67e237c4622fa06d5b904e362a

SHA256
0753d6a1e8e53ac446c13522aa5ba2c1e72c48ffd33600de242245486aed9e34

SHA512
e3dfc08e194458d909022f69134965da56a4e0a385876db9cac22349890c300ed8c10f6fc7872d9e9f9bf12b66feb26b9b2e64ea1f980fa5ac47a0fadc74aaed

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5ee2f3e-07d2-41ff-acfd-7ada995b38a8.vbs

Filesize
727B

MD5
7ae3f732e10d2ab453196f08e5eb2bff

SHA1
af92cc6eb69d8d26c5283d22a7e37e1d5b563cdd

SHA256
f23e7d759db127f5b8ae0caafaab5db0700b41ea70ef180e1848ceb76be2ab13

SHA512
e6dcd6ddc781e955050ae75a3400af08165276badbcac8ce1aa77320f7a236e7c6eab71880f135c44ae5f81b1e4e280e572ee903d1b8630696fe7ce21540c9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea5dd2c6-2f60-4101-a4c6-cfbee4effa34.vbs

Filesize
726B

MD5
f21be0a1864712db39b2de0e77941d7c

SHA1
b288673b775a25edbad301ebaf87976927681709

SHA256
e678182aa718bbf49174691364deaef7c414c6543e7059377b3959d05c0cd1f6

SHA512
1264076ca3a781b0008846af4805aa47e54ac005f12458866c138bc1fcb5233b6c59d44719529fe857ff4469b2eed91e634a22f03d0be4318f51338d1520f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec2d0873-c796-4c2a-a251-43ebbe3b0ff3.vbs

Filesize
727B

MD5
e5cd827a58d50c7a7e67d2cb2de923d5

SHA1
a78236d6d5f223d3bf9875423f25191d04ef7c0e

SHA256
27cbfb5f77116a604b13b46928f2ee3df01b480859a7d4e7469343ed1f715684

SHA512
8c57993f19321403fb31cfa58df2c8992f5db14cb34e9b54624588412d1198227a895fdfc778a89738e509ad679a6178f0becd34ad11f294a1ea7449a4041ea9

Download Submit
C:\Windows\Globalization\Sorting\taskhostw.exe

Filesize
1.6MB

MD5
1537a2448a3278776c0ad106d583bf42

SHA1
3374a83147189b932096d99e2f34c5c185611242

SHA256
9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a

SHA512
51dab8150cfc0f8c830a3d583e53e6a89a9f05c95daf84dee27cabcd43e03ee2953391d25b366a4a902e6cae6e8b1d05a4eae832d4d51f9e47869ca984e9d10a

Download Submit
memory/3188-243-0x0000022FE7290000-0x0000022FE72B2000-memory.dmp

Filesize
136KB

Download
memory/3796-0-0x00007FFAA5E13000-0x00007FFAA5E15000-memory.dmp

Filesize
8KB

Download
memory/3796-13-0x000000001BCE0000-0x000000001BCEE000-memory.dmp

Filesize
56KB

Download
memory/3796-10-0x000000001B3A0000-0x000000001B3AC000-memory.dmp

Filesize
48KB

Download
memory/3796-9-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/3796-6-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/3796-8-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/3796-7-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/3796-17-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/3796-15-0x000000001BD00000-0x000000001BD08000-memory.dmp

Filesize
32KB

Download
memory/3796-3-0x0000000001050000-0x000000000106C000-memory.dmp

Filesize
112KB

Download
memory/3796-262-0x00007FFAA5E10000-0x00007FFAA68D1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-11-0x000000001BCC0000-0x000000001BCCC000-memory.dmp

Filesize
48KB

Download
memory/3796-5-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/3796-215-0x00007FFAA5E10000-0x00007FFAA68D1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-4-0x000000001BB30000-0x000000001BB80000-memory.dmp

Filesize
320KB

Download
memory/3796-14-0x000000001BCF0000-0x000000001BCF8000-memory.dmp

Filesize
32KB

Download
memory/3796-192-0x00007FFAA5E13000-0x00007FFAA5E15000-memory.dmp

Filesize
8KB

Download
memory/3796-16-0x000000001BD10000-0x000000001BD1A000-memory.dmp

Filesize
40KB

Download
memory/3796-2-0x00007FFAA5E10000-0x00007FFAA68D1000-memory.dmp

Filesize
10.8MB

Download
memory/3796-1-0x0000000000680000-0x0000000000822000-memory.dmp

Filesize
1.6MB

Download
memory/3796-12-0x000000001BCD0000-0x000000001BCDA000-memory.dmp

Filesize
40KB

Download