dcrat | b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Size

1.7MB
MD5

9dd2bc624ea9c953ff5621fef397066b
SHA1

e4ea9a4db77e4a5b3f062d4a3bbe10aa04913593
SHA256

b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6
SHA512

c63117abd2afa7b97afa1439b44412439bf5c0608fdcd4d45fce397d1a2e30766e2df0a19fafcb43b3cf657abe379848dbed4eaa666474be19ec52b7e7740a12
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	1408	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	1408	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4000-1-0x00000000008A0000-0x0000000000A60000-memory.dmp	dcrat
behavioral2/files/0x000b000000023b8c-33.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1208	powershell.exe
3172	powershell.exe
3744	powershell.exe
1072	powershell.exe
1860	powershell.exe
4532	powershell.exe
5072	powershell.exe
1388	powershell.exe
4384	powershell.exe
3796	powershell.exe
1952	powershell.exe
2392	powershell.exe
3952	powershell.exe
4380	powershell.exe
4404	powershell.exe
4132	powershell.exe
2136	powershell.exe
2920	powershell.exe
2976	powershell.exe
5112	powershell.exe
980	powershell.exe
1152	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Executes dropped EXE 11 IoCs

pid	Process
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4628	taskhostw.exe
2260	taskhostw.exe
3452	taskhostw.exe
2332	taskhostw.exe
4352	taskhostw.exe
1720	taskhostw.exe
4528	taskhostw.exe
3444	taskhostw.exe
4768	taskhostw.exe
384	taskhostw.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\ea9f0e6c9e2dcd	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Google\Chrome\Application\38384e6a620884	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXAE57.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXAE67.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\27d1bcfc3c54e0	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\SearchApp.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Google\Chrome\Application\SearchApp.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\dllhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\AppReadiness\5940a34987c991	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\AppReadiness\RCXB07C.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\AppReadiness\RCXB07D.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\AppReadiness\dllhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\PLA\Reports\it-IT\WmiPrvSE.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\WmiPrvSE.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\PLA\Reports\it-IT\24dbde2999530e	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	taskhostw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4840	schtasks.exe
1016	schtasks.exe
4368	schtasks.exe
4528	schtasks.exe
2780	schtasks.exe
4964	schtasks.exe
2996	schtasks.exe
488	schtasks.exe
4324	schtasks.exe
5096	schtasks.exe
2344	schtasks.exe
3180	schtasks.exe
1612	schtasks.exe
2020	schtasks.exe
3756	schtasks.exe
1344	schtasks.exe
2716	schtasks.exe
2152	schtasks.exe
4408	schtasks.exe
3532	schtasks.exe
5032	schtasks.exe
4240	schtasks.exe
3508	schtasks.exe
5024	schtasks.exe
5016	schtasks.exe
4256	schtasks.exe
3124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2976	powershell.exe
2976	powershell.exe
5112	powershell.exe
5112	powershell.exe
5072	powershell.exe
5072	powershell.exe
3952	powershell.exe
3952	powershell.exe
4532	powershell.exe
4532	powershell.exe
1388	powershell.exe
1388	powershell.exe
3744	powershell.exe
3744	powershell.exe
1072	powershell.exe
1072	powershell.exe
980	powershell.exe
980	powershell.exe
1860	powershell.exe
1860	powershell.exe
2392	powershell.exe
2392	powershell.exe
1072	powershell.exe
2976	powershell.exe
1388	powershell.exe
5072	powershell.exe
3952	powershell.exe
4532	powershell.exe
5112	powershell.exe
3744	powershell.exe
980	powershell.exe
2392	powershell.exe
1860	powershell.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	4628	taskhostw.exe
Token: SeDebugPrivilege	2260	taskhostw.exe
Token: SeDebugPrivilege	3452	taskhostw.exe
Token: SeDebugPrivilege	2332	taskhostw.exe
Token: SeDebugPrivilege	4352	taskhostw.exe
Token: SeDebugPrivilege	1720	taskhostw.exe
Token: SeDebugPrivilege	4528	taskhostw.exe
Token: SeDebugPrivilege	3444	taskhostw.exe
Token: SeDebugPrivilege	4768	taskhostw.exe
Token: SeDebugPrivilege	384	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2392	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	97
PID 4000 wrote to memory of 2392	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	97
PID 4000 wrote to memory of 4532	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	98
PID 4000 wrote to memory of 4532	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	98
PID 4000 wrote to memory of 2976	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	99
PID 4000 wrote to memory of 2976	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	99
PID 4000 wrote to memory of 3952	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	100
PID 4000 wrote to memory of 3952	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	100
PID 4000 wrote to memory of 1388	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	101
PID 4000 wrote to memory of 1388	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	101
PID 4000 wrote to memory of 980	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	103
PID 4000 wrote to memory of 980	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	103
PID 4000 wrote to memory of 5072	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	104
PID 4000 wrote to memory of 5072	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	104
PID 4000 wrote to memory of 1860	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	105
PID 4000 wrote to memory of 1860	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	105
PID 4000 wrote to memory of 1072	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	106
PID 4000 wrote to memory of 1072	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	106
PID 4000 wrote to memory of 5112	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	107
PID 4000 wrote to memory of 5112	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	107
PID 4000 wrote to memory of 3744	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	108
PID 4000 wrote to memory of 3744	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	108
PID 4000 wrote to memory of 4588	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	119
PID 4000 wrote to memory of 4588	4000	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	119
PID 4588 wrote to memory of 5104	4588	cmd.exe	121
PID 4588 wrote to memory of 5104	4588	cmd.exe	121
PID 4588 wrote to memory of 4408	4588	cmd.exe	128
PID 4588 wrote to memory of 4408	4588	cmd.exe	128
PID 4408 wrote to memory of 1952	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	146
PID 4408 wrote to memory of 1952	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	146
PID 4408 wrote to memory of 3172	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	147
PID 4408 wrote to memory of 3172	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	147
PID 4408 wrote to memory of 3796	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	148
PID 4408 wrote to memory of 3796	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	148
PID 4408 wrote to memory of 4404	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	150
PID 4408 wrote to memory of 4404	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	150
PID 4408 wrote to memory of 2920	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	151
PID 4408 wrote to memory of 2920	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	151
PID 4408 wrote to memory of 4384	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	153
PID 4408 wrote to memory of 4384	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	153
PID 4408 wrote to memory of 2136	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	154
PID 4408 wrote to memory of 2136	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	154
PID 4408 wrote to memory of 1208	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	155
PID 4408 wrote to memory of 1208	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	155
PID 4408 wrote to memory of 4132	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	156
PID 4408 wrote to memory of 4132	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	156
PID 4408 wrote to memory of 4380	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	157
PID 4408 wrote to memory of 4380	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	157
PID 4408 wrote to memory of 1152	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	158
PID 4408 wrote to memory of 1152	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	158
PID 4408 wrote to memory of 4628	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	169
PID 4408 wrote to memory of 4628	4408	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	169
PID 4628 wrote to memory of 3032	4628	taskhostw.exe	174
PID 4628 wrote to memory of 3032	4628	taskhostw.exe	174
PID 4628 wrote to memory of 1424	4628	taskhostw.exe	175
PID 4628 wrote to memory of 1424	4628	taskhostw.exe	175
PID 3032 wrote to memory of 2260	3032	WScript.exe	176
PID 3032 wrote to memory of 2260	3032	WScript.exe	176
PID 2260 wrote to memory of 3656	2260	taskhostw.exe	180
PID 2260 wrote to memory of 3656	2260	taskhostw.exe	180
PID 2260 wrote to memory of 2236	2260	taskhostw.exe	181
PID 2260 wrote to memory of 2236	2260	taskhostw.exe	181
PID 3656 wrote to memory of 3452	3656	WScript.exe	183
PID 3656 wrote to memory of 3452	3656	WScript.exe	183

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
"C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\58NgmlZn37.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5104
- - C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
    "C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b094169-fcc3-4a1c-8077-bf473541f42c.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efb81e9e-2aea-4ec6-8709-1ad745f7eb4d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84b698b9-fe85-40d7-a524-9318c0e9307a.vbs"
        9⤵
        
        PID:2032
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70051088-a9f2-446f-8177-43e4a0af6bcb.vbs"
        11⤵
        
        PID:764
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11dd9782-7014-452e-b39a-1979f233c8e1.vbs"
        13⤵
        
        PID:904
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\842169aa-427f-489c-ad4b-0a6b4ea93d33.vbs"
        15⤵
        
        PID:2240
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72e78af2-b523-4432-95a4-6602aad81024.vbs"
        17⤵
        
        PID:4904
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ef3e56f-6dd5-401d-aeff-7b2316b615f8.vbs"
        19⤵
        
        PID:1924
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b0609f8-e9ce-4525-b275-dda0b8203146.vbs"
        21⤵
        
        PID:2864
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c248b9a8-0578-479a-946e-eaeedce75bb7.vbs"
        23⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3816b57-46d3-4d99-8ab3-1f60a89fbeee.vbs"
        23⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf8b2f5-e1fa-4dc8-a5ae-160fab765af8.vbs"
        21⤵
        
        PID:3236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5eea823-d550-46cb-9892-2979ad3153da.vbs"
        19⤵
        
        PID:3212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1763400a-95a0-46d9-b382-a6dd2c1423ec.vbs"
        17⤵
        
        PID:1388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39e7ffc5-7356-49ab-97b5-ba7c189746e7.vbs"
        15⤵
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bb5c814-1f6a-4a05-b619-f20181a28a2d.vbs"
        13⤵
        
        PID:3256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e0211db-c0fc-4e85-b4e1-aa6bb492d768.vbs"
        11⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08fdef9a-e380-4833-b792-522c28bf0f35.vbs"
        9⤵
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e26eb16-a09f-459b-b5d7-b8cd06fd15c0.vbs"
        7⤵
        
        PID:2236
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd9c1520-ef0e-432a-a4d8-9e2eec7f089e.vbs"
        5⤵
        
        PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\AppReadiness\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Reports\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
815f9e54d2e55a6cd87a044f75fdba0c

SHA1
9e2c91b5d015a2f96539227ed0a5d83cf26f6c08

SHA256
ec7d07723ca9c032e3662c0a316318065854ed4dc54106a5214278cbd148e75f

SHA512
9198d94b9d3ef35693881e3dc3e1c7f4b42d98f23a27f58cec67309628504de6940f0ac58bff1de2923b9d1b2dd11be82ea98bad9419d2e22f610df01c7401a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a1d5945d69caaa5ad4650aa92416db8

SHA1
fce5ff33231a7b99c4e54afac0b356aa72c86aef

SHA256
536f6c89e5a645ed4b13768d4e63be2900f010b341e04729e79c04af7af1d567

SHA512
04a94cfc967dccb836f2a51b86f861f77421f57bfc6826b00a63a86df995e0e873b38a5c930a15a173b3ea4e768776a13860206468d1bb7ec614ce93f8143cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a7f35c006bbf5da72f9cb250ffbddb

SHA1
458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

SHA256
a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

SHA512
d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
705e397ba2c670b0b9fcebdd31e0feea

SHA1
8566fe7e0903b7495e659ba0588b72e3ce538c3b

SHA256
ae5d0de2ba6fe534bf67dcdbbfd71cf3f8c26f3d6ec852d73362d274a242732f

SHA512
a2914a193cbea13119567199082c52eebe67719c80bc056b3820c6a4b2e8cf8c7ecd3e38975f6ffc616b171ab722a6664f44f65496fdaf114615c1bbdf98306c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9301fb10a9394288e8324feb7da20e8d

SHA1
13cf5e60e24b5ee2c70badf42a0c0a8a1af4d3d0

SHA256
1687eeb30b85104251b199766ec1f00574c3ecd46a35578c2d7ce6db95ea28ec

SHA512
9fb789ff290c48028e0bd3ddc6fbc5bc1e34d37a967123f3f565ba639cc820901885ab4316e64dbf72515fa254f12ffc16273560aa681b7a28f564301181ab66

Download Submit
C:\Users\Admin\AppData\Local\Temp\11dd9782-7014-452e-b39a-1979f233c8e1.vbs

Filesize
736B

MD5
3baaf0cb5a726c5c75b76a0d5704940f

SHA1
41773ab89cd5e8b5094d1661c3b477de75653a92

SHA256
0f7ff1edaa1ff409c11d479c8d89402fadbef9ba6f789c5bbb82fc1f5aad8624

SHA512
ea8b3865dc1ab1e9b10068696ffc45bc4678e2657245b59f10d79a7f5c124116e215d87d4dd721314d1d616c9567aadb6435b7130921002bb7f6c87dc146fb56

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b0609f8-e9ce-4525-b275-dda0b8203146.vbs

Filesize
736B

MD5
37baa7190910827078516e8beb3526ce

SHA1
3e805a75d2c01a4d299e2632980123b21517f454

SHA256
2acdb873ce653340b6a0e7e21d04fec4da6ee5c2a7c28b098130c98f9ebfaf3c

SHA512
51c5277d965c68b9936ed7da73a38d4250d549007accdd913660679c9e59c7e5c77040543e1cde07cae74c047e0036b74224614e5984853201f492001b6b52f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\58NgmlZn37.bat

Filesize
267B

MD5
c823ce1d652a9c3a6de9085fa8700f6f

SHA1
ee634e0179d2772a0b5085fb6e6734183c148d2f

SHA256
cc794cdaa24f8f985600fdb9512045a291cf259b8b6c9812c9f34e519c0e54ea

SHA512
3462a441312f744de8e962160615d0c471665b7258eb9615d39c76e09dbfdc68b2c183a814a3a69d264900b4dbd55b81ca8250847a34940a194a4402c4f81ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\70051088-a9f2-446f-8177-43e4a0af6bcb.vbs

Filesize
736B

MD5
356c2fd5003cfe3993c9394909f5da74

SHA1
915456526772e2465acfd5c9be90bdbbfef5779b

SHA256
2108a041519ae536358a8fc7d04a9344700136f4b8dda1b75bba998234d0b718

SHA512
51076657b1d03e3893c55fe9e5e8622feacfc2cbcf3413e822bc5985ab95d3cdfa8835836dae03bfa92d5d8fe1e40e371ec38bc4c47e17b4528ab543ba4a375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\72e78af2-b523-4432-95a4-6602aad81024.vbs

Filesize
736B

MD5
b66d3d2b8862b5ba968b267681652e48

SHA1
5b641ea5eb69f5e1d9bc7d056fff824084b94cb1

SHA256
d5c9ae09575292c6cd9a86e67bd47e8a3d7186721171f6a88609bf3b3d74985e

SHA512
cc27268fcf19de918dd1dc6ac587e3f27507130ec1c9692e819e0b4a2bc7bb199b9b984380600e2b18fb303cd488faa2707aed920adc4be311f07e9c599cc673

Download Submit
C:\Users\Admin\AppData\Local\Temp\842169aa-427f-489c-ad4b-0a6b4ea93d33.vbs

Filesize
736B

MD5
c0968b768a9c1732551f2c5ef4f09e5c

SHA1
51c3015e7e6a5275d1494e58a162d565132565e4

SHA256
fdbe1c509698ed6446f805c482cfaa757687c007f87bab1af0f5ee8f19ad7d51

SHA512
471e3cd008ac687caa1f43f688d1e47d213e37615ac87aee398e9444fc5d5d55f40ead226f004a6c5e5b43bea27b88fddb8acd7f0e3ff8b75e9840c40a30d81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\84b698b9-fe85-40d7-a524-9318c0e9307a.vbs

Filesize
736B

MD5
664502f7fcfcb88bb66bf75b0126d5d7

SHA1
59882d09f1a2d5d01da2bbef125d8a9a615d2d35

SHA256
f183b71c1c9409e0411cd00e1b0f5dec6ea43977ce99cbe5dc40c39a142409d3

SHA512
8a2451f1245f6dad02b63cf4f08683322a779442de573d741350493f06238e5cd3a70912ce57070f8d3d97122f373d29e33528b515c8b45811b8a5db5a56eace

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b094169-fcc3-4a1c-8077-bf473541f42c.vbs

Filesize
736B

MD5
3b1d18b942f107fbc44a5f9ddbbd43e7

SHA1
b051617831e324fbb09fe175b3e606210bc91f0e

SHA256
40a504f8fb865087b2119b825ebd50e4d9edd65e76f6e7cbac5b20cfc900d1e2

SHA512
ade240e58869b8339239045c7ea05838130c2975e332312b4bca8855c71b8b3e9a9031321d5c25efc24267f5dd964c08228b12acedea67596b9ecae4078e513e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ef3e56f-6dd5-401d-aeff-7b2316b615f8.vbs

Filesize
736B

MD5
c821c43a02c83e393d10a70a729ed800

SHA1
8e71d9040bea0fdd146367be63368440d5e48d23

SHA256
94b22311e52ef5c0867e129d3ff257956e891db945170c0fefacea40fedd02e7

SHA512
0ff344485c45e7f36ee3ad22f49f52c6b0ab1981f2c455a67e05b9b781559c70ac1b8c65d8b810fe831f5d990d0721330ae8e93e30d9f0c7f8b20ef8a86df534

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXA77C.tmp

Filesize
1.7MB

MD5
9dd2bc624ea9c953ff5621fef397066b

SHA1
e4ea9a4db77e4a5b3f062d4a3bbe10aa04913593

SHA256
b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6

SHA512
c63117abd2afa7b97afa1439b44412439bf5c0608fdcd4d45fce397d1a2e30766e2df0a19fafcb43b3cf657abe379848dbed4eaa666474be19ec52b7e7740a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijtreldd.3x5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd9c1520-ef0e-432a-a4d8-9e2eec7f089e.vbs

Filesize
512B

MD5
3463c837ef7499617c8f768397db557e

SHA1
92e17081ac33f93336760e8414b7e5faa1cca4a4

SHA256
ec99abfc654f10d90cb487cab4398a1733cbf6d39b2c2e736bb30ed55ddc4e13

SHA512
8ac6158da56374ff875cb375dddb88f5d99c654798d6e6176096d6112c00594556b38f870ae2662f590d335ff9a53f7d5194e90b4ebfebf2a7f3fd342a5421d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\efb81e9e-2aea-4ec6-8709-1ad745f7eb4d.vbs

Filesize
736B

MD5
cb7f2ec5430b7a5fe1663903cdaea08a

SHA1
dda89ef522e2c91f3404e54fc379efe12a44abbc

SHA256
fc4a3ddca0bc54b5a9feac28c96de238446c62048b1b7b3c85a54bfb5bb3774c

SHA512
c665b18686f3cc2378ff81cd3a48e1c84fd3c6cb10bf86c06471d33d55dbd7efbfc7245907d7f296eb0a5681bfb6cf84439f336b3d67657b4233edc688067ed6

Download Submit
memory/384-516-0x000000001AF10000-0x000000001AF22000-memory.dmp

Filesize
72KB

Download
memory/3444-493-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/4000-7-0x000000001B5A0000-0x000000001B5B6000-memory.dmp

Filesize
88KB

Download
memory/4000-12-0x000000001B5E0000-0x000000001B5F2000-memory.dmp

Filesize
72KB

Download
memory/4000-8-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/4000-16-0x000000001C010000-0x000000001C01E000-memory.dmp

Filesize
56KB

Download
memory/4000-5-0x0000000002C90000-0x0000000002C98000-memory.dmp

Filesize
32KB

Download
memory/4000-6-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4000-4-0x000000001B620000-0x000000001B670000-memory.dmp

Filesize
320KB

Download
memory/4000-3-0x0000000002B20000-0x0000000002B3C000-memory.dmp

Filesize
112KB

Download
memory/4000-0-0x00007FFB497F3000-0x00007FFB497F5000-memory.dmp

Filesize
8KB

Download
memory/4000-2-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4000-10-0x000000001B5D0000-0x000000001B5D8000-memory.dmp

Filesize
32KB

Download
memory/4000-9-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

Filesize
48KB

Download
memory/4000-1-0x00000000008A0000-0x0000000000A60000-memory.dmp

Filesize
1.8MB

Download
memory/4000-13-0x000000001C2D0000-0x000000001C7F8000-memory.dmp

Filesize
5.2MB

Download
memory/4000-14-0x000000001B670000-0x000000001B67C000-memory.dmp

Filesize
48KB

Download
memory/4000-15-0x000000001C000000-0x000000001C00A000-memory.dmp

Filesize
40KB

Download
memory/4000-88-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4000-18-0x000000001B680000-0x000000001B68C000-memory.dmp

Filesize
48KB

Download
memory/4000-17-0x000000001C020000-0x000000001C028000-memory.dmp

Filesize
32KB

Download
memory/4000-23-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4000-21-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

Filesize
10.8MB

Download
memory/4000-19-0x000000001BEA0000-0x000000001BEAC000-memory.dmp

Filesize
48KB

Download
memory/4528-481-0x000000001C410000-0x000000001C422000-memory.dmp

Filesize
72KB

Download
memory/5072-94-0x000001BA5AC50000-0x000001BA5AC72000-memory.dmp

Filesize
136KB

Download