dcrat | e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
Size

1.7MB
MD5

d337a1cc8b6b0d9f1c16ec727b3197e2
SHA1

01dbeb18baa4efb70b3a30930e08d89e2e25c05a
SHA256

e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345
SHA512

d20493b21aceb61d5e8c49afa8cd0cdd14234b9b3d94d4f8af92f0b64cb4542fc154cd29339b1f56abae14c97b752f8f6b81d6e86e301c3576117fa510879285
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvV:eTHUxUoh1IF9gl2e

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4500	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4500	schtasks.exe	83

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2372-1-0x0000000000A10000-0x0000000000BD0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbf-30.dat	dcrat
behavioral2/files/0x000700000001e75d-166.dat	dcrat
behavioral2/files/0x000a000000023cc7-178.dat	dcrat
behavioral2/files/0x0009000000023cd0-189.dat	dcrat
behavioral2/files/0x0009000000023cda-225.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3304	powershell.exe
452	powershell.exe
2504	powershell.exe
4728	powershell.exe
2760	powershell.exe
5104	powershell.exe
4592	powershell.exe
3572	powershell.exe
3184	powershell.exe
3016	powershell.exe
5088	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 6 IoCs

pid	Process
4848	wininit.exe
2776	wininit.exe
400	wininit.exe
1228	wininit.exe
3232	wininit.exe
3752	wininit.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCXEBC0.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\backgroundTaskHost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCXE6FA.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXEE63.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCXF51F.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCXF7A1.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXDD7B.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\backgroundTaskHost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RCXE91E.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\eddb19405b7ce1	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files\Windows Defender\ja-JP\wininit.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RuntimeBroker.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXEE43.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXF077.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\9e8d7a4ca61bd9	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCXE67C.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCXF520.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCXF7A2.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Media Player\5940a34987c991	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RuntimeBroker.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\e6c9b481da804f	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\dllhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RCXE98C.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Media Player\dllhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files\Windows Defender\ja-JP\56085415360792	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Common Files\Services\9e8d7a4ca61bd9	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCXEBC1.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\wininit.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\6203df4a6bafc7	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\6ccacd8608530f	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXDD7C.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXF0E5.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\csrss.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\es-ES\System.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\es-ES\27d1bcfc3c54e0	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\appcompat\RuntimeBroker.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\SKB\LanguageModels\OfficeClickToRun.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\appcompat\9e8d7a4ca61bd9	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\es-ES\System.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXDB76.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXDB77.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\appcompat\RCXDF82.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\appcompat\RuntimeBroker.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\ModemLogs\886983d96e3d3e	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\Boot\RuntimeBroker.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\SKB\LanguageModels\OfficeClickToRun.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\SKB\LanguageModels\e6c9b481da804f	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\es-ES\RCXD951.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\ModemLogs\RCXD4F7.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\ModemLogs\RCXD4F8.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\ModemLogs\csrss.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\es-ES\RCXD961.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\appcompat\RCXDF81.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4228	schtasks.exe
1260	schtasks.exe
4876	schtasks.exe
4784	schtasks.exe
4944	schtasks.exe
3996	schtasks.exe
2516	schtasks.exe
632	schtasks.exe
4240	schtasks.exe
1836	schtasks.exe
4816	schtasks.exe
4776	schtasks.exe
5036	schtasks.exe
2772	schtasks.exe
3824	schtasks.exe
1040	schtasks.exe
3928	schtasks.exe
3936	schtasks.exe
3304	schtasks.exe
4688	schtasks.exe
3116	schtasks.exe
3088	schtasks.exe
2484	schtasks.exe
4152	schtasks.exe
4904	schtasks.exe
4536	schtasks.exe
4264	schtasks.exe
2064	schtasks.exe
2228	schtasks.exe
532	schtasks.exe
884	schtasks.exe
2608	schtasks.exe
2760	schtasks.exe
2024	schtasks.exe
2884	schtasks.exe
3968	schtasks.exe
2032	schtasks.exe
3016	schtasks.exe
3184	schtasks.exe
4984	schtasks.exe
3876	schtasks.exe
4508	schtasks.exe
624	schtasks.exe
1248	schtasks.exe
3772	schtasks.exe
1132	schtasks.exe
4544	schtasks.exe
2056	schtasks.exe
4412	schtasks.exe
4032	schtasks.exe
3776	schtasks.exe
4900	schtasks.exe
4392	schtasks.exe
1336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	4848	wininit.exe
Token: SeDebugPrivilege	2776	wininit.exe
Token: SeDebugPrivilege	400	wininit.exe
Token: SeDebugPrivilege	1228	wininit.exe
Token: SeDebugPrivilege	3232	wininit.exe
Token: SeDebugPrivilege	3752	wininit.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 452	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	143
PID 2372 wrote to memory of 452	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	143
PID 2372 wrote to memory of 3304	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	144
PID 2372 wrote to memory of 3304	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	144
PID 2372 wrote to memory of 4592	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	145
PID 2372 wrote to memory of 4592	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	145
PID 2372 wrote to memory of 5088	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	146
PID 2372 wrote to memory of 5088	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	146
PID 2372 wrote to memory of 5104	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	147
PID 2372 wrote to memory of 5104	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	147
PID 2372 wrote to memory of 2760	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	148
PID 2372 wrote to memory of 2760	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	148
PID 2372 wrote to memory of 4728	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	149
PID 2372 wrote to memory of 4728	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	149
PID 2372 wrote to memory of 3016	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	150
PID 2372 wrote to memory of 3016	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	150
PID 2372 wrote to memory of 2504	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	151
PID 2372 wrote to memory of 2504	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	151
PID 2372 wrote to memory of 3184	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	152
PID 2372 wrote to memory of 3184	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	152
PID 2372 wrote to memory of 3572	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	153
PID 2372 wrote to memory of 3572	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	153
PID 2372 wrote to memory of 752	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	165
PID 2372 wrote to memory of 752	2372	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	165
PID 752 wrote to memory of 3124	752	cmd.exe	167
PID 752 wrote to memory of 3124	752	cmd.exe	167
PID 752 wrote to memory of 4848	752	cmd.exe	175
PID 752 wrote to memory of 4848	752	cmd.exe	175
PID 4848 wrote to memory of 1400	4848	wininit.exe	177
PID 4848 wrote to memory of 1400	4848	wininit.exe	177
PID 4848 wrote to memory of 3440	4848	wininit.exe	178
PID 4848 wrote to memory of 3440	4848	wininit.exe	178
PID 1400 wrote to memory of 2776	1400	WScript.exe	181
PID 1400 wrote to memory of 2776	1400	WScript.exe	181
PID 2776 wrote to memory of 4900	2776	wininit.exe	184
PID 2776 wrote to memory of 4900	2776	wininit.exe	184
PID 2776 wrote to memory of 2944	2776	wininit.exe	185
PID 2776 wrote to memory of 2944	2776	wininit.exe	185
PID 4900 wrote to memory of 400	4900	WScript.exe	187
PID 4900 wrote to memory of 400	4900	WScript.exe	187
PID 400 wrote to memory of 3720	400	wininit.exe	189
PID 400 wrote to memory of 3720	400	wininit.exe	189
PID 400 wrote to memory of 4304	400	wininit.exe	190
PID 400 wrote to memory of 4304	400	wininit.exe	190
PID 3720 wrote to memory of 1228	3720	WScript.exe	192
PID 3720 wrote to memory of 1228	3720	WScript.exe	192
PID 1228 wrote to memory of 884	1228	wininit.exe	194
PID 1228 wrote to memory of 884	1228	wininit.exe	194
PID 1228 wrote to memory of 2512	1228	wininit.exe	195
PID 1228 wrote to memory of 2512	1228	wininit.exe	195
PID 884 wrote to memory of 3232	884	WScript.exe	197
PID 884 wrote to memory of 3232	884	WScript.exe	197
PID 3232 wrote to memory of 4196	3232	wininit.exe	199
PID 3232 wrote to memory of 4196	3232	wininit.exe	199
PID 3232 wrote to memory of 5060	3232	wininit.exe	200
PID 3232 wrote to memory of 5060	3232	wininit.exe	200
PID 4196 wrote to memory of 3752	4196	WScript.exe	202
PID 4196 wrote to memory of 3752	4196	WScript.exe	202
PID 3752 wrote to memory of 4364	3752	wininit.exe	204
PID 3752 wrote to memory of 4364	3752	wininit.exe	204
PID 3752 wrote to memory of 2892	3752	wininit.exe	205
PID 3752 wrote to memory of 2892	3752	wininit.exe	205

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
"C:\Users\Admin\AppData\Local\Temp\e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfSNRP11EP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3124
- - C:\Recovery\WindowsRE\wininit.exe
    "C:\Recovery\WindowsRE\wininit.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2299d3bd-e7e2-4caf-8b4a-7529582d14a2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\454c532d-7982-425e-9d22-c25a6edd3d5e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ae77ab4-9dce-432d-9d8b-ad35d0592e98.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19c5c928-b63c-4afc-aa91-d2f050bd2e39.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20ea4f6e-4822-4ba1-bc68-2ee1aaff18d2.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a215d302-fe31-4b30-8a80-30a409dcab8e.vbs"
        14⤵
        
        PID:4364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\313cc722-c365-4d40-bcc9-8926a7293baf.vbs"
        14⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6b009a8-6595-4cfb-8525-e42508c5b535.vbs"
        12⤵
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14ad6710-24bb-484e-beca-3ead67cdc9f9.vbs"
        10⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6f5331c-2661-41cd-b755-e667c0ad8f98.vbs"
        8⤵
        
        PID:4304
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e55a73fd-02e8-4b71-a7da-e85cc6b4db1b.vbs"
        6⤵
        
        PID:2944
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10c18431-4b97-44bc-8cd7-2d123b0b1c82.vbs"
      4⤵
      PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Application Data\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RuntimeBroker.exe

Filesize
1.7MB

MD5
01f2a02ebbea2e6405a7a36e267f824e

SHA1
c6650f2e86df97cb486b5166cd88a8ec9a76f146

SHA256
6644ffeb7291b55640edea011ed0f8cfd8779c04591f2c0a4f7001027971a915

SHA512
66eec6838a0377b603f432a0cfa5118d16136b596519f3a31b2102ef93627f170bd056c387838ba5b7403ba7f5b5285e6ea1cc94453b5931fe0183dd0bbaaa92

Download Submit
C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe

Filesize
1.7MB

MD5
955c381a12a4a5cae75d015a569fd0f5

SHA1
98d52961fdfb0e7a02e4502c8aba0c527c84e60b

SHA256
39b3de720c6f17e1887969f3aa9848d0b1360060ec704c5ebc02f6ae7c38a306

SHA512
678f22e218a812023a2c0b579ce552fef73d9d6aef30f9037b5fea7cb9625322414b3f4662768104f8e92b2127c7fde4d72fb3f3aa5d29ea081fbc7742160c51

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\backgroundTaskHost.exe

Filesize
1.7MB

MD5
300a3698c36b4e9b06dc5a385316dc43

SHA1
37454d14f2a551bd145775b6e006bade4ae9447a

SHA256
a9e1ff4a6f88638a689054be770675f2c947b0c9f4a4ab3578ac77424b8dccd7

SHA512
b97bfbc8cf0d3f8af2e8a2b38a896faa9d087dad42c637ea2b9e9a475977db544166c3209e902775975c9eb7404eff0de0a6fdac8939ceea54a3b1793f1c4b97

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.7MB

MD5
f1bdad81dfb258946454ea1a9ad52a0e

SHA1
a871a2175d4708788100bf11146806219cb73973

SHA256
804ca8805337fb89d4b1b3ef07c77812fab2a1cfd91b6d8da9fa726ba1accaaf

SHA512
a2c895c8b243cf6b1055238e64b134befba144f0af7fdb430c5c1e8a69908f5d79f3aae6c2d2da1d2b416c9a1d0bec9542d5d11c743d2678f25245808bf40188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ae77ab4-9dce-432d-9d8b-ad35d0592e98.vbs

Filesize
708B

MD5
b237fea12f5e79c29d1a76a2082799fe

SHA1
c84afc83700f1d233c5e8672b4dcb906fea3b201

SHA256
1466ba3821a6df842c8104d603e395fb9861373cd33ecdf09aa590e74565e5c2

SHA512
f55071f69b6ef70d2a1c780248590a2c2bc4799f22b0f45f9111a08d7f85cd3bf2c1303f2b7d8bc703b7460c1e87fc513af2dc27b49e9857e7b7c08525be81fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\10c18431-4b97-44bc-8cd7-2d123b0b1c82.vbs

Filesize
485B

MD5
5e0f629d0d648fadf37a9182552e1675

SHA1
f4c4873f5227e0984175715212a38941b96cfd98

SHA256
399e982d4cfd9c91a27f5136d7ed5b635ab79165fe53a43697d9e315d9efbc8d

SHA512
169c016cc280a2262549c9628e19c40e9fa3e4e628f540415883a9368b5e2aa7b4f71a4e10556538a95dc0ab8cfa1beffca6d1564ba4f7fb1f692a5a32847f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\19c5c928-b63c-4afc-aa91-d2f050bd2e39.vbs

Filesize
709B

MD5
7b77df5afce92e4a6c4a2bfb370dc51c

SHA1
b5dc41f3e5ccca59a70fa8ae4822643e31b5c5cf

SHA256
fa5b4f3609414fb092aeede24f502a09d3145c0a523d71325ec59d6f24ff66ac

SHA512
a1d1fb1988ef6ff8133e92c179453cb813e73e9481d0eaffd9298c9a97fcfbc0650fefe74f72809f5f899eff00b727500e54072e36944c253c16ab1eaa95da39

Download Submit
C:\Users\Admin\AppData\Local\Temp\20ea4f6e-4822-4ba1-bc68-2ee1aaff18d2.vbs

Filesize
709B

MD5
5962160ee6c5ebf65e5b3ec73cf2a806

SHA1
d9fda71b1861a67f9fe17b1d1e86fda47b7ce354

SHA256
789fc77e4b24c86ef056e9169847f6276a83a54a6d406a7dc72384011c85e871

SHA512
8187ee71ef66adcb3267f079354503981572d8ffc29edd8088b1576f7c4eeacbe8469703701b9789e9c7dd665e1eef7dd30276e49474648dd9b1dc1a788a0df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2299d3bd-e7e2-4caf-8b4a-7529582d14a2.vbs

Filesize
709B

MD5
0d05e51c9f3d64f379b18f23860ef3f4

SHA1
90b6c5d50266642d73f771a4689e1b3e5ce545f0

SHA256
627dd895d14c2ba1fc718762374ba3d5a2bc7f43aa25a39d285e81956a2a7e6a

SHA512
4acdd323bba3d549a61281f30b8beb07db1a24dacb9239e0efe46c31c9c487b4c450fcb862cb8553290cfc19b142fc0fd4334be408a7d93723f2426fe9782e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\454c532d-7982-425e-9d22-c25a6edd3d5e.vbs

Filesize
709B

MD5
76cbf7fe9ba8882fe8b35da1921fa59e

SHA1
af0fb033968583cee674f9ef594e5fd8ab40fd00

SHA256
b4218e22017f0b56514e9b84d7de4bd8d8712a055547a74e298086f23bbc97b5

SHA512
f5b7df61e4b516f104fadad645028d187e48a32d1707e147ad1ec5746ba5ee6e65b8e4f77b223873e93fc5029b185b11f3e6fb61c50eeb278b6355dace0273de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfSNRP11EP.bat

Filesize
198B

MD5
eaba6ffd1a4c6ca8b1f1559a98a06163

SHA1
b08f49c9ae34000fa97ca9e2ffe8ebdc1705b5d3

SHA256
77d268f9792beb7e66cc795a9cfae635bf9238d759ec85c68498301b3f9fc5d7

SHA512
4009f021fe8fef0332bf751b575e9949e2f26210c78d37aa47003aba6eac1341c96e3c3dbfce83f2480c409c329942680692c5bec534b11ea1d3064d25d22ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_huzoqolv.0ag.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a215d302-fe31-4b30-8a80-30a409dcab8e.vbs

Filesize
709B

MD5
a4202fb34e74c4eefb25e649fd684f0e

SHA1
e3982c9eb41c0e24919c58af38cec210e6720342

SHA256
9b858ab7345523e49158f20d0a6c77794f05d69039a6dfe49930c879e95174f5

SHA512
04c6c4254bfcd30272c276b91832833c4c9ac7fa70d1d0f7bf836316f79f8fd72dcb34273b0d566ac8cd93425d5162edab71730d49431f8dca65d220fe264b5d

Download Submit
C:\Windows\SKB\LanguageModels\OfficeClickToRun.exe

Filesize
1.7MB

MD5
d337a1cc8b6b0d9f1c16ec727b3197e2

SHA1
01dbeb18baa4efb70b3a30930e08d89e2e25c05a

SHA256
e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345

SHA512
d20493b21aceb61d5e8c49afa8cd0cdd14234b9b3d94d4f8af92f0b64cb4542fc154cd29339b1f56abae14c97b752f8f6b81d6e86e301c3576117fa510879285

Download Submit
memory/2372-169-0x00007FF8470A3000-0x00007FF8470A5000-memory.dmp

Filesize
8KB

Download
memory/2372-291-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-15-0x000000001C020000-0x000000001C02A000-memory.dmp

Filesize
40KB

Download
memory/2372-17-0x000000001C010000-0x000000001C018000-memory.dmp

Filesize
32KB

Download
memory/2372-20-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-18-0x000000001C130000-0x000000001C13C000-memory.dmp

Filesize
48KB

Download
memory/2372-14-0x000000001BEF0000-0x000000001BEFC000-memory.dmp

Filesize
48KB

Download
memory/2372-192-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-204-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-13-0x000000001C420000-0x000000001C948000-memory.dmp

Filesize
5.2MB

Download
memory/2372-228-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-16-0x000000001C000000-0x000000001C00E000-memory.dmp

Filesize
56KB

Download
memory/2372-19-0x000000001C180000-0x000000001C18C000-memory.dmp

Filesize
48KB

Download
memory/2372-23-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-0-0x00007FF8470A3000-0x00007FF8470A5000-memory.dmp

Filesize
8KB

Download
memory/2372-12-0x000000001BEC0000-0x000000001BED2000-memory.dmp

Filesize
72KB

Download
memory/2372-10-0x000000001BEB0000-0x000000001BEB8000-memory.dmp

Filesize
32KB

Download
memory/2372-9-0x000000001BEA0000-0x000000001BEAC000-memory.dmp

Filesize
48KB

Download
memory/2372-8-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download
memory/2372-7-0x000000001B910000-0x000000001B926000-memory.dmp

Filesize
88KB

Download
memory/2372-5-0x000000001B8F0000-0x000000001B8F8000-memory.dmp

Filesize
32KB

Download
memory/2372-6-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/2372-4-0x000000001BE50000-0x000000001BEA0000-memory.dmp

Filesize
320KB

Download
memory/2372-3-0x000000001B730000-0x000000001B74C000-memory.dmp

Filesize
112KB

Download
memory/2372-2-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/2372-1-0x0000000000A10000-0x0000000000BD0000-memory.dmp

Filesize
1.8MB

Download
memory/3304-301-0x0000029B22DB0000-0x0000029B22DD2000-memory.dmp

Filesize
136KB

Download