dcrat | 6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8

Resubmissions

13-01-2025 04:14

250113-et66ksvpex 10

12-01-2025 13:59

250112-ragg2axnhl 10

Analysis

max time kernel
899s
max time network
898s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Size

1.7MB
MD5

0624cb81236f6a0e8d0487a766458088
SHA1

36ea7baa5b367c60269eb1a277bd5ad4bc41b54b
SHA256

6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8
SHA512

742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:OTHUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2712	schtasks.exe	31

DCRat payload 48 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2728-1-0x0000000000260000-0x0000000000420000-memory.dmp	dcrat
behavioral1/files/0x0005000000018690-27.dat	dcrat
behavioral1/files/0x0009000000016d2e-65.dat	dcrat
behavioral1/files/0x000c000000016d47-102.dat	dcrat
behavioral1/memory/1664-112-0x0000000001200000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/2784-196-0x00000000001A0000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/2644-208-0x00000000002C0000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2484-220-0x0000000000AE0000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/692-232-0x00000000000E0000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/708-244-0x0000000000DE0000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/1000-256-0x0000000001320000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/1868-290-0x00000000013A0000-0x0000000001560000-memory.dmp	dcrat
behavioral1/memory/2916-332-0x0000000000840000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/3036-341-0x00000000011E0000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2296-370-0x0000000000010000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2724-379-0x0000000001270000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/848-387-0x0000000000150000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/840-395-0x0000000001100000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/692-411-0x00000000012F0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/1268-427-0x0000000000160000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2552-435-0x0000000000AB0000-0x0000000000C70000-memory.dmp	dcrat
behavioral1/memory/2948-443-0x0000000000220000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2276-452-0x0000000000DC0000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2980-468-0x0000000000350000-0x0000000000510000-memory.dmp	dcrat
behavioral1/memory/2104-476-0x0000000000360000-0x0000000000520000-memory.dmp	dcrat
behavioral1/memory/2204-484-0x00000000013D0000-0x0000000001590000-memory.dmp	dcrat
behavioral1/memory/284-500-0x0000000000100000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/2632-508-0x0000000000B70000-0x0000000000D30000-memory.dmp	dcrat
behavioral1/memory/1608-516-0x0000000000CA0000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/912-525-0x0000000001060000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/1560-526-0x00000000001C0000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/1380-527-0x0000000000E20000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2896-550-0x00000000003F0000-0x00000000005B0000-memory.dmp	dcrat
behavioral1/memory/2592-558-0x0000000001330000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/288-566-0x0000000001340000-0x0000000001500000-memory.dmp	dcrat
behavioral1/memory/1856-581-0x00000000002D0000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1160-582-0x0000000000110000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1548-590-0x0000000001180000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/1508-599-0x00000000012C0000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/2968-614-0x0000000001380000-0x0000000001540000-memory.dmp	dcrat
behavioral1/memory/1560-622-0x00000000002F0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/696-631-0x0000000000210000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2844-639-0x0000000000180000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2288-648-0x0000000000350000-0x0000000000510000-memory.dmp	dcrat
behavioral1/memory/2980-656-0x00000000003D0000-0x0000000000590000-memory.dmp	dcrat
behavioral1/memory/1732-664-0x0000000001010000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/1924-673-0x00000000012E0000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/2920-696-0x0000000000230000-0x00000000003F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1252	powershell.exe
1396	powershell.exe
964	powershell.exe
932	powershell.exe
2492	powershell.exe
840	powershell.exe
600	powershell.exe
2080	powershell.exe
2472	powershell.exe
1280	powershell.exe
2056	powershell.exe
324	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Executes dropped EXE 64 IoCs

pid	Process
1664	winlogon.exe
1788	winlogon.exe
2784	winlogon.exe
2644	winlogon.exe
2484	winlogon.exe
692	winlogon.exe
708	winlogon.exe
1000	winlogon.exe
2280	winlogon.exe
992	winlogon.exe
1868	winlogon.exe
2032	winlogon.exe
1036	winlogon.exe
2816	winlogon.exe
2916	winlogon.exe
3036	winlogon.exe
3028	winlogon.exe
1524	winlogon.exe
2564	winlogon.exe
2296	winlogon.exe
2724	winlogon.exe
848	winlogon.exe
840	winlogon.exe
2936	winlogon.exe
692	services.exe
2940	winlogon.exe
2308	services.exe
1268	services.exe
2552	services.exe
2948	services.exe
2276	services.exe
664	services.exe
2980	services.exe
2104	services.exe
2204	services.exe
2132	services.exe
284	services.exe
2632	services.exe
1608	services.exe
912	taskhost.exe
1560	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
1380	services.exe
2980	services.exe
2608	services.exe
2896	services.exe
1800	System.exe
2592	services.exe
288	services.exe
1364	services.exe
1856	Idle.exe
2620	services.exe
1160	winlogon.exe
2204	services.exe
1548	winlogon.exe
1508	winlogon.exe
1160	winlogon.exe
2968	winlogon.exe
1560	winlogon.exe
696	winlogon.exe
2844	winlogon.exe
2288	winlogon.exe
2980	winlogon.exe
1732	winlogon.exe
1924	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe
2924	schtasks.exe
2588	schtasks.exe
2624	schtasks.exe
2888	schtasks.exe
2140	schtasks.exe
2772	schtasks.exe
808	schtasks.exe
1180	schtasks.exe
1408	schtasks.exe
328	schtasks.exe
2636	schtasks.exe
2776	schtasks.exe
2096	schtasks.exe
1784	schtasks.exe
1344	schtasks.exe
1816	schtasks.exe
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2080	powershell.exe
932	powershell.exe
324	powershell.exe
964	powershell.exe
600	powershell.exe
2492	powershell.exe
2056	powershell.exe
1280	powershell.exe
840	powershell.exe
1396	powershell.exe
2472	powershell.exe
1252	powershell.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe
1664	winlogon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1664	winlogon.exe
Token: SeDebugPrivilege	1788	winlogon.exe
Token: SeDebugPrivilege	2784	winlogon.exe
Token: SeDebugPrivilege	2644	winlogon.exe
Token: SeDebugPrivilege	2484	winlogon.exe
Token: SeDebugPrivilege	692	winlogon.exe
Token: SeDebugPrivilege	708	winlogon.exe
Token: SeDebugPrivilege	1000	winlogon.exe
Token: SeDebugPrivilege	2280	winlogon.exe
Token: SeDebugPrivilege	992	winlogon.exe
Token: SeDebugPrivilege	1868	winlogon.exe
Token: SeDebugPrivilege	2032	winlogon.exe
Token: SeDebugPrivilege	1036	winlogon.exe
Token: SeDebugPrivilege	2816	winlogon.exe
Token: SeDebugPrivilege	2916	winlogon.exe
Token: SeDebugPrivilege	3036	winlogon.exe
Token: SeDebugPrivilege	3028	winlogon.exe
Token: SeDebugPrivilege	1524	winlogon.exe
Token: SeDebugPrivilege	2564	winlogon.exe
Token: SeDebugPrivilege	2296	winlogon.exe
Token: SeDebugPrivilege	2724	winlogon.exe
Token: SeDebugPrivilege	848	winlogon.exe
Token: SeDebugPrivilege	840	winlogon.exe
Token: SeDebugPrivilege	2936	winlogon.exe
Token: SeDebugPrivilege	692	services.exe
Token: SeDebugPrivilege	2940	winlogon.exe
Token: SeDebugPrivilege	2308	services.exe
Token: SeDebugPrivilege	1268	services.exe
Token: SeDebugPrivilege	2552	services.exe
Token: SeDebugPrivilege	2948	services.exe
Token: SeDebugPrivilege	2276	services.exe
Token: SeDebugPrivilege	664	services.exe
Token: SeDebugPrivilege	2980	services.exe
Token: SeDebugPrivilege	2104	services.exe
Token: SeDebugPrivilege	2204	services.exe
Token: SeDebugPrivilege	2132	services.exe
Token: SeDebugPrivilege	284	services.exe
Token: SeDebugPrivilege	2632	services.exe
Token: SeDebugPrivilege	1608	services.exe
Token: SeDebugPrivilege	912	taskhost.exe
Token: SeDebugPrivilege	1560	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Token: SeDebugPrivilege	1380	services.exe
Token: SeDebugPrivilege	2980	services.exe
Token: SeDebugPrivilege	2608	services.exe
Token: SeDebugPrivilege	2896	services.exe
Token: SeDebugPrivilege	1800	System.exe
Token: SeDebugPrivilege	2592	services.exe
Token: SeDebugPrivilege	288	services.exe
Token: SeDebugPrivilege	1364	services.exe
Token: SeDebugPrivilege	1856	Idle.exe
Token: SeDebugPrivilege	2620	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 600	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	50
PID 2728 wrote to memory of 600	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	50
PID 2728 wrote to memory of 600	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	50
PID 2728 wrote to memory of 2080	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	51
PID 2728 wrote to memory of 2080	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	51
PID 2728 wrote to memory of 2080	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	51
PID 2728 wrote to memory of 2472	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	52
PID 2728 wrote to memory of 2472	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	52
PID 2728 wrote to memory of 2472	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	52
PID 2728 wrote to memory of 1280	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	53
PID 2728 wrote to memory of 1280	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	53
PID 2728 wrote to memory of 1280	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	53
PID 2728 wrote to memory of 2056	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	54
PID 2728 wrote to memory of 2056	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	54
PID 2728 wrote to memory of 2056	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	54
PID 2728 wrote to memory of 1252	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	55
PID 2728 wrote to memory of 1252	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	55
PID 2728 wrote to memory of 1252	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	55
PID 2728 wrote to memory of 324	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	56
PID 2728 wrote to memory of 324	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	56
PID 2728 wrote to memory of 324	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	56
PID 2728 wrote to memory of 840	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	57
PID 2728 wrote to memory of 840	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	57
PID 2728 wrote to memory of 840	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	57
PID 2728 wrote to memory of 964	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	58
PID 2728 wrote to memory of 964	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	58
PID 2728 wrote to memory of 964	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	58
PID 2728 wrote to memory of 1396	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	59
PID 2728 wrote to memory of 1396	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	59
PID 2728 wrote to memory of 1396	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	59
PID 2728 wrote to memory of 932	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	67
PID 2728 wrote to memory of 932	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	67
PID 2728 wrote to memory of 932	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	67
PID 2728 wrote to memory of 2492	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	68
PID 2728 wrote to memory of 2492	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	68
PID 2728 wrote to memory of 2492	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	68
PID 2728 wrote to memory of 1664	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	74
PID 2728 wrote to memory of 1664	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	74
PID 2728 wrote to memory of 1664	2728	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	74
PID 1664 wrote to memory of 1276	1664	winlogon.exe	75
PID 1664 wrote to memory of 1276	1664	winlogon.exe	75
PID 1664 wrote to memory of 1276	1664	winlogon.exe	75
PID 1664 wrote to memory of 2396	1664	winlogon.exe	76
PID 1664 wrote to memory of 2396	1664	winlogon.exe	76
PID 1664 wrote to memory of 2396	1664	winlogon.exe	76
PID 1276 wrote to memory of 1788	1276	WScript.exe	77
PID 1276 wrote to memory of 1788	1276	WScript.exe	77
PID 1276 wrote to memory of 1788	1276	WScript.exe	77
PID 1788 wrote to memory of 2676	1788	winlogon.exe	78
PID 1788 wrote to memory of 2676	1788	winlogon.exe	78
PID 1788 wrote to memory of 2676	1788	winlogon.exe	78
PID 1788 wrote to memory of 2628	1788	winlogon.exe	79
PID 1788 wrote to memory of 2628	1788	winlogon.exe	79
PID 1788 wrote to memory of 2628	1788	winlogon.exe	79
PID 2676 wrote to memory of 2784	2676	WScript.exe	80
PID 2676 wrote to memory of 2784	2676	WScript.exe	80
PID 2676 wrote to memory of 2784	2676	WScript.exe	80
PID 2784 wrote to memory of 2688	2784	winlogon.exe	81
PID 2784 wrote to memory of 2688	2784	winlogon.exe	81
PID 2784 wrote to memory of 2688	2784	winlogon.exe	81
PID 2784 wrote to memory of 1940	2784	winlogon.exe	82
PID 2784 wrote to memory of 1940	2784	winlogon.exe	82
PID 2784 wrote to memory of 1940	2784	winlogon.exe	82
PID 2688 wrote to memory of 2644	2688	WScript.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fde79a2-8336-4e3a-bc90-60ce7e82e01a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9295220-f993-443c-bba5-5634b2b59e53.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb2ad20c-ec09-47e4-b3d4-df60510e2e55.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edb70889-75a4-4083-8469-075887fc5f0a.vbs"
        9⤵
        
        PID:2060
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caaab5ca-392e-47b5-bf81-9d770cd9b0bc.vbs"
        11⤵
        
        PID:684
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\848020ea-d282-40f7-8c44-1366eab4d797.vbs"
        13⤵
        
        PID:1276
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\706b0cd1-d363-4222-8b35-d4e6dc0bf382.vbs"
        15⤵
        
        PID:328
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32be462e-17c9-44a7-8561-d4bed576c908.vbs"
        17⤵
        
        PID:2520
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\519a98c4-3e38-4828-863b-5608f22ced29.vbs"
        19⤵
        
        PID:1048
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27467a90-19fe-440a-8975-63adc9a8d292.vbs"
        21⤵
        
        PID:1788
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b4df1c8-e5c0-49a5-bf71-07bba7add470.vbs"
        23⤵
        
        PID:884
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9839310-8cbf-4b73-82c4-5ded153c1161.vbs"
        25⤵
        
        PID:2576
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e991016-c98b-4faf-9459-d2f884e3a19a.vbs"
        27⤵
        
        PID:1832
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6649948a-51cc-4da6-9422-1dbb0f9d056d.vbs"
        29⤵
        
        PID:1760
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0498e6f-7b1a-4201-b7dd-a833b1721f69.vbs"
        31⤵
        
        PID:620
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b730951c-b560-482a-8d8c-0010408958d5.vbs"
        33⤵
        
        PID:2292
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f2b787e-6245-413b-927e-b6d93781820f.vbs"
        35⤵
        
        PID:2576
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d05404c5-f547-4bad-903e-5ab12f8dd8a3.vbs"
        37⤵
        
        PID:1736
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a23b4a85-5c67-4470-b0f8-f7d934e4f906.vbs"
        39⤵
        
        PID:2916
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee818d17-2d77-4d86-8455-4b7bbd005cd3.vbs"
        41⤵
        
        PID:1252
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1125d39b-3c66-4564-a4dc-c5e2f8dc519f.vbs"
        43⤵
        
        PID:2388
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97f09be4-6976-4ddc-8fea-3e2051e27588.vbs"
        45⤵
        
        PID:324
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae9e1cb7-8328-4ef1-aeb1-90c192fe9f09.vbs"
        47⤵
        
        PID:2664
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a962857-3c9b-4490-a015-078a10a5369d.vbs"
        49⤵
        
        PID:1252
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7bd86eb-e2ea-4fa2-b981-b65f5eb5f9ea.vbs"
        49⤵
        
        PID:1096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3508c968-7c7f-4bf0-92ff-a54d644088ee.vbs"
        47⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\254d5b32-429f-4552-a58d-8f6a44149eca.vbs"
        45⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae473f61-3cb2-4562-9272-14407d7bde4e.vbs"
        43⤵
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\340b7d6d-fc07-4442-ba11-80b9ccbbb35d.vbs"
        41⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd85d0fc-0d1a-4720-90b6-61c6e3b78108.vbs"
        39⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6397d4c5-2efb-44b0-9a4f-ab85fbb9d200.vbs"
        37⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0ca2b39-d800-41cf-845e-e7ec23a1f7ba.vbs"
        35⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9eefe77-57ba-4931-81e7-71a4740ee88b.vbs"
        33⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de7b1ae5-5fab-40ee-af95-f21d82978f0a.vbs"
        31⤵
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5107546-9346-481f-9967-d5d8d38b50e0.vbs"
        29⤵
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e84b6f8d-c9c6-4189-8e60-5345ec5b7709.vbs"
        27⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24a5c77e-e4c1-48db-99de-19c3254beba2.vbs"
        25⤵
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b014cfb5-2899-4c1d-aeca-021bb83ba833.vbs"
        23⤵
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7834536-0e2a-4dc7-8cd2-87e55a569687.vbs"
        21⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8abe3583-a2a7-4c10-9bf7-de82d18d534b.vbs"
        19⤵
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1077599-da04-4428-b3e5-1b535d7a3b96.vbs"
        17⤵
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73d3c3ed-46d5-4cd4-bfb1-e3cc49c066b6.vbs"
        15⤵
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\434997f9-098d-4dc4-8a47-fc022141b002.vbs"
        13⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ebdab09-ab54-428e-845c-f3d4bde387c9.vbs"
        11⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\547a5f45-009f-4dd6-be72-a16b53d0e885.vbs"
        9⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d58fb18-470a-495f-97f8-fec55a20cbb9.vbs"
        7⤵
        
        PID:1940
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aed96267-c246-4d95-b341-221255331a92.vbs"
        5⤵
        
        PID:2628
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d97ac76-4cac-4906-a147-bef13b33389e.vbs"
    3⤵
    PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\taskeng.exe
taskeng.exe {1E1810D9-068C-4BC8-BC33-27C6A3765AFB} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
PID:1812
- C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
  C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cc8a61a-b3ee-417f-9351-f1f033542b4b.vbs"
    3⤵
    PID:280
  - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
      C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2308
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a4ca932-f8bc-407a-975f-ba37a48d668b.vbs"
        5⤵
        
        PID:984
      - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5033a22a-ce21-4909-8371-084eda96ce5e.vbs"
        7⤵
        
        PID:2776
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bba4e67d-4c7c-4086-9ce8-61760d3bb7f3.vbs"
        9⤵
        
        PID:960
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f73eb9a6-111f-488b-8674-7ad7c7427d11.vbs"
        11⤵
        
        PID:2340
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\414c8be3-2720-40b4-8b36-d2db668b1cd1.vbs"
        13⤵
        
        PID:904
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95c32db6-6ca5-4953-9a53-98122b83538f.vbs"
        15⤵
        
        PID:2372
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ffb5c70-7f0f-47d5-bf17-6097f935b58a.vbs"
        17⤵
        
        PID:2716
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30daccf2-8d89-460b-9b64-f1feeec36fca.vbs"
        19⤵
        
        PID:2960
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7834c53d-70df-4ad1-881a-3ff9f8c4457c.vbs"
        21⤵
        
        PID:2976
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b93dac-1cb6-4d1d-9325-7e0c6247acc9.vbs"
        23⤵
        
        PID:3000
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3700a891-60ae-4eea-b387-83a96196a854.vbs"
        25⤵
        
        PID:1600
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60a9836c-e75c-4ae0-8b32-38e73546b6ea.vbs"
        27⤵
        
        PID:620
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74a26553-e994-48e4-81d7-d8f93608f21c.vbs"
        29⤵
        
        PID:2896
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40b22a8b-894a-4b81-b501-3ac7ce69af97.vbs"
        31⤵
        
        PID:2496
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd6ed3e7-3c6f-44fa-81e5-523171321def.vbs"
        33⤵
        
        PID:2884
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c928de8-556d-4573-b069-fa362b7fd7f4.vbs"
        35⤵
        
        PID:2704
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aff42e79-f410-49ea-a4ac-aec54bdd51dd.vbs"
        37⤵
        
        PID:448
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59ebf796-ffdf-4130-88ea-c128588adb6a.vbs"
        39⤵
        
        PID:1612
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82a70759-0a56-43f4-9e7f-cb0ab25e3a5c.vbs"
        41⤵
        
        PID:2944
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb76b4d7-af83-4190-a67d-4e47e3e34d97.vbs"
        43⤵
        
        PID:864
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c36bb60a-491c-4e84-9448-81ba5faa8ff7.vbs"
        43⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0e19d7a-1cbc-4a54-b29d-15a68bf2b52b.vbs"
        41⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\463196b8-b349-41ba-b989-d94af72ae541.vbs"
        39⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0983d5f-146a-4185-a3b8-fbb31160cb43.vbs"
        37⤵
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa46355b-34e2-4205-9a6a-48fa8f8bbf8e.vbs"
        35⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e64ca311-c17a-4a69-9825-bb9e8b9a5857.vbs"
        33⤵
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\616cee42-d494-477f-a5f4-de3be9db4639.vbs"
        31⤵
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf1a8860-ab9d-486e-a929-1f92129b7865.vbs"
        29⤵
        
        PID:320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a328aa8d-ea9d-43a8-bfce-510abfdef0bb.vbs"
        27⤵
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7a7739d-73d1-4774-9fe6-b1fba25f373a.vbs"
        25⤵
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45590777-b803-4a79-85b1-2a1347be03e2.vbs"
        23⤵
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\988585e8-f477-42ee-bc27-3cd13e4a82d3.vbs"
        21⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd9811b6-482b-4d25-bf1f-f7c511630aec.vbs"
        19⤵
        
        PID:184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d04eb62-e59d-42fe-8400-d7104293834c.vbs"
        17⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a929445-7bcc-449d-8348-183200495de1.vbs"
        15⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b943f86-9525-4319-b293-5a8057d740c2.vbs"
        13⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60435278-0367-44fc-8489-420466b17970.vbs"
        11⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e2933c5-8bc3-4fd2-9508-ddec9ec95ec0.vbs"
        9⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2a85fff-1099-4039-b830-aa7913018483.vbs"
        7⤵
        
        PID:1712
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f13fe814-2e61-487a-ad10-c23fe31698da.vbs"
        5⤵
        
        PID:2292
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ce4e4de-907e-4193-bc71-69f94e70eb2e.vbs"
    3⤵
    PID:1912
- C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
  C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
  C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Users\Public\System.exe
  C:\Users\Public\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
  C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
  "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
  2⤵
  - Executes dropped EXE
  PID:1160
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af9ff56d-d6cb-4a4f-8956-4a8352db78ac.vbs"
    3⤵
    PID:3024
  - - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
      4⤵
      Executes dropped EXE
      PID:1548
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00f69734-e461-4010-b5ca-6e29c5e7f760.vbs"
        5⤵
        
        PID:1732
      - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09ff9d56-770c-4c5b-8410-03162101cfbf.vbs"
        7⤵
        
        PID:2612
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        8⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\644c47c8-042d-46cd-b3f3-d5a7c2f675db.vbs"
        9⤵
        
        PID:296
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        10⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b7c591a-8b1c-4340-b722-16693fe4f78e.vbs"
        11⤵
        
        PID:2328
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        12⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1043bf2-ddbd-4a4f-84ff-aef11e52e2eb.vbs"
        13⤵
        
        PID:2112
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        14⤵
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6300a39-ee85-4fe5-a99d-504d8ccc292e.vbs"
        15⤵
        
        PID:2204
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        16⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f2c8c2f-29ed-42cc-938e-502ef66c962d.vbs"
        17⤵
        
        PID:1732
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        18⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1538c975-0b28-454e-af65-1a03275d4c36.vbs"
        19⤵
        
        PID:1280
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        20⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8d95c82-a4e3-4ef3-b9dd-aeee332a0070.vbs"
        21⤵
        
        PID:1832
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        22⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\267c44cf-110d-4e42-946a-f9066dabc2c3.vbs"
        23⤵
        
        PID:1284
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        24⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61e6f193-e4f7-4293-8e25-c888bc3c8804.vbs"
        25⤵
        
        PID:1356
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        26⤵
        
        PID:296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16bf8d25-5850-4567-ae3c-bcec2b4ec7eb.vbs"
        27⤵
        
        PID:2200
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        28⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4e51cb7-c480-49ab-9571-cb5c66697472.vbs"
        29⤵
        
        PID:2240
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        30⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d37c49a0-2ee2-4bc1-893a-d7e7bf20ce40.vbs"
        31⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ba4a7f6-e059-4570-a1bd-bf1d9d7545d1.vbs"
        31⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d8607a6-4844-4551-ab68-ceb2dbaa9473.vbs"
        29⤵
        
        PID:780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5560008-bf4f-4397-95b7-26902eabe968.vbs"
        27⤵
        
        PID:1240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6463e24f-4816-4e7e-88e1-99eb1c5c2fc7.vbs"
        25⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19944b23-5317-40b5-9b39-570a3862604e.vbs"
        23⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8d832df-8b88-4829-b759-e330b214806f.vbs"
        21⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\363283c1-ec48-4740-9f43-5fdda460f830.vbs"
        19⤵
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8412e67-3079-4d74-bdc1-628ff734501e.vbs"
        17⤵
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38709331-0b52-4502-b1db-2d4aae40edc2.vbs"
        15⤵
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a08604-6e89-47bf-933c-aac66e343f97.vbs"
        13⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd8105b6-dcc3-40cd-9f2b-fb6e2babcc5d.vbs"
        11⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\781ed1e7-1c56-458d-9c33-b662238c3370.vbs"
        9⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c150316-cf0c-4968-b67d-50b90a10ff4a.vbs"
        7⤵
        
        PID:2028
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61c00a8e-583f-4a83-86c4-a8001d292302.vbs"
        5⤵
        
        PID:1368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea594277-cf8c-4378-b77b-c05b10f16835.vbs"
    3⤵
    PID:448
- C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
  C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe
  2⤵
  - Executes dropped EXE
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe

Filesize
1.7MB

MD5
2ea92336aa3f912eaebfaf60e6251870

SHA1
5d3e63969000bc62c39e1db7f53d8647c6cdd1d2

SHA256
e74c6c745fd15e4d74a561c878e739bfa8173dc89bb9838d6b7f02757822015b

SHA512
dc46e869807cff0d83a1af991b38495ab877082403053638b20bb5def135e6d8cc4462cda024233374d2ae2c9f829d8db2dc16b5b92831e112d488de2527bb4d

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe

Filesize
1.7MB

MD5
0624cb81236f6a0e8d0487a766458088

SHA1
36ea7baa5b367c60269eb1a277bd5ad4bc41b54b

SHA256
6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8

SHA512
742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe

Filesize
1.7MB

MD5
f6803c404e4d7c790669592869d7177b

SHA1
eade66424e255c76c63d6c7e927375cbff696c5b

SHA256
0a394b048fcd766d3a7268067a16eaf9bc9e98c47503fbec9f2798f113136c85

SHA512
ebe336c1f8dc7a5563ba0e6d77c8c4f9fe2e3c6ebb1c5bcdb3f25218f30e04aeed7be56f74557fd0ffffe800e46351f886e1944485132d85fe61d778a7ab698e

Download Submit
C:\Users\Admin\AppData\Local\Temp\27467a90-19fe-440a-8975-63adc9a8d292.vbs

Filesize
750B

MD5
f4317a04016d8160ea2a6041a2982ecb

SHA1
81ccfaee1b019223ee4cf5c651581fd01971743b

SHA256
5133db1b1249b2650f879b35e295b4b3837efd3a004e7e20b61b82d29237337f

SHA512
529bf16d4f3f226c09aee60f0691055ff35aeb0910340386b1bcee0a381bf832e668e6ef1d0439098bb2363edcba6c6abd07c0ee12c350b98c87bd85b330b276

Download Submit
C:\Users\Admin\AppData\Local\Temp\32be462e-17c9-44a7-8561-d4bed576c908.vbs

Filesize
751B

MD5
8b0406c012e86150a79c2a8355307a5f

SHA1
4f1df04e4308df1cc97e129b29b80f31910616c5

SHA256
f7ca38aea0be7c5037bb844303fb159541943d56fd50d5f63c8daf3140133202

SHA512
25b1260d2069d8f9c5d517627cf7d9b831d86db6c771b78eb6d91fc4b1b81fe0b782117ecc3f1cdf3ff743241356387802563047168c657ae0f5b24886aeeee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e991016-c98b-4faf-9459-d2f884e3a19a.vbs

Filesize
751B

MD5
bb1904cd3c1c80e808a6704adf8f5281

SHA1
613c5040e6af6b9c4295315e0bda282d63eb73d7

SHA256
5423ddafde261e0b47d5a0741dcba838650c6038f4d70307afbe3896fdd885bb

SHA512
2dfc594fd50c964c8a53446e5c26a57c4fdc82a63d072cf4e21cbf48214655497e6c554afec1ae9ea6c10922e924611a833f5498ade928a6c800f55b7d670e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\519a98c4-3e38-4828-863b-5608f22ced29.vbs

Filesize
751B

MD5
0a270ab20d5c6256cdc23d90614ce2b2

SHA1
8dc6992f1a5740c80437678dc72f0ecc7d3b59d6

SHA256
bb27bfc59af12d87c4c222d85ae21818541759097fcbfdab66bdb5e1e3a26120

SHA512
a503ac32f88b2b6fd8bc56cbccef7cc90ba294e1abcba5656442687a71ab0163805c3c03f6801787e69ebc953631a705d5f3368891c6fd5b24662502e5b01b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b4df1c8-e5c0-49a5-bf71-07bba7add470.vbs

Filesize
751B

MD5
0ce0b4d4b4365380e812e66a9f62d888

SHA1
195c3aea66c778e3f5fb3b4030fda1053c7922bb

SHA256
3d2a0aa31cdce42b7ac66cb3f80c0ac8f00e35f5778b2cf2414bba5adfec95cf

SHA512
55bed0f7e4534f0d7649fed3968d43e5ee45ef9c7b507ec6f9e0bd5373180d6051b30823e432d46a44d4f0714586e4c3a958c3c1631d1be59c02bb9be934c94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fde79a2-8336-4e3a-bc90-60ce7e82e01a.vbs

Filesize
751B

MD5
25c99886c3847bc1ab87819b63a43d0e

SHA1
d68bf1d5ca194af687a849c2e9377edf9c96e7c1

SHA256
626f91825b008b6415ffd7029fcf2471ae45f8ddb9ee6af5e9b731d031b0e47f

SHA512
62a67b72ffad79d09fc24a1a290cd31deab5554b39e63e6178d78c526c22e549efde3ac0e4d09ef60e0a0490c0ae781ed3dcc34aa698abfc41268975920c8d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\644c47c8-042d-46cd-b3f3-d5a7c2f675db.vbs

Filesize
751B

MD5
fc2c34f414bfe2d75ec3cc2e31e116a8

SHA1
635c0c1d8dfe227f6b5dac9b5f9bc2d06f53bb05

SHA256
51c460903c6d1488a26e178a045148b32addb519ea3d247eb561e4b7c55adb4a

SHA512
c2b1a750b8053e0005c739e4ccd72add176bc4809e8411d041186c81ea9c940c99b4e49dcf756db3cf9cbf337a9be2f1fa9d2f18895bbcd6834c54d6d63c14b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\706b0cd1-d363-4222-8b35-d4e6dc0bf382.vbs

Filesize
750B

MD5
3f8a3c65a032c1d95aa5eb982ca368d3

SHA1
c08f213d77a9d741d2a77f9f80608a3817bda1e8

SHA256
b0a4dbef1e9c52806c8680a1ed644e133bf78aa0811e1b70b060e0297c47381e

SHA512
b2821ebe3f271c17941e3421c729ac226e7e0435e12fc80c1a06d7b63569af0fa2b49a493bf54f5ca6f17ac81fc92858c073c16cf132b61796c6bf2d3f0b2831

Download Submit
C:\Users\Admin\AppData\Local\Temp\848020ea-d282-40f7-8c44-1366eab4d797.vbs

Filesize
750B

MD5
ad28dcd74f2397d640f0a978ec147a3a

SHA1
2ead0f2f901aff133459a1f4024b787599ca4711

SHA256
e322d869769889661996e2c57278e7555a7e064f818be86226a080b3747c92f8

SHA512
3f764adc036430ef62936cc3c797564386934dd411cc3f7444ddb688940a2b5beed1ba17b5a77cc9c07f00084e54fe3b2fe9b121f442b3cccd34fdc4d371a487

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d97ac76-4cac-4906-a147-bef13b33389e.vbs

Filesize
527B

MD5
2a47634b7db66349e6460bbc57ced768

SHA1
07424e66ec2e6356043b8fc458334df565a89640

SHA256
a209c7130497794fd858fc7beaa050607551b39c9ee69f7ebda8d7b0b281650f

SHA512
405ac2d1ec607e731af4916d8847a48db07dba08b61dad2b473600918e4f26221cc9039e099aaca336f7a095e3a3fa036e1db18a2efeaf06935d5875ca11200e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd6ed3e7-3c6f-44fa-81e5-523171321def.vbs

Filesize
737B

MD5
ea8aea9ad93e701123c94de705b51d39

SHA1
e5a6674ec1d21548f92b20262677f192639dd032

SHA256
028f49f4449fcb12c1e28214dd40190c915f4fbcec3baff81cd1f8ed2b0c6d96

SHA512
89ad5bc0de2efca6469d7a65dbcc0ec1ac5731bb6223724d8c2c677da6ede8127d82a0134699ca9b15ae15610ffaa9f4ad934e609282dd440be628ca7bc76b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\caaab5ca-392e-47b5-bf81-9d770cd9b0bc.vbs

Filesize
751B

MD5
773048f940c0e7dd394b7c83fb5b5fb7

SHA1
bade6b651a4e7f9fbfe49756578a785400085db1

SHA256
33fa65401356a944ad483484117ba3a4435bdde73082ef36da2134acbf7f77bf

SHA512
9c78f83dc3d6d6a56fea9204bafedd9824713f8698e09abd26763c2ab9793032b347c7f60143069234c4fce519701113eebc900eef07526cfae05e7902d96865

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9295220-f993-443c-bba5-5634b2b59e53.vbs

Filesize
751B

MD5
d5b7b36d8c6d5fd86770dfc6bda8ab04

SHA1
47ad45b527ffc9e62ac056830a5fd0261d9ae1f5

SHA256
7aed1311f8e4f081e1fd8e5d4fa70c9b4032096a71ab9971495680e448849b6d

SHA512
33af8d242c65fa86bf049e4c1e638eaa88450d28265e840b543d998edf23a21386079195b5ddf15ec493cfa4eaf6b955d4c8a1103c15f0ce8600de532ea90ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\edb70889-75a4-4083-8469-075887fc5f0a.vbs

Filesize
751B

MD5
da2c1982d0ad65e9fe503af6b89a8774

SHA1
33c32860238c7dc7d00fb0eeded140e081f3e71c

SHA256
0da4cf9870ebc6cb5794fdc76879b50b278a12b6b2b43c0c377f958873fb2ffd

SHA512
0ddc977332cfd8b611535998a51fa3fb29846e197dd9277d18c875f387b284644561ace0742e2e7be9c491f12f2fd679d872cc2fb133eb90a1ffc1801356bfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f13fe814-2e61-487a-ad10-c23fe31698da.vbs

Filesize
513B

MD5
5a3135e55493b2634ba53cd66dca6889

SHA1
0057e1fc4afa7a8c489c73c96bbb133057523289

SHA256
401452346c9e2f5ab7b183d3138359788ad9919947421ee4e421679b5ce00ee2

SHA512
97b1bfba9d8e28dff31443ed13f0d899048a97aeaee35ede700bf689fc69a8a64c62da95cf8e4461b6f87d38f581dfa7223239495ba34c583642fe42abdc19d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9839310-8cbf-4b73-82c4-5ded153c1161.vbs

Filesize
751B

MD5
b2e21e435b71b23ea3bb9cdee3a42587

SHA1
ec7edf42ba154337cc167b49c692a665d9da53dd

SHA256
f9513ad6415825e13efb68f3caa014670bc063d57163e41d83cc0b7426b0976e

SHA512
d75e4a2a074bb41e9813282bbf112a5336b39c9a4ef4a7f76f627fa6eac8effae00964e4b80e8af4d52a14337c240517227f9000d07dbcb9341b3179af4f0edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb2ad20c-ec09-47e4-b3d4-df60510e2e55.vbs

Filesize
751B

MD5
0a27809b0cdd6bc2b8b094dad5e9e1c0

SHA1
2551d347cae314191e631d7e701a643a862bca4d

SHA256
77ed6bef7ce5618fb1b7caab7806aa606cc397651efa2ca4571412238c35b441

SHA512
d462a6a5ba045cf19175c68c26ad8beb9cac4d96ae18c8d8a1539fbe7eed4e2dfa26296115b84071fcc3aa0f89f4d0233186ec1c271e8fb5abf73a2d1a5cd9b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ebee606ef5f2814d033094a66e7edc51

SHA1
965906d7dae0e14e8c3ddbd48c4db46195f11923

SHA256
08007513501afad1f768b32f55559b1e660570d226f1957f51e0ba305d03dafa

SHA512
cda98addfe4bc62eeaa60f0e6b16a2ded075910c5c7f25dd4ba9538012787c7e634de5fe9615d77f090cf05917d9d06a6582868fe35174af20a3c889a70bbf80

Download Submit
memory/284-500-0x0000000000100000-0x00000000002C0000-memory.dmp

Filesize
1.8MB

Download
memory/288-566-0x0000000001340000-0x0000000001500000-memory.dmp

Filesize
1.8MB

Download
memory/664-460-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/692-412-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/692-411-0x00000000012F0000-0x00000000014B0000-memory.dmp

Filesize
1.8MB

Download
memory/692-232-0x00000000000E0000-0x00000000002A0000-memory.dmp

Filesize
1.8MB

Download
memory/696-631-0x0000000000210000-0x00000000003D0000-memory.dmp

Filesize
1.8MB

Download
memory/708-244-0x0000000000DE0000-0x0000000000FA0000-memory.dmp

Filesize
1.8MB

Download
memory/840-395-0x0000000001100000-0x00000000012C0000-memory.dmp

Filesize
1.8MB

Download
memory/848-387-0x0000000000150000-0x0000000000310000-memory.dmp

Filesize
1.8MB

Download
memory/912-525-0x0000000001060000-0x0000000001220000-memory.dmp

Filesize
1.8MB

Download
memory/1000-256-0x0000000001320000-0x00000000014E0000-memory.dmp

Filesize
1.8MB

Download
memory/1036-313-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1160-582-0x0000000000110000-0x00000000002D0000-memory.dmp

Filesize
1.8MB

Download
memory/1268-427-0x0000000000160000-0x0000000000320000-memory.dmp

Filesize
1.8MB

Download
memory/1380-527-0x0000000000E20000-0x0000000000FE0000-memory.dmp

Filesize
1.8MB

Download
memory/1508-599-0x00000000012C0000-0x0000000001480000-memory.dmp

Filesize
1.8MB

Download
memory/1548-590-0x0000000001180000-0x0000000001340000-memory.dmp

Filesize
1.8MB

Download
memory/1548-591-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1560-526-0x00000000001C0000-0x0000000000380000-memory.dmp

Filesize
1.8MB

Download
memory/1560-622-0x00000000002F0000-0x00000000004B0000-memory.dmp

Filesize
1.8MB

Download
memory/1560-623-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/1608-517-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1608-516-0x0000000000CA0000-0x0000000000E60000-memory.dmp

Filesize
1.8MB

Download
memory/1664-112-0x0000000001200000-0x00000000013C0000-memory.dmp

Filesize
1.8MB

Download
memory/1732-665-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1732-664-0x0000000001010000-0x00000000011D0000-memory.dmp

Filesize
1.8MB

Download
memory/1856-581-0x00000000002D0000-0x0000000000490000-memory.dmp

Filesize
1.8MB

Download
memory/1868-290-0x00000000013A0000-0x0000000001560000-memory.dmp

Filesize
1.8MB

Download
memory/1924-673-0x00000000012E0000-0x00000000014A0000-memory.dmp

Filesize
1.8MB

Download
memory/2080-123-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2080-125-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2104-476-0x0000000000360000-0x0000000000520000-memory.dmp

Filesize
1.8MB

Download
memory/2112-688-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2132-492-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/2204-484-0x00000000013D0000-0x0000000001590000-memory.dmp

Filesize
1.8MB

Download
memory/2276-452-0x0000000000DC0000-0x0000000000F80000-memory.dmp

Filesize
1.8MB

Download
memory/2288-648-0x0000000000350000-0x0000000000510000-memory.dmp

Filesize
1.8MB

Download
memory/2296-370-0x0000000000010000-0x00000000001D0000-memory.dmp

Filesize
1.8MB

Download
memory/2296-371-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/2484-220-0x0000000000AE0000-0x0000000000CA0000-memory.dmp

Filesize
1.8MB

Download
memory/2552-435-0x0000000000AB0000-0x0000000000C70000-memory.dmp

Filesize
1.8MB

Download
memory/2592-558-0x0000000001330000-0x00000000014F0000-memory.dmp

Filesize
1.8MB

Download
memory/2632-508-0x0000000000B70000-0x0000000000D30000-memory.dmp

Filesize
1.8MB

Download
memory/2644-208-0x00000000002C0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/2724-379-0x0000000001270000-0x0000000001430000-memory.dmp

Filesize
1.8MB

Download
memory/2728-15-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2728-6-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2728-20-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-17-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/2728-1-0x0000000000260000-0x0000000000420000-memory.dmp

Filesize
1.8MB

Download
memory/2728-2-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-16-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/2728-13-0x0000000002220000-0x000000000222A000-memory.dmp

Filesize
40KB

Download
memory/2728-14-0x0000000002210000-0x000000000221E000-memory.dmp

Filesize
56KB

Download
memory/2728-12-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/2728-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2728-11-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/2728-4-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2728-0-0x000007FEF4E53000-0x000007FEF4E54000-memory.dmp

Filesize
4KB

Download
memory/2728-9-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2728-113-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-8-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2728-5-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2728-7-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2784-196-0x00000000001A0000-0x0000000000360000-memory.dmp

Filesize
1.8MB

Download
memory/2844-639-0x0000000000180000-0x0000000000340000-memory.dmp

Filesize
1.8MB

Download
memory/2844-640-0x0000000002050000-0x0000000002062000-memory.dmp

Filesize
72KB

Download
memory/2896-550-0x00000000003F0000-0x00000000005B0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-333-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/2916-332-0x0000000000840000-0x0000000000A00000-memory.dmp

Filesize
1.8MB

Download
memory/2920-696-0x0000000000230000-0x00000000003F0000-memory.dmp

Filesize
1.8MB

Download
memory/2936-403-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/2948-443-0x0000000000220000-0x00000000003E0000-memory.dmp

Filesize
1.8MB

Download
memory/2948-444-0x0000000002080000-0x0000000002092000-memory.dmp

Filesize
72KB

Download
memory/2968-614-0x0000000001380000-0x0000000001540000-memory.dmp

Filesize
1.8MB

Download
memory/2980-535-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2980-656-0x00000000003D0000-0x0000000000590000-memory.dmp

Filesize
1.8MB

Download
memory/2980-468-0x0000000000350000-0x0000000000510000-memory.dmp

Filesize
1.8MB

Download
memory/3036-341-0x00000000011E0000-0x00000000013A0000-memory.dmp

Filesize
1.8MB

Download