dcrat | e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
27s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
Size

1.6MB
MD5

1d5a1ae245a5e111a2587dbdb7dce8af
SHA1

c3e74dedff703865d0455ab498b2fd3cb6e7aa00
SHA256

c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e
SHA512

75f5d287ebc247ac0aa2825dcb784894b31b4665a52994b0154ce9c1386dacb3fb72affaa32d9e86729e7da28f91c9c7f8eb2c755ac44c77c3c095e304ab367c
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5568	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5644	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5696	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5816	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5736	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6008	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5304	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	5312	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	5312	schtasks.exe	89

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral14/memory/3292-1-0x00000000000D0000-0x0000000000272000-memory.dmp	dcrat
behavioral14/files/0x00070000000242b5-26.dat	dcrat
behavioral14/files/0x00080000000242b0-110.dat	dcrat
behavioral14/files/0x000b0000000242b5-133.dat	dcrat
behavioral14/files/0x00090000000242bc-144.dat	dcrat
behavioral14/files/0x00080000000242c4-161.dat	dcrat
behavioral14/files/0x00090000000242c4-189.dat	dcrat
behavioral14/files/0x000b0000000242c7-201.dat	dcrat
behavioral14/files/0x00090000000242ce-212.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
116	powershell.exe
212	powershell.exe
2452	powershell.exe
1432	powershell.exe
2780	powershell.exe
744	powershell.exe
4484	powershell.exe
3224	powershell.exe
4672	powershell.exe
3320	powershell.exe
1752	powershell.exe
1536	powershell.exe
3016	powershell.exe
2316	powershell.exe
5956	powershell.exe
4424	powershell.exe
4444	powershell.exe
2252	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 2 IoCs

pid	Process
5940	Registry.exe
8	Registry.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\55b276f4edf653	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCX8368.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\886983d96e3d3e	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCX82F9.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX917D.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\eddb19405b7ce1	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\e6c9b481da804f	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX8F78.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX856C.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCX85DB.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX8EFA.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX91EB.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\uk-UA\ee2ad38f3d4382	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Web\Screen\RCX8CE5.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Web\Screen\RCX8CE6.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Web\Screen\csrss.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\PolicyDefinitions\uk-UA\RCX9953.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\PolicyDefinitions\uk-UA\RCX9982.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\Web\Screen\886983d96e3d3e	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\PolicyDefinitions\uk-UA\Registry.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\Web\Screen\csrss.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\PolicyDefinitions\uk-UA\Registry.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	Registry.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5644	schtasks.exe
1388	schtasks.exe
5696	schtasks.exe
2184	schtasks.exe
5736	schtasks.exe
512	schtasks.exe
4364	schtasks.exe
1596	schtasks.exe
4120	schtasks.exe
4924	schtasks.exe
2332	schtasks.exe
2352	schtasks.exe
4976	schtasks.exe
5304	schtasks.exe
3176	schtasks.exe
4676	schtasks.exe
4724	schtasks.exe
2064	schtasks.exe
4804	schtasks.exe
4704	schtasks.exe
5116	schtasks.exe
2348	schtasks.exe
2000	schtasks.exe
2400	schtasks.exe
2224	schtasks.exe
5108	schtasks.exe
448	schtasks.exe
5568	schtasks.exe
1836	schtasks.exe
2440	schtasks.exe
4612	schtasks.exe
3728	schtasks.exe
4936	schtasks.exe
1380	schtasks.exe
5004	schtasks.exe
3456	schtasks.exe
5816	schtasks.exe
4940	schtasks.exe
1868	schtasks.exe
6008	schtasks.exe
4836	schtasks.exe
4168	schtasks.exe
3576	schtasks.exe
3516	schtasks.exe
4732	schtasks.exe
4608	schtasks.exe
2344	schtasks.exe
2468	schtasks.exe
5032	schtasks.exe
4840	schtasks.exe
2276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
4444	powershell.exe
4444	powershell.exe
4424	powershell.exe
4424	powershell.exe
1752	powershell.exe
1752	powershell.exe
2252	powershell.exe
2252	powershell.exe
744	powershell.exe
744	powershell.exe
5956	powershell.exe
5956	powershell.exe
1432	powershell.exe
1432	powershell.exe
2452	powershell.exe
2452	powershell.exe
3320	powershell.exe
3320	powershell.exe
1536	powershell.exe
1536	powershell.exe
4672	powershell.exe
4672	powershell.exe
212	powershell.exe
2316	powershell.exe
2316	powershell.exe
212	powershell.exe
4484	powershell.exe
4484	powershell.exe
2780	powershell.exe
2780	powershell.exe
116	powershell.exe
116	powershell.exe
3016	powershell.exe
3016	powershell.exe
3224	powershell.exe
3224	powershell.exe
2452	powershell.exe
1536	powershell.exe
4484	powershell.exe
4672	powershell.exe
116	powershell.exe
4444	powershell.exe
4444	powershell.exe
1432	powershell.exe
744	powershell.exe
744	powershell.exe
5956	powershell.exe
5956	powershell.exe
1752	powershell.exe
1752	powershell.exe
2252	powershell.exe
2252	powershell.exe
4424	powershell.exe
4424	powershell.exe
3320	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	5956	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	5940	Registry.exe
Token: SeDebugPrivilege	8	Registry.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2452	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	146
PID 3292 wrote to memory of 2452	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	146
PID 3292 wrote to memory of 3320	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	147
PID 3292 wrote to memory of 3320	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	147
PID 3292 wrote to memory of 4444	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	148
PID 3292 wrote to memory of 4444	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	148
PID 3292 wrote to memory of 4672	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	150
PID 3292 wrote to memory of 4672	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	150
PID 3292 wrote to memory of 4424	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	151
PID 3292 wrote to memory of 4424	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	151
PID 3292 wrote to memory of 212	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	153
PID 3292 wrote to memory of 212	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	153
PID 3292 wrote to memory of 116	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	154
PID 3292 wrote to memory of 116	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	154
PID 3292 wrote to memory of 3224	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	155
PID 3292 wrote to memory of 3224	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	155
PID 3292 wrote to memory of 5956	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	157
PID 3292 wrote to memory of 5956	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	157
PID 3292 wrote to memory of 2316	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	158
PID 3292 wrote to memory of 2316	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	158
PID 3292 wrote to memory of 3016	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	159
PID 3292 wrote to memory of 3016	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	159
PID 3292 wrote to memory of 1432	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	161
PID 3292 wrote to memory of 1432	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	161
PID 3292 wrote to memory of 4484	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	226
PID 3292 wrote to memory of 4484	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	226
PID 3292 wrote to memory of 744	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	163
PID 3292 wrote to memory of 744	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	163
PID 3292 wrote to memory of 2780	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	164
PID 3292 wrote to memory of 2780	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	164
PID 3292 wrote to memory of 1536	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	165
PID 3292 wrote to memory of 1536	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	165
PID 3292 wrote to memory of 1752	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	166
PID 3292 wrote to memory of 1752	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	166
PID 3292 wrote to memory of 2252	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	168
PID 3292 wrote to memory of 2252	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	168
PID 3292 wrote to memory of 2092	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	182
PID 3292 wrote to memory of 2092	3292	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	182
PID 2092 wrote to memory of 4832	2092	cmd.exe	184
PID 2092 wrote to memory of 4832	2092	cmd.exe	184
PID 2092 wrote to memory of 5940	2092	cmd.exe	186
PID 2092 wrote to memory of 5940	2092	cmd.exe	186
PID 5940 wrote to memory of 5976	5940	Registry.exe	187
PID 5940 wrote to memory of 5976	5940	Registry.exe	187
PID 5940 wrote to memory of 4584	5940	Registry.exe	188
PID 5940 wrote to memory of 4584	5940	Registry.exe	188
PID 5976 wrote to memory of 8	5976	WScript.exe	189
PID 5976 wrote to memory of 8	5976	WScript.exe	189
PID 8 wrote to memory of 4616	8	Registry.exe	190
PID 8 wrote to memory of 4616	8	Registry.exe	190
PID 8 wrote to memory of 4440	8	Registry.exe	191
PID 8 wrote to memory of 4440	8	Registry.exe	191

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
"C:\Users\Admin\AppData\Local\Temp\c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\Logs\User\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Screen\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\uk-UA\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TMTpWtvwnJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4832
- - C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
    "C:\Windows\PolicyDefinitions\uk-UA\Registry.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5940
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62ac7b21-4105-47e5-b164-8b64af9c6121.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5976
    - - C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1f1e5b1-48c4-45ba-bc14-1ae16744e0fc.vbs"
        6⤵
        
        PID:4616
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        7⤵
        
        PID:5532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddddc9c9-6177-438c-ab86-91210f49e4eb.vbs"
        8⤵
        
        PID:5504
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        9⤵
        
        PID:4884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97bb53d7-7a51-40b1-a39b-fa2fe3d5bae6.vbs"
        10⤵
        
        PID:5964
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        11⤵
        
        PID:5180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4037ed29-3447-4f92-86d8-09521530d607.vbs"
        12⤵
        
        PID:5968
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        13⤵
        
        PID:4744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a916d606-f8e9-4eaf-9429-9557c9c793e6.vbs"
        14⤵
        
        PID:432
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        15⤵
        
        PID:5452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1397119-f8ae-48c5-80e6-d488c747b59d.vbs"
        16⤵
        
        PID:4636
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        17⤵
        
        PID:1460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9435049-0742-44ae-ad99-6b413c1b414c.vbs"
        18⤵
        
        PID:2440
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        19⤵
        
        PID:4220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87eea3a8-428d-42e7-a194-f9a13ba2a9c9.vbs"
        20⤵
        
        PID:4304
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        21⤵
        
        PID:5224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4110f6e4-49bd-4ee5-895a-85f35fe64ca4.vbs"
        22⤵
        
        PID:5736
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        23⤵
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1acb78f-0ef4-485a-9e2d-c02f31e85fe2.vbs"
        24⤵
        
        PID:4484
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        25⤵
        
        PID:5180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09650ed2-1724-45d9-a560-82bc854f951a.vbs"
        26⤵
        
        PID:1560
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        27⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ac571b6-a4c5-4f24-baf3-a88bd8a9718e.vbs"
        28⤵
        
        PID:5076
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        
        C:\Windows\PolicyDefinitions\uk-UA\Registry.exe
        29⤵
        
        PID:5480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39726bfb-fbe6-44ad-a53e-642ceee4374d.vbs"
        28⤵
        
        PID:4232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5642248-fc1c-4e6d-9d7a-d1b9487e9bf8.vbs"
        26⤵
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\991f1038-5cd7-492e-89d4-bcbbb5663c1a.vbs"
        24⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\853b2c10-90bc-423c-a20e-6ee2e73c37f8.vbs"
        22⤵
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8bfaaa6-32f6-47a1-b535-a2946a3d9395.vbs"
        20⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\052c4a5f-22aa-4e34-a61c-e4220486f8b4.vbs"
        18⤵
        
        PID:4652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22742b81-911a-404d-b972-88b44928af75.vbs"
        16⤵
        
        PID:3776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1d2852f-305a-4067-ae46-f5cfc7798fb7.vbs"
        14⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03904779-2901-4657-af20-94a873275d0c.vbs"
        12⤵
        
        PID:5392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fcc2071-ba67-4dc7-8c59-da4e00083e45.vbs"
        10⤵
        
        PID:4576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20c9ad39-5540-4dc3-80d4-81d02c57861e.vbs"
        8⤵
        
        PID:6116
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14b638ca-da67-4598-b7e2-4b8495bcb822.vbs"
        6⤵
        
        PID:4440
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e1462cc-7834-4696-b87b-5b4fbc7f27db.vbs"
      4⤵
      PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\900323d723f1dd1206\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\USOShared\Logs\User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\60739cf6f660743813\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\900323d723f1dd1206\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\Screen\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Screen\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\60739cf6f660743813\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\uk-UA\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\uk-UA\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\unsecapp.exe

Filesize
1.6MB

MD5
d45456effbab81c1dfb27c356503e937

SHA1
d3a46a07cdad77f92acaea177f0a44ec7d279554

SHA256
a83604ef85f3b5a4a83fde69af06f64a1553001c492a0373790b0cb80ef5cc59

SHA512
6005a227127c3782e828091ebe32ffebcd6285d8a82737e3a76405e17fcde8b7369d89c46f6a397eb66c144d559f8ad9612e94c4a8e90914e8d96de0171888b3

Download Submit
C:\900323d723f1dd1206\RCX8A62.tmp

Filesize
1.6MB

MD5
9242e52c0855efecb0f2176f6ef4becc

SHA1
61dd874e64fd6f371f7ecc351a64caa409a6c026

SHA256
c54a9d7e90d4ad06ec2f6b7603e0ccb88d154ed17b23d1d082883ae502f7cc31

SHA512
2b4e1d422052346240419e600da5bbcb361ac037a011bb59a720bfcc37090aafe062b69b2edecfbe31fd43f5d30bdfeade1b52edb9e3324d5781012036a63488

Download Submit
C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe

Filesize
1.6MB

MD5
11fd5f458883690b36d062d5b35e97ce

SHA1
7853fbe5bf47025898d71fc3ed0df3b6eb064f6f

SHA256
4df09ce835f266cd228effa64a3a9a001a9d7757de9c89c00213e414a88aa2d2

SHA512
fc806521ddf89a9409c7fddb1040ede9c3aba6d80332e21c4a4ac4adfd098122c0f89777fd0dc8862a034bad887b14884266da375097407f245588762022d179

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\en-US\OfficeClickToRun.exe

Filesize
1.6MB

MD5
6aca0f8f7f5296acaab08af0b699f809

SHA1
03eb6fe2db2c0bc9667b9c876c1db79a1060dec6

SHA256
fadb629ad5502e23e58e28e46f8e5eeb09acd4adf9f768b330b5d09fb776b0e8

SHA512
5e1bcaf4ec2a22357a75eb90302c876f678b580fc5b6c5250d10c9c7f131b9e347abe7171603e45b84170f6f46450cfd163d0f9b33617daf4763965106addfed

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\it-IT\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
e9e7f8eef333e50f947595957bf3c29b

SHA1
5203877d04a18847918e01f5f2b6a3fe734b38bd

SHA256
fd91fe0ff538d156294967504504a347a82432c7a50866ae0292ca78b6c0e367

SHA512
833633c4071e7d9aafe19cb9dabfddaed67dc30862acfa031e41ca9df3ce5a8d8ef1778e0181a506508533be507c472c25e32e14d49a36d6221624ba11bded31

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backgroundTaskHost.exe

Filesize
1.6MB

MD5
a0ca2504349339fdd4c5918b21e36d6e

SHA1
db74d9e6b29850ae0bf71349d939c36671da33e4

SHA256
7dea6ec1d01c9ec139e9ebb062f86e0b375114258e56d757d91edf74a8eb599e

SHA512
ec77da8014e98848e0dd13724b8e2c585c354a91388d34a4a03d1248a95cbd4c4e3956298b3f81e3d8bc75da394ffa277195dadf20837e2c24af6cb31a07dc49

Download Submit
C:\ProgramData\USOShared\Logs\User\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
1d5a1ae245a5e111a2587dbdb7dce8af

SHA1
c3e74dedff703865d0455ab498b2fd3cb6e7aa00

SHA256
c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e

SHA512
75f5d287ebc247ac0aa2825dcb784894b31b4665a52994b0154ce9c1386dacb3fb72affaa32d9e86729e7da28f91c9c7f8eb2c755ac44c77c3c095e304ab367c

Download Submit
C:\ProgramData\USOShared\Logs\User\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
259b1e090652f687f885a87c03d2d26d

SHA1
e5e7dd01dfb3feb94c7c68a11414c3ebe498f6f1

SHA256
9556354402e6e1991eedb1a709b9a5e6359b5ace388b4ce69056db9d229b919c

SHA512
0396bab629d7bed3ca5e9fd6dd3a05591ff1a1441d254275ee3f4cae673e97eb64e2b945d08d89bac11762e050e6c56ad8b3b36a1211a1cced031ea41146aa92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd95e4475b8798a58a9e9d19409c1eac

SHA1
571d070dd6315847c4ba334670beffd245a35c45

SHA256
d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729

SHA512
1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9191187d695b2965f2ceb651f0b37ee8

SHA1
b50a4038fb94c8aa7cff8d6941a4329b5b2ae8c7

SHA256
654a46452391ae3310ff9c6a4c820774e950276014fea044c41f007f6c335833

SHA512
90094f44f83470c88c4fcecb239f70e8e791b3b3da628c00676e3c4791766808b4e31c12beef2a7bc7d6a12d05bd8150888461ed1ef7e9eebc8697f6955d63bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b8971cf79836c5c5b3e0b1374dd496e8

SHA1
776b84e89302f50d9d5df06d0c3f6173cdec327c

SHA256
b6c4f309974137e8d1819e2746a1405e46c2434f60113deb8f4bd3ab1e99b613

SHA512
5ebd4446cf817c9f4dc96a3f07538d4bf1e302f060d000dd53ad51fa0ef00160675d1da9b022748fa58167090b323ce160f991845c2370aa457e3fc08be8a923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c8fd95453fe0d2e0f6d8e5ac03994b1

SHA1
d9811cf9d2b0d0ce3387fd79462cd592b005a634

SHA256
232dac927d663f4ed67a4f005da093bc9865c323767c29c3b4a21797f4a60e58

SHA512
f334216c706e96e85910bc14e7eeec0da3e6f4e9a8620108c938d997266939170aabfdfddd9830f454a34d0db503f8f0bbe63c910007bfd03f294f8a34945810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f29d4b03e157fa020f2b793683543af

SHA1
1b0603266b02dd38444489e0d5e18ee93b6b766a

SHA256
eec5516679b34fb0efe983a81cc19b0b5cf33fd3191d5d8fd5c3fb082a55d410

SHA512
b0cca3aa1373f813a7a16a1ca94b7e048d83f8875b28949d7ece9668c5cb847250d1468080a85e478833a8876b668a8a6e0ef4df4a289ca66badac3af00dc5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c7454a02e79188b5f4bbed86feed056d

SHA1
b10bdbef71097af6ff6fcc8e76095230f804bb20

SHA256
911d42b704879b39289785576d2907b784b2fc40ec2e921b3581ab37fc1a6ebc

SHA512
226d75a7a8bf505141f613a3a5bd455356217a9cfe74bd59aed9686bfc7667aea92395f434321d7f94697e5dcb5d568409f9071af620881d8c9f11abb0f5ebff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76c4d3c87da7e0fe580b97f942028fe6

SHA1
d182259b34f7c96471edd28e97470888ffe150d1

SHA256
d9f1c9c92ee57bbb51767eeba0cdab1c3b11d4cd735f07fc206b6f2014f15439

SHA512
23466bc0414638ac0d90ecf79e47c21fbe7a0308acb69d64b4cc72ae6cf045b66147c54ae7488ca76391b0fffd7c7ca39d093789b25af720b8a0e62f3e0841ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb615e25fa5c5d81a46365d6446ed714

SHA1
a57ba54012b1fb1920cfcf276424556d6dc547fc

SHA256
61387deb1626bfef8716a58b204fe05f3df45181550ac38a081c97409c8973fc

SHA512
75961d4e10c7387ca20add4c96b2c4ebb897de417a18b6c6ac9008baa7c0d38823db4797d42e423225c09314ebfe8b000aa9f659f2e992ac8eba8a071407414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
daa089218fdc061e9ac7982ae6f8d334

SHA1
02628c148f3d35f8e5e61060a2aa2c8757167238

SHA256
cdd7a4ffec6acd211d98541acf1d4d5ef2852fa4d73b4182392f04f1c6d165ec

SHA512
f59ae59d0b8906b1e9685501d2d2981b0dbb1e104e38353a26559ad1fce76f55d184bc14d56596f0e25c4e21a39fcdf66fd0d7472d3e301f1743715dd684e14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1462cc-7834-4696-b87b-5b4fbc7f27db.vbs

Filesize
499B

MD5
2bba5e10484c410d4a6f1a9034609e0b

SHA1
3ecc43aefd33201c3ef7e4ac5ad89784710f2ea9

SHA256
13f0bb03703c4807e882245afb05d43aefacbea704af76074d6b00ea1a61222a

SHA512
9b9de7e49e17386ef2b740cdbc78250810df5287f691071c31fc684e2f08240448036f2b5ba8cc0f505d370949e61c7a03ab061063c31c1208f87e9bb55c1b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4037ed29-3447-4f92-86d8-09521530d607.vbs

Filesize
723B

MD5
453c8aadc05f16d9f7d104b01c319418

SHA1
3787ce1a49d1415b660a40a361d744f8c4d15a12

SHA256
665fda6ac0a0f8c0c8cbcf097cff81a875e3c9889661ccd14e99ff39a3b5c872

SHA512
00b1e3a6537cd45aadcfff59e3d49a4dea1a7c2fa3839cc331e3da404eae00d3cea6ffe8945e6e3bcde1383db0d3668adfb0e2b5dccccf55ad7f92b06754e41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4110f6e4-49bd-4ee5-895a-85f35fe64ca4.vbs

Filesize
723B

MD5
e5a770bb1b30bb880c2cf5f360e6b58c

SHA1
bb7a9858c4d86c5e60140d88a8480b915a37b4e7

SHA256
9a54e96f5613c987784d5c654c102ee4ad7f9416b4e9cf48cee8922e2228f2c6

SHA512
7eb2e826c740de6730345b8971eb76b0dc2c64fcfb0a76879854a2ed740423045af91923e6ead29ea3b98c453da2124fab2b74d8e1b114d4ac0d0df38fd7fa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62ac7b21-4105-47e5-b164-8b64af9c6121.vbs

Filesize
723B

MD5
10466ffd10da627bdb5588a76ed21aa2

SHA1
2cdd57ec8bbd65f7fff11bb7ac61790f5152c516

SHA256
af74c09e7f98063ebe35678f14c8d0c3606c30cdcb04fffb46ed9ccc9708dd5a

SHA512
ddde512f3e04266eca4295f1e521a4e62c671e53d87099e9051db7e50a22f2cfffdf9413a14ddd9a87e6cc60b615691cc0baa98f4c9729d039d0015ff6e697a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\87eea3a8-428d-42e7-a194-f9a13ba2a9c9.vbs

Filesize
723B

MD5
660a73f4147c1a67aedf30f0105aa520

SHA1
264da0f4a07c39e5f469d357e7dd468cb83854a6

SHA256
8533eb7c133e45901ed6c4c3f4fbffdea20495c65ffccbcc4db654aa0d85a983

SHA512
2ab6122470ecf95efa51e88e14c35d940c1ace657897bb1ad490369c5b81ae57365fd8d1067af3aa3181dcbf80a0264c21b9b120811d53a9e600b925d1debb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\97bb53d7-7a51-40b1-a39b-fa2fe3d5bae6.vbs

Filesize
723B

MD5
b6dfbc4919d089c4c1b2798fe518ed5b

SHA1
3563a059245b8b49e5fe26f079cdfb74879e98c3

SHA256
fa60c454634070941d67d4f3a470c9531eca4b7c3f8c2aad794d34e4bb2f3d6a

SHA512
545605467f11685c4fbad38a98f97f7820f2b78437ebfccae9caf89cff3c798d65fac5838d1478f0ef67a9ba655da4422501addef1455588ea6a3e37441d942b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMTpWtvwnJ.bat

Filesize
212B

MD5
f23b6f345f2f75cee0a10d4dc904068d

SHA1
9842b9926358afa81c47c5c4d18627d02d84483e

SHA256
1c8e5e536158490a19eace0434b34ea8259e2d350ebe6793b5230ba5cad1ec1d

SHA512
382eece683b9eb5d7fe8124093cb6b32226868445296e1b1464aa0db7094cf09b4d1c04af4937b1ce2e847c0694e19b4494d757e955e390ea44b434c48ec2a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ry4xtpyo.nyy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a916d606-f8e9-4eaf-9429-9557c9c793e6.vbs

Filesize
723B

MD5
4bdeeb56f2babe045dc71465ea398aa4

SHA1
8b26d4f2ba20e5684637357655bfaedecd41f5f3

SHA256
b2c8109ff91bb416c9b3eb4bb90e53cc7b382df32d1cd52398cc25f2ac131385

SHA512
68f481a29eb23b275a002102edcddcee9897a5dcc31e71d58a909962dcd3020485c97a9b0aada3ef97da47aac43e567b93457b7626c9e04112c07b4bffed3242

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9435049-0742-44ae-ad99-6b413c1b414c.vbs

Filesize
723B

MD5
78d537a33e41a85c03ebbb30a9b1fd55

SHA1
688cd872c122be349152975485e2e7a2e13e770e

SHA256
4d66135b64b7c158e647190bd38494a5f6caa9e0f2672b3d104c69f3058dae35

SHA512
a63191ae64d04029aa8cfadc7cf95889a775b539da870f73401ef9b129fb69a4b5ef8f59dc3d10bbc74603bbf9e853f31e51c655baa39f9c1ed81427905c151b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1f1e5b1-48c4-45ba-bc14-1ae16744e0fc.vbs

Filesize
720B

MD5
9a366679bc6dadcafdecb617e088593e

SHA1
d0850b90377da2712dafd5f4b9b664011e367d3e

SHA256
f44265f054457a5c879b3886310f01364d056ba0d06eb37914174178d7f01e36

SHA512
ef5e9e3ccdf3960b7dec3dbc31beeb8f33530aff29b594aea32594ff561c31f9f7ad6591e5630ef3ece8fef33dfc14b92b65e1972887be11007c2243a03c7e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1397119-f8ae-48c5-80e6-d488c747b59d.vbs

Filesize
723B

MD5
7ca9268137ee9fd5e6b053dd56e0bd68

SHA1
4a182da0b7979b560a97beaeb861d1c3f99b5aaf

SHA256
742a55abf6998bdf8c135fd85ac2f2d6f86fad84c4fb96ce56c6d5c70ae6bef3

SHA512
4def352dff9b66497e45250d52350475a97d01dd59cf81c4f6f0df78c8db55796c2a1ffeb853974c850666e8c01673baa3c7745098d09d74f81a33b3c71fd645

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddddc9c9-6177-438c-ab86-91210f49e4eb.vbs

Filesize
723B

MD5
65dbd54bd7dddfc30491bcab20568f38

SHA1
d1ddb8ab98522f3397ee8fa2ff9a3623075a5d28

SHA256
0fb1588ac2d95a05dc4a25d180c70ee596e74bf47ad4a75909bd4c72730ead0d

SHA512
64adfb9a4ea730bd794a80b5aaece023c903b2451c7947bbe04da9a095e8800500cfb1c4ce10da37e3d3ec17b9baf4076e191862d7f88bafbf7b4edecdd662b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1acb78f-0ef4-485a-9e2d-c02f31e85fe2.vbs

Filesize
723B

MD5
bc3bf793404965a3b60c5c2b7bf83e06

SHA1
863a36cc6320455e0e3f1532ae46c4632c0aaf2f

SHA256
b9c2f0c3a4b88e4239d48eb76e093eb92e4e6058bd3ec3269442f7c11ebd5f86

SHA512
9f8ae363f081eaad801add551a4ee6b6b1c62e1ebb1a8b99cbcc0ee0a1373193b2baf7634b420c221459a87f246dadd71f7add284190a972bba8b1df5f28d7dd

Download Submit
memory/3292-13-0x000000001AEE0000-0x000000001AEEE000-memory.dmp

Filesize
56KB

Download
memory/3292-15-0x000000001B750000-0x000000001B758000-memory.dmp

Filesize
32KB

Download
memory/3292-1-0x00000000000D0000-0x0000000000272000-memory.dmp

Filesize
1.6MB

Download
memory/3292-215-0x00007FFFD38A0000-0x00007FFFD4361000-memory.dmp

Filesize
10.8MB

Download
memory/3292-192-0x00007FFFD38A3000-0x00007FFFD38A5000-memory.dmp

Filesize
8KB

Download
memory/3292-3-0x000000001AD80000-0x000000001AD9C000-memory.dmp

Filesize
112KB

Download
memory/3292-9-0x000000001ADC0000-0x000000001ADC8000-memory.dmp

Filesize
32KB

Download
memory/3292-10-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

Filesize
48KB

Download
memory/3292-12-0x000000001AED0000-0x000000001AEDA000-memory.dmp

Filesize
40KB

Download
memory/3292-0-0x00007FFFD38A3000-0x00007FFFD38A5000-memory.dmp

Filesize
8KB

Download
memory/3292-14-0x000000001B740000-0x000000001B748000-memory.dmp

Filesize
32KB

Download
memory/3292-255-0x00007FFFD38A0000-0x00007FFFD4361000-memory.dmp

Filesize
10.8MB

Download
memory/3292-16-0x000000001B860000-0x000000001B86A000-memory.dmp

Filesize
40KB

Download
memory/3292-17-0x000000001B760000-0x000000001B76C000-memory.dmp

Filesize
48KB

Download
memory/3292-11-0x000000001AE40000-0x000000001AE4C000-memory.dmp

Filesize
48KB

Download
memory/3292-6-0x000000001ADA0000-0x000000001ADB6000-memory.dmp

Filesize
88KB

Download
memory/3292-8-0x000000001ADE0000-0x000000001ADF0000-memory.dmp

Filesize
64KB

Download
memory/3292-7-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/3292-4-0x000000001ADF0000-0x000000001AE40000-memory.dmp

Filesize
320KB

Download
memory/3292-5-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/3292-2-0x00007FFFD38A0000-0x00007FFFD4361000-memory.dmp

Filesize
10.8MB

Download
memory/4444-265-0x000001C4EEB70000-0x000001C4EEB92000-memory.dmp

Filesize
136KB

Download