dcrat | 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
Size

1.6MB
MD5

3f11fa2cd76162ff88f473e5ce7370bd
SHA1

c9d23fd0b96a490dd737f8cee733d2efdebe5b17
SHA256

0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624
SHA512

2c54a9e1dd2eb6cd53517f4731920bfa324aa867a81adefee61f1ec487ba1f38a2f403e0f083b73c489281f7956dad294e3c179bcf71e8392ec01c039be13c75
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5288	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5884	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4472	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4472	schtasks.exe	88

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/memory/3452-1-0x00000000004F0000-0x0000000000692000-memory.dmp	dcrat
behavioral4/files/0x00070000000242b3-26.dat	dcrat
behavioral4/files/0x0010000000024131-52.dat	dcrat
behavioral4/files/0x0005000000021603-142.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5852	powershell.exe
2528	powershell.exe
1708	powershell.exe
1492	powershell.exe
5116	powershell.exe
2536	powershell.exe
4420	powershell.exe
2468	powershell.exe
1364	powershell.exe
3200	powershell.exe
5368	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 15 IoCs

pid	Process
4844	StartMenuExperienceHost.exe
2156	StartMenuExperienceHost.exe
2116	StartMenuExperienceHost.exe
3624	StartMenuExperienceHost.exe
1668	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
728	StartMenuExperienceHost.exe
4948	StartMenuExperienceHost.exe
5932	StartMenuExperienceHost.exe
560	StartMenuExperienceHost.exe
1708	StartMenuExperienceHost.exe
5524	StartMenuExperienceHost.exe
5504	StartMenuExperienceHost.exe
2828	StartMenuExperienceHost.exe
6088	StartMenuExperienceHost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX8DC6.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX8DB5.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\winlogon.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX8FCB.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9039.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files\Windows Multimedia Platform\winlogon.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files\Windows Multimedia Platform\cc11b995f2a76d	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX840A.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\AppReadiness\RCX923E.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\AppReadiness\RCX923F.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\AppReadiness\sppsvc.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Windows\DigitalLocker\en-US\55b276f4edf653	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Windows\AppReadiness\sppsvc.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Windows\AppReadiness\0a1fd5f707cd16	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX8409.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4604	schtasks.exe
3940	schtasks.exe
1000	schtasks.exe
4344	schtasks.exe
4732	schtasks.exe
6128	schtasks.exe
2272	schtasks.exe
4360	schtasks.exe
4632	schtasks.exe
4776	schtasks.exe
3816	schtasks.exe
4768	schtasks.exe
3400	schtasks.exe
2560	schtasks.exe
2004	schtasks.exe
4864	schtasks.exe
1100	schtasks.exe
4892	schtasks.exe
4460	schtasks.exe
5288	schtasks.exe
5884	schtasks.exe
4552	schtasks.exe
4836	schtasks.exe
2608	schtasks.exe
4800	schtasks.exe
4880	schtasks.exe
5932	schtasks.exe
4740	schtasks.exe
3944	schtasks.exe
4256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
5852	powershell.exe
5852	powershell.exe
1492	powershell.exe
1492	powershell.exe
4420	powershell.exe
4420	powershell.exe
2468	powershell.exe
2468	powershell.exe
5116	powershell.exe
5116	powershell.exe
1364	powershell.exe
1364	powershell.exe
2536	powershell.exe
2536	powershell.exe
3200	powershell.exe
3200	powershell.exe
5368	powershell.exe
5368	powershell.exe
2528	powershell.exe
2528	powershell.exe
1708	powershell.exe
1708	powershell.exe
2468	powershell.exe
2536	powershell.exe
1708	powershell.exe
1492	powershell.exe
1364	powershell.exe
5368	powershell.exe
5852	powershell.exe
4420	powershell.exe
2528	powershell.exe
3200	powershell.exe
5116	powershell.exe
4844	StartMenuExperienceHost.exe
2156	StartMenuExperienceHost.exe
2116	StartMenuExperienceHost.exe
3624	StartMenuExperienceHost.exe
1668	StartMenuExperienceHost.exe
332	StartMenuExperienceHost.exe
728	StartMenuExperienceHost.exe
4948	StartMenuExperienceHost.exe
5932	StartMenuExperienceHost.exe
560	StartMenuExperienceHost.exe
1708	StartMenuExperienceHost.exe
5524	StartMenuExperienceHost.exe
5504	StartMenuExperienceHost.exe
5504	StartMenuExperienceHost.exe
2828	StartMenuExperienceHost.exe
2828	StartMenuExperienceHost.exe
6088	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
Token: SeDebugPrivilege	5852	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	5368	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	4844	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2156	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2116	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3624	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1668	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	332	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	728	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4948	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5932	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	560	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	1708	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5524	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5504	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2828	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	6088	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 5852	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	125
PID 3452 wrote to memory of 5852	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	125
PID 3452 wrote to memory of 2528	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	126
PID 3452 wrote to memory of 2528	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	126
PID 3452 wrote to memory of 1708	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	127
PID 3452 wrote to memory of 1708	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	127
PID 3452 wrote to memory of 1492	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	128
PID 3452 wrote to memory of 1492	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	128
PID 3452 wrote to memory of 5116	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	129
PID 3452 wrote to memory of 5116	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	129
PID 3452 wrote to memory of 2536	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	130
PID 3452 wrote to memory of 2536	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	130
PID 3452 wrote to memory of 4420	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	131
PID 3452 wrote to memory of 4420	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	131
PID 3452 wrote to memory of 2468	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	132
PID 3452 wrote to memory of 2468	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	132
PID 3452 wrote to memory of 1364	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	133
PID 3452 wrote to memory of 1364	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	133
PID 3452 wrote to memory of 3200	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	134
PID 3452 wrote to memory of 3200	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	134
PID 3452 wrote to memory of 5368	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	135
PID 3452 wrote to memory of 5368	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	135
PID 3452 wrote to memory of 536	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	147
PID 3452 wrote to memory of 536	3452	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	147
PID 536 wrote to memory of 2044	536	cmd.exe	149
PID 536 wrote to memory of 2044	536	cmd.exe	149
PID 536 wrote to memory of 4844	536	cmd.exe	152
PID 536 wrote to memory of 4844	536	cmd.exe	152
PID 4844 wrote to memory of 6084	4844	StartMenuExperienceHost.exe	153
PID 4844 wrote to memory of 6084	4844	StartMenuExperienceHost.exe	153
PID 4844 wrote to memory of 5424	4844	StartMenuExperienceHost.exe	154
PID 4844 wrote to memory of 5424	4844	StartMenuExperienceHost.exe	154
PID 6084 wrote to memory of 2156	6084	WScript.exe	155
PID 6084 wrote to memory of 2156	6084	WScript.exe	155
PID 2156 wrote to memory of 716	2156	StartMenuExperienceHost.exe	156
PID 2156 wrote to memory of 716	2156	StartMenuExperienceHost.exe	156
PID 2156 wrote to memory of 4740	2156	StartMenuExperienceHost.exe	157
PID 2156 wrote to memory of 4740	2156	StartMenuExperienceHost.exe	157
PID 716 wrote to memory of 2116	716	WScript.exe	168
PID 716 wrote to memory of 2116	716	WScript.exe	168
PID 2116 wrote to memory of 700	2116	StartMenuExperienceHost.exe	169
PID 2116 wrote to memory of 700	2116	StartMenuExperienceHost.exe	169
PID 2116 wrote to memory of 2528	2116	StartMenuExperienceHost.exe	170
PID 2116 wrote to memory of 2528	2116	StartMenuExperienceHost.exe	170
PID 700 wrote to memory of 3624	700	WScript.exe	171
PID 700 wrote to memory of 3624	700	WScript.exe	171
PID 3624 wrote to memory of 5200	3624	StartMenuExperienceHost.exe	172
PID 3624 wrote to memory of 5200	3624	StartMenuExperienceHost.exe	172
PID 3624 wrote to memory of 5736	3624	StartMenuExperienceHost.exe	173
PID 3624 wrote to memory of 5736	3624	StartMenuExperienceHost.exe	173
PID 5200 wrote to memory of 1668	5200	WScript.exe	174
PID 5200 wrote to memory of 1668	5200	WScript.exe	174
PID 1668 wrote to memory of 3176	1668	StartMenuExperienceHost.exe	175
PID 1668 wrote to memory of 3176	1668	StartMenuExperienceHost.exe	175
PID 1668 wrote to memory of 1372	1668	StartMenuExperienceHost.exe	176
PID 1668 wrote to memory of 1372	1668	StartMenuExperienceHost.exe	176
PID 3176 wrote to memory of 332	3176	WScript.exe	177
PID 3176 wrote to memory of 332	3176	WScript.exe	177
PID 332 wrote to memory of 3436	332	StartMenuExperienceHost.exe	178
PID 332 wrote to memory of 3436	332	StartMenuExperienceHost.exe	178
PID 332 wrote to memory of 4208	332	StartMenuExperienceHost.exe	179
PID 332 wrote to memory of 4208	332	StartMenuExperienceHost.exe	179
PID 3436 wrote to memory of 728	3436	WScript.exe	181
PID 3436 wrote to memory of 728	3436	WScript.exe	181

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
"C:\Users\Admin\AppData\Local\Temp\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jmx6rbFj4y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2044
- - C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
    "C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e0ccaf-f3e3-48d5-96a9-e5e5a4c21e12.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6084
    - - C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfd0fcdd-9f94-4ad1-9e91-2d3e8f170c1c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e342a2fe-ec4a-4e54-9dd6-946c5b330556.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eac97a5-c48d-4c1c-89a0-dc14c78cec15.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5200
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1fed703-63a0-40dc-b576-113afa1597e1.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9dd68a2-b263-4561-a2f3-76913d527d24.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\840ef1b5-6351-4fdd-8a18-9c3b2ab14155.vbs"
        16⤵
        
        PID:4796
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8f1d94-83fc-4916-9b3c-aa325b6400e8.vbs"
        18⤵
        
        PID:2712
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5915a086-5ba7-4426-ae81-0c0ca3a7ab21.vbs"
        20⤵
        
        PID:5408
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\175955b5-cfd6-46b5-8a91-9a7d5f650530.vbs"
        22⤵
        
        PID:5244
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9479c42b-c8f8-4802-b5d2-b392ae83d623.vbs"
        24⤵
        
        PID:5984
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f697e8be-34f6-47cf-a1fc-e124582800b7.vbs"
        26⤵
        
        PID:5796
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24581d79-0bac-44e6-9776-abd714f028d8.vbs"
        28⤵
        
        PID:5188
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\127f7ff5-ab62-4c04-be96-e1af7599a837.vbs"
        30⤵
        
        PID:1812
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        
        C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b7c0fbc-283d-4909-acca-5b4f362da454.vbs"
        32⤵
        
        PID:4788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2160eab-36f7-4ef5-857d-48cb03d4fcf6.vbs"
        32⤵
        
        PID:3680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca70582-9a73-40b0-ae8d-813c6dc0e439.vbs"
        30⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd5d9894-f93c-4d42-bc75-bf35a1a0a5ff.vbs"
        28⤵
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\343dfa82-d26b-4741-97b3-9e686f367304.vbs"
        26⤵
        
        PID:4052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4c879eb-97cf-42c1-82b0-606424d36744.vbs"
        24⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b015f50d-ffbf-4cdb-ac98-7af331e2cd46.vbs"
        22⤵
        
        PID:6056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c83da661-3394-4376-886a-894c88abc40b.vbs"
        20⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\242360b6-d3fb-47f9-b463-7a322e274e59.vbs"
        18⤵
        
        PID:5740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17a2dc97-73f7-4f1d-b1d8-0c8fffc3b93a.vbs"
        16⤵
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca00d5c-1560-4eb4-9834-b48bc81b83bb.vbs"
        14⤵
        
        PID:4208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d80c1062-4fad-4a83-a3c5-44d69c67ff95.vbs"
        12⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87c9d1db-362f-4aa8-a57d-8bb3cd60a8c8.vbs"
        10⤵
        
        PID:5736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a163ab73-f92c-41c0-b6a0-17f5730f2efc.vbs"
        8⤵
        
        PID:2528
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29dd0cfb-e546-47d8-bd5c-d0b6dacfd928.vbs"
        6⤵
        
        PID:4740
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f7912c6-9051-4015-a405-2b5f69207666.vbs"
      4⤵
      PID:5424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\60739cf6f660743813\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\60739cf6f660743813\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\900323d723f1dd1206\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\AppReadiness\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\AppReadiness\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\900323d723f1dd1206\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\RCX8204.tmp

Filesize
1.6MB

MD5
90518a251d109675d2a1a92e5254dcd7

SHA1
12c2f6badbf11ec59c5325b3e02a039ce1c4d4a7

SHA256
bf2cf5892176f478ee52e49daa5ff8b2e40b2dd61a270ab16a54c1211ef92a15

SHA512
3480114f99024ebaf39839e149733bc834a81a0bc1345693ad9540fef80e76de500d230d41951b800af95f1cc10ece7ff05ce8f4f557f366fcb50d391daf0237

Download Submit
C:\60739cf6f660743813\SppExtComObj.exe

Filesize
1.6MB

MD5
3f11fa2cd76162ff88f473e5ce7370bd

SHA1
c9d23fd0b96a490dd737f8cee733d2efdebe5b17

SHA256
0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624

SHA512
2c54a9e1dd2eb6cd53517f4731920bfa324aa867a81adefee61f1ec487ba1f38a2f403e0f083b73c489281f7956dad294e3c179bcf71e8392ec01c039be13c75

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
1.6MB

MD5
9ea8ed2d2802e94bb996a97900e449d1

SHA1
e24f31045a6c82d9542520d17448031e052e84eb

SHA256
55bc25e0eff7a2fb501c4413355c1ba71ebc080995633cc9bbcb30fb35c6049e

SHA512
ea441053b548a829ca95c5796f868f104d7a5f71789c8da0f1a34559cc712f852ffd042b14339c02e4d2e464378b2725c962326a05ed3464bd6b5cf7fa4f8754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb615e25fa5c5d81a46365d6446ed714

SHA1
a57ba54012b1fb1920cfcf276424556d6dc547fc

SHA256
61387deb1626bfef8716a58b204fe05f3df45181550ac38a081c97409c8973fc

SHA512
75961d4e10c7387ca20add4c96b2c4ebb897de417a18b6c6ac9008baa7c0d38823db4797d42e423225c09314ebfe8b000aa9f659f2e992ac8eba8a071407414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3f0db2be09ea50e93f81f83a58fdc049

SHA1
862883227880dde307538079454109d35f39723e

SHA256
b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d

SHA512
a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
385f2ec5a61f1814b5b9ab67c2f07a0e

SHA1
1426461338ffaf19c90943434470b10ab38347be

SHA256
832f227c50733f10c0461f4494219ceb045a9fc45b2a88b07e795a9226b4e6c7

SHA512
a9858fa3d7eaca31fba2ed05c7c3a0f3db5bfde5ae20d91bb2f942f2ed39339e7939385441d1377f292c4e72761f98e61e0842fd87f852b99408a391215bd9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
de3ba80caa50615acb96106e34d317cb

SHA1
38f3d5e39cdd18e80cc4295acd4658453eab4297

SHA256
ede1485afc45cccca56f0d392cd5af86f604719b09d5c550a1c49e8023125564

SHA512
12322effb7cd38b7b1a19bdd0ae733546b367f48c8b742824cb3aac6be594c9c601fcd69b10b8185bd8adb7f63c2a5ec013242e6ad678bf532e615a8d915bdb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee8ad908bac8e73dd273df7a2e067f8b

SHA1
cb95f6c5dd9a10dd89b269d83c7eb76895eab80f

SHA256
446446492cdae4148cf9f3e8a5b2e45dc8f009d095487765e2809529f68b3404

SHA512
9066bf783160ebda8a02037cd0950a8a344a126a60e5a7002ee5e90515ad2fe55dacf610087de9d3f873f6124ce8b0121beb9021dcdcfb45da807b00a78b78c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0eac97a5-c48d-4c1c-89a0-dc14c78cec15.vbs

Filesize
734B

MD5
df2b7f9099ef29e625ed9adb95881a43

SHA1
c2d5d6fa14c537660fefa67bc5038f88bc57d4dc

SHA256
1bcc049dedfb5c4dddc04251bdadd5f153f457c89f6cb1da744540ae2e9fd279

SHA512
8344644532525c339383ebace526898f0e433eab6306c78df7275b0b85bbafc8dcaf6d285e601ccebb209da778b444f0035d7510091a066358e7478f8d07c5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\175955b5-cfd6-46b5-8a91-9a7d5f650530.vbs

Filesize
733B

MD5
ef35f2e5b234a629bce8ef4928f533ff

SHA1
2a075f4cb7d1b531f1171fff8b91a4bc940c0e52

SHA256
0a1b65e6f54e7742f16165c42f85ea641c5d3061c657c5b927ddd9fc29200ac2

SHA512
e7f250c702e3a6355d63caa90867281e54cfbf435ba8736c0b7621a3575335ee9ae6a84e20834ed24c84da643ffbbb0d99b0c6f0dca02f6c44fe97ceefe27fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\24581d79-0bac-44e6-9776-abd714f028d8.vbs

Filesize
734B

MD5
d7f0e479b8a0838237cb80abf5d10212

SHA1
5cd8032ab84b1a02646f037e6486619442f803b6

SHA256
a2188654c1005071a8c7e3310491221039c4d8dab5ec82ffa5809ee3d117c893

SHA512
c153e95a4f3a59be7db3d531aa39595b16410ae6bb919eea69024a1e1878fa4af81d390b7b76eea897c7f35f975580cc6b24c140129790f05fcdb41801409919

Download Submit
C:\Users\Admin\AppData\Local\Temp\53e0ccaf-f3e3-48d5-96a9-e5e5a4c21e12.vbs

Filesize
734B

MD5
be715150154c1a30bca8ee1b6a8a91a6

SHA1
4045dd04d9009278b8745a8df882c9fb752b2d6f

SHA256
0252edacf089c636eab4697ab4f0109e755925cda7434ead096d567031505803

SHA512
2018b11642a1fa3478fe27e12ecb682d4fe5d98df1348b7daff1e3350038788dd957ed24bedb15b2a9fff9af35e83fa1fa78c3354d130ec6310329393fd4c72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5915a086-5ba7-4426-ae81-0c0ca3a7ab21.vbs

Filesize
734B

MD5
6d411d8c607989cb4d921624815dcc33

SHA1
2370a9cfadd66ad6d541cff637318f3d70845716

SHA256
284f97825d56706e6a14d7422a9752c012eb6cb0b4975956f03f6917579bb2da

SHA512
4b7330d4434890f09d0c78136271039b551c01e27afabee4760dc0ceb97eed3978d20433876938ffe4461a05e62e66758c7dd702d34f5ced06c057524b949fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f7912c6-9051-4015-a405-2b5f69207666.vbs

Filesize
510B

MD5
94c31d7a49b224fbbe8c17f565bdaa74

SHA1
3179d580e54f9727997cabf836f7229c6258d2f9

SHA256
69b4743cd28ab24808e27674e695d3b29965329e45ec563752f71ffaaaed172f

SHA512
6c5de7861295e09f56df99c9e77fed105a62aba81f8c67633b39884523a5076bea4dd941d6caf46d4991479be05ee5e6580a7d5219746acede09537b976d41eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\840ef1b5-6351-4fdd-8a18-9c3b2ab14155.vbs

Filesize
733B

MD5
3fb07611e9632a9314edc4b93255ccf3

SHA1
986b65e1c57ff2f9a7b082c5fefd2cdb23ddb249

SHA256
851234336335e2c75824fa699a8ac0291004a860ad558ef057cca4e3b2abd68a

SHA512
5fdc85a5ec926cdf3ac824729c4621356b7b193a94ae5cb7abbfcc5fbaaec7a22100befdcb15a7316965e1b814224f3d24c9a53851c2b14f00984022b0541b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\9479c42b-c8f8-4802-b5d2-b392ae83d623.vbs

Filesize
734B

MD5
faa14c3cb8769718861fcc9229b47eef

SHA1
4d5b766f26c45a9f55775a6fe5c071cc456c1516

SHA256
ed2f0cb51703bd2a70fedaca597b9061526ae44d4ed52f921ff5e81f7c0d78f1

SHA512
0d9e76a5de32e6d4e612bf8e767ce2e101753c51d70cfe719dde2bb0dcbf3e48175af3fd9e5cd0b90b5d796229c092234e068f9e2a45f84af46285cbc0349313

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jmx6rbFj4y.bat

Filesize
223B

MD5
65989d65e0d12ce6c4c00401179c4549

SHA1
7ae42a1ac04e2abcceaf64ed7d63724401a85282

SHA256
3ea576d4c55f99f01218421461e2a2ae73156c11a483f490d81dd2c8c949cba9

SHA512
f03eff418a01b38db682f2e4bcecb1f6d64297283c4fb7a4cc693cbd6634b9943ce7c104378f4a2e480966c4806ca6cc4d1da518ed041ca2cbf733b5cc8e1165

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kkvtz1zg.j0t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9dd68a2-b263-4561-a2f3-76913d527d24.vbs

Filesize
733B

MD5
490552eac8a4aa781ddfa26b4dc27956

SHA1
a367edcada55d4ad1274f6a8884e5c15650ac83d

SHA256
bd97b7600d46465fa46b2efc32c145e65a58fc711fd89539a4519cfed119a925

SHA512
88400bdf9bccba36e41c67e0b6bf665dc58b7d9b83c851ab7ca93bee2eb429d019cbfa938efd52104d5f024dd5b754809b4afb946bdcb885305cb84c405b2e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfd0fcdd-9f94-4ad1-9e91-2d3e8f170c1c.vbs

Filesize
734B

MD5
19ed1dca13562a15da1a7a1aea0e5974

SHA1
872a4d37967fe67ce33a3aff4cbaed9becebe22b

SHA256
707e89d2f9dc8cca5d09c8f76e17f97d2182c832f633ee48b293b772b33cf6f2

SHA512
309bb8f3b1792033e02351281503599da66af55a36b2a8c2b46b95fe2946e7c8c716cfe0dc7277bb809b90ddda01fdb39db03542f8750c070cae44fca81dbd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1fed703-63a0-40dc-b576-113afa1597e1.vbs

Filesize
734B

MD5
299d58d6b3e247d265640a577616c157

SHA1
f1f698965544d6e80858d7cf09d89472f300cbda

SHA256
2d16476076b6eeb353baa694b3e7dd2e6ab0dd6fd031c82a6df2961da879728e

SHA512
ad679dbd48c89f25dcd158c3412d0836bd47a8c9ca16b6001b911a277116d4f6b764e387ff29b52489a6304e2fe5502fff5b7645d72c71de4d957ebcdf82e1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd8f1d94-83fc-4916-9b3c-aa325b6400e8.vbs

Filesize
734B

MD5
0ece97f317f58dc85a886dda72a125a4

SHA1
66ba43ddc791da9b55770ac970b60f0798ed2f47

SHA256
a82f19b95d2ebe5b4d4a40ac3acc18ca43482bf145663d25fe64f42453f9d3b2

SHA512
630061e0e414bc9dc72428409c4ec4ac6f8f9943d5002f70bbbbb798d2542aa8eaf0d53b8db0d4223ec6b363fa68cec930d659db6bab209b78574192fd798031

Download Submit
C:\Users\Admin\AppData\Local\Temp\e342a2fe-ec4a-4e54-9dd6-946c5b330556.vbs

Filesize
734B

MD5
ae263a0e5e771aa97f29793dd74aef57

SHA1
4196360ea25d291f92b71118b5e67878813b5865

SHA256
8813ebaf98e57f1c3bc50ef4f6858e486265bc7ec8da7efcfa6ec537c51dffd5

SHA512
48479339a2a85d6b448e6a992c6e055d88ab885bde823b033465c1be0ecbc7b51308cf023e82c28e8794a35c2ea60069c932021ef85c32205cd6df32a2a17d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\f697e8be-34f6-47cf-a1fc-e124582800b7.vbs

Filesize
734B

MD5
6afbe5b15b44e30d1645aefa3899e714

SHA1
511b100b64b98aa4e0149944c25aeb2d244a63f5

SHA256
63f00780dcf14acc15aeaf7ed2a84ecda6623521ae72faac76155e5d47ba3ef9

SHA512
90d0a79a5e54348bb901c78267725ea1a56eabfe084b37f30847fec35e8b41876c29a068f21d5bbc418e4c14f99a50a059d0ac6a2fae48fb29c5e9dc34fc1e9f

Download Submit
memory/1364-274-0x000001B84A880000-0x000001B84A9EA000-memory.dmp

Filesize
1.4MB

Download
memory/1492-279-0x0000022FAAFF0000-0x0000022FAB15A000-memory.dmp

Filesize
1.4MB

Download
memory/1668-360-0x000000001C180000-0x000000001C282000-memory.dmp

Filesize
1.0MB

Download
memory/1708-271-0x000002053EFE0000-0x000002053F14A000-memory.dmp

Filesize
1.4MB

Download
memory/2116-336-0x000000001C4B0000-0x000000001C5B2000-memory.dmp

Filesize
1.0MB

Download
memory/2156-324-0x000000001C050000-0x000000001C152000-memory.dmp

Filesize
1.0MB

Download
memory/2468-275-0x00000176F0B40000-0x00000176F0CAA000-memory.dmp

Filesize
1.4MB

Download
memory/2528-286-0x000001D47EDA0000-0x000001D47EF0A000-memory.dmp

Filesize
1.4MB

Download
memory/2536-276-0x0000013A70630000-0x0000013A7079A000-memory.dmp

Filesize
1.4MB

Download
memory/3200-294-0x000001D338D30000-0x000001D338E9A000-memory.dmp

Filesize
1.4MB

Download
memory/3452-5-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/3452-13-0x000000001BB50000-0x000000001BB5E000-memory.dmp

Filesize
56KB

Download
memory/3452-16-0x000000001BB80000-0x000000001BB8A000-memory.dmp

Filesize
40KB

Download
memory/3452-3-0x00000000028A0000-0x00000000028BC000-memory.dmp

Filesize
112KB

Download
memory/3452-4-0x000000001B300000-0x000000001B350000-memory.dmp

Filesize
320KB

Download
memory/3452-7-0x000000001B2D0000-0x000000001B2D8000-memory.dmp

Filesize
32KB

Download
memory/3452-15-0x000000001BB70000-0x000000001BB78000-memory.dmp

Filesize
32KB

Download
memory/3452-12-0x000000001BB40000-0x000000001BB4A000-memory.dmp

Filesize
40KB

Download
memory/3452-6-0x000000001B2B0000-0x000000001B2C6000-memory.dmp

Filesize
88KB

Download
memory/3452-17-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/3452-14-0x000000001BB60000-0x000000001BB68000-memory.dmp

Filesize
32KB

Download
memory/3452-2-0x00007FFBCFDF0000-0x00007FFBD08B1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-11-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/3452-162-0x00007FFBCFDF0000-0x00007FFBD08B1000-memory.dmp

Filesize
10.8MB

Download
memory/3452-10-0x000000001B350000-0x000000001B35C000-memory.dmp

Filesize
48KB

Download
memory/3452-1-0x00000000004F0000-0x0000000000692000-memory.dmp

Filesize
1.6MB

Download
memory/3452-9-0x000000001B2F0000-0x000000001B2F8000-memory.dmp

Filesize
32KB

Download
memory/3452-0-0x00007FFBCFDF3000-0x00007FFBCFDF5000-memory.dmp

Filesize
8KB

Download
memory/3452-8-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

Filesize
64KB

Download
memory/3624-348-0x000000001C620000-0x000000001C722000-memory.dmp

Filesize
1.0MB

Download
memory/4420-291-0x000001F878F90000-0x000001F8790FA000-memory.dmp

Filesize
1.4MB

Download
memory/4844-311-0x000000001CB10000-0x000000001CC12000-memory.dmp

Filesize
1.0MB

Download
memory/5116-287-0x00000205BDA60000-0x00000205BDBCA000-memory.dmp

Filesize
1.4MB

Download
memory/5368-288-0x0000023D640C0000-0x0000023D6422A000-memory.dmp

Filesize
1.4MB

Download
memory/5852-297-0x0000021864220000-0x000002186438A000-memory.dmp

Filesize
1.4MB

Download
memory/5852-172-0x00000218640F0000-0x0000021864112000-memory.dmp

Filesize
136KB

Download