dcrat | 70bba6e748b04c937188f113389a3c90bf30806add70222b920886a57b0bdd98

Analysis

max time kernel
127s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12d3790d20dcd64ff72360ebd3b199e3.exe
Size

1.6MB
MD5

12d3790d20dcd64ff72360ebd3b199e3
SHA1

548c99a5137a38ed6fefdfdb9fd1d528d7795b74
SHA256

e4f54860982aa850776dbb14e8cd179b9afff0f02a06a7fcf7cada35fee4e6cc
SHA512

32e3da761ac34f1e920190619b2449a96ff2e3ede2cea65b11efbeaf5e049f22645e378bb3187406786b2fd2e8f3a8180ce1d6b3dd75cbd57b8a16a17fdae4fc
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5992	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5348	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6124	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5868	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	884	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	884	schtasks.exe	87

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral24/memory/836-1-0x0000000000A30000-0x0000000000BD2000-memory.dmp	dcrat
behavioral24/files/0x0007000000024315-26.dat	dcrat
behavioral24/files/0x0007000000022bb1-115.dat	dcrat
behavioral24/files/0x000a00000002431a-149.dat	dcrat
behavioral24/files/0x0009000000024321-160.dat	dcrat
behavioral24/files/0x0009000000024325-171.dat	dcrat
behavioral24/files/0x000c00000002432a-217.dat	dcrat
behavioral24/files/0x000a000000024337-243.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4628	powershell.exe
4632	powershell.exe
3516	powershell.exe
6032	powershell.exe
5204	powershell.exe
1092	powershell.exe
5940	powershell.exe
680	powershell.exe
5456	powershell.exe
5916	powershell.exe
1984	powershell.exe
1444	powershell.exe
4588	powershell.exe
4472	powershell.exe
6024	powershell.exe
1840	powershell.exe
3612	powershell.exe
5192	powershell.exe
1504	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	12d3790d20dcd64ff72360ebd3b199e3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 11 IoCs

pid	Process
1360	Registry.exe
5204	Registry.exe
4288	Registry.exe
1596	Registry.exe
1232	Registry.exe
2796	Registry.exe
2460	Registry.exe
5940	Registry.exe
5204	Registry.exe
4784	Registry.exe
5604	Registry.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX9C6A.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXB518.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXB596.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\eddb19405b7ce1	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX9BEC.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXB303.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\Registry.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\Registry.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXB304.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\ee2ad38f3d4382	12d3790d20dcd64ff72360ebd3b199e3.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Logs\Telephony\12d3790d20dcd64ff72360ebd3b199e3.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXAE7A.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXAE7B.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Windows\Registration\CRMLog\unsecapp.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Windows\Logs\Telephony\RCXB79C.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Windows\Logs\Telephony\12d3790d20dcd64ff72360ebd3b199e3.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Windows\Registration\CRMLog\unsecapp.exe	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Windows\Registration\CRMLog\29c1c3cc0f7685	12d3790d20dcd64ff72360ebd3b199e3.exe
File created	C:\Windows\Logs\Telephony\7b92838ba618ed	12d3790d20dcd64ff72360ebd3b199e3.exe
File opened for modification	C:\Windows\Logs\Telephony\RCXB79B.tmp	12d3790d20dcd64ff72360ebd3b199e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	12d3790d20dcd64ff72360ebd3b199e3.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	Registry.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5096	schtasks.exe
4820	schtasks.exe
5780	schtasks.exe
3748	schtasks.exe
1708	schtasks.exe
6124	schtasks.exe
4740	schtasks.exe
2652	schtasks.exe
4748	schtasks.exe
4852	schtasks.exe
376	schtasks.exe
2756	schtasks.exe
5604	schtasks.exe
1976	schtasks.exe
3568	schtasks.exe
4452	schtasks.exe
5092	schtasks.exe
4624	schtasks.exe
4788	schtasks.exe
468	schtasks.exe
1004	schtasks.exe
4492	schtasks.exe
4900	schtasks.exe
4992	schtasks.exe
3724	schtasks.exe
1488	schtasks.exe
4960	schtasks.exe
4068	schtasks.exe
5992	schtasks.exe
4604	schtasks.exe
4712	schtasks.exe
5868	schtasks.exe
3016	schtasks.exe
5072	schtasks.exe
1672	schtasks.exe
1212	schtasks.exe
4784	schtasks.exe
2576	schtasks.exe
4248	schtasks.exe
4152	schtasks.exe
3176	schtasks.exe
5348	schtasks.exe
5044	schtasks.exe
608	schtasks.exe
2192	schtasks.exe
2968	schtasks.exe
2256	schtasks.exe
4928	schtasks.exe
4908	schtasks.exe
2592	schtasks.exe
4528	schtasks.exe
2328	schtasks.exe
4664	schtasks.exe
4948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
836	12d3790d20dcd64ff72360ebd3b199e3.exe
5204	powershell.exe
5204	powershell.exe
4588	powershell.exe
4588	powershell.exe
3516	powershell.exe
3516	powershell.exe
6032	powershell.exe
6032	powershell.exe
5940	powershell.exe
5940	powershell.exe
1984	powershell.exe
1984	powershell.exe
4628	powershell.exe
4628	powershell.exe
1840	powershell.exe
1840	powershell.exe
1504	powershell.exe
1504	powershell.exe
680	powershell.exe
680	powershell.exe
1092	powershell.exe
1092	powershell.exe
3612	powershell.exe
3612	powershell.exe
5192	powershell.exe
5192	powershell.exe
4472	powershell.exe
4472	powershell.exe
6024	powershell.exe
6024	powershell.exe
5916	powershell.exe
5916	powershell.exe
1444	powershell.exe
1444	powershell.exe
4632	powershell.exe
4632	powershell.exe
1444	powershell.exe
5204	powershell.exe
5204	powershell.exe
4588	powershell.exe
4588	powershell.exe
1984	powershell.exe
3516	powershell.exe
3516	powershell.exe
5940	powershell.exe
5940	powershell.exe
5916	powershell.exe
6032	powershell.exe
6032	powershell.exe
4472	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	12d3790d20dcd64ff72360ebd3b199e3.exe
Token: SeDebugPrivilege	5204	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	6032	powershell.exe
Token: SeDebugPrivilege	5940	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	5916	powershell.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	1360	Registry.exe
Token: SeDebugPrivilege	5204	Registry.exe
Token: SeDebugPrivilege	4288	Registry.exe
Token: SeDebugPrivilege	1596	Registry.exe
Token: SeDebugPrivilege	1232	Registry.exe
Token: SeDebugPrivilege	2796	Registry.exe
Token: SeDebugPrivilege	2460	Registry.exe
Token: SeDebugPrivilege	5940	Registry.exe
Token: SeDebugPrivilege	5204	Registry.exe
Token: SeDebugPrivilege	4784	Registry.exe
Token: SeDebugPrivilege	5604	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 5204	836	12d3790d20dcd64ff72360ebd3b199e3.exe	192
PID 836 wrote to memory of 5204	836	12d3790d20dcd64ff72360ebd3b199e3.exe	192
PID 836 wrote to memory of 6032	836	12d3790d20dcd64ff72360ebd3b199e3.exe	143
PID 836 wrote to memory of 6032	836	12d3790d20dcd64ff72360ebd3b199e3.exe	143
PID 836 wrote to memory of 4588	836	12d3790d20dcd64ff72360ebd3b199e3.exe	144
PID 836 wrote to memory of 4588	836	12d3790d20dcd64ff72360ebd3b199e3.exe	144
PID 836 wrote to memory of 1504	836	12d3790d20dcd64ff72360ebd3b199e3.exe	145
PID 836 wrote to memory of 1504	836	12d3790d20dcd64ff72360ebd3b199e3.exe	145
PID 836 wrote to memory of 3612	836	12d3790d20dcd64ff72360ebd3b199e3.exe	147
PID 836 wrote to memory of 3612	836	12d3790d20dcd64ff72360ebd3b199e3.exe	147
PID 836 wrote to memory of 1444	836	12d3790d20dcd64ff72360ebd3b199e3.exe	149
PID 836 wrote to memory of 1444	836	12d3790d20dcd64ff72360ebd3b199e3.exe	149
PID 836 wrote to memory of 1984	836	12d3790d20dcd64ff72360ebd3b199e3.exe	150
PID 836 wrote to memory of 1984	836	12d3790d20dcd64ff72360ebd3b199e3.exe	150
PID 836 wrote to memory of 3516	836	12d3790d20dcd64ff72360ebd3b199e3.exe	151
PID 836 wrote to memory of 3516	836	12d3790d20dcd64ff72360ebd3b199e3.exe	151
PID 836 wrote to memory of 4632	836	12d3790d20dcd64ff72360ebd3b199e3.exe	152
PID 836 wrote to memory of 4632	836	12d3790d20dcd64ff72360ebd3b199e3.exe	152
PID 836 wrote to memory of 5916	836	12d3790d20dcd64ff72360ebd3b199e3.exe	153
PID 836 wrote to memory of 5916	836	12d3790d20dcd64ff72360ebd3b199e3.exe	153
PID 836 wrote to memory of 1840	836	12d3790d20dcd64ff72360ebd3b199e3.exe	154
PID 836 wrote to memory of 1840	836	12d3790d20dcd64ff72360ebd3b199e3.exe	154
PID 836 wrote to memory of 5192	836	12d3790d20dcd64ff72360ebd3b199e3.exe	155
PID 836 wrote to memory of 5192	836	12d3790d20dcd64ff72360ebd3b199e3.exe	155
PID 836 wrote to memory of 6024	836	12d3790d20dcd64ff72360ebd3b199e3.exe	157
PID 836 wrote to memory of 6024	836	12d3790d20dcd64ff72360ebd3b199e3.exe	157
PID 836 wrote to memory of 5456	836	12d3790d20dcd64ff72360ebd3b199e3.exe	158
PID 836 wrote to memory of 5456	836	12d3790d20dcd64ff72360ebd3b199e3.exe	158
PID 836 wrote to memory of 4628	836	12d3790d20dcd64ff72360ebd3b199e3.exe	160
PID 836 wrote to memory of 4628	836	12d3790d20dcd64ff72360ebd3b199e3.exe	160
PID 836 wrote to memory of 680	836	12d3790d20dcd64ff72360ebd3b199e3.exe	161
PID 836 wrote to memory of 680	836	12d3790d20dcd64ff72360ebd3b199e3.exe	161
PID 836 wrote to memory of 5940	836	12d3790d20dcd64ff72360ebd3b199e3.exe	162
PID 836 wrote to memory of 5940	836	12d3790d20dcd64ff72360ebd3b199e3.exe	162
PID 836 wrote to memory of 4472	836	12d3790d20dcd64ff72360ebd3b199e3.exe	163
PID 836 wrote to memory of 4472	836	12d3790d20dcd64ff72360ebd3b199e3.exe	163
PID 836 wrote to memory of 1092	836	12d3790d20dcd64ff72360ebd3b199e3.exe	164
PID 836 wrote to memory of 1092	836	12d3790d20dcd64ff72360ebd3b199e3.exe	164
PID 836 wrote to memory of 3008	836	12d3790d20dcd64ff72360ebd3b199e3.exe	180
PID 836 wrote to memory of 3008	836	12d3790d20dcd64ff72360ebd3b199e3.exe	180
PID 3008 wrote to memory of 2200	3008	cmd.exe	182
PID 3008 wrote to memory of 2200	3008	cmd.exe	182
PID 3008 wrote to memory of 1360	3008	cmd.exe	183
PID 3008 wrote to memory of 1360	3008	cmd.exe	183
PID 1360 wrote to memory of 4100	1360	Registry.exe	184
PID 1360 wrote to memory of 4100	1360	Registry.exe	184
PID 1360 wrote to memory of 3324	1360	Registry.exe	185
PID 1360 wrote to memory of 3324	1360	Registry.exe	185
PID 4100 wrote to memory of 5204	4100	WScript.exe	192
PID 4100 wrote to memory of 5204	4100	WScript.exe	192
PID 5204 wrote to memory of 4604	5204	Registry.exe	194
PID 5204 wrote to memory of 4604	5204	Registry.exe	194
PID 5204 wrote to memory of 4212	5204	Registry.exe	195
PID 5204 wrote to memory of 4212	5204	Registry.exe	195
PID 4604 wrote to memory of 4288	4604	WScript.exe	200
PID 4604 wrote to memory of 4288	4604	WScript.exe	200
PID 4288 wrote to memory of 2364	4288	Registry.exe	201
PID 4288 wrote to memory of 2364	4288	Registry.exe	201
PID 4288 wrote to memory of 5100	4288	Registry.exe	202
PID 4288 wrote to memory of 5100	4288	Registry.exe	202
PID 2364 wrote to memory of 1596	2364	WScript.exe	203
PID 2364 wrote to memory of 1596	2364	WScript.exe	203
PID 1596 wrote to memory of 4820	1596	Registry.exe	204
PID 1596 wrote to memory of 4820	1596	Registry.exe	204

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12d3790d20dcd64ff72360ebd3b199e3.exe
"C:\Users\Admin\AppData\Local\Temp\12d3790d20dcd64ff72360ebd3b199e3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\12d3790d20dcd64ff72360ebd3b199e3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\12d3790d20dcd64ff72360ebd3b199e3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\UEV\Templates\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\Telephony\12d3790d20dcd64ff72360ebd3b199e3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQEvZAPO2s.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2200
- - C:\Recovery\WindowsRE\Registry.exe
    "C:\Recovery\WindowsRE\Registry.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6a48bab-9e26-4cf8-8058-e756b5582577.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5204
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\230786ec-246f-4ccc-8f77-31d97f946363.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa514f66-639d-413b-b893-d7612b8a9147.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c406866-8b3b-4685-b74a-3c875dcccc84.vbs"
        10⤵
        
        PID:4820
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a68f00-6b17-45c7-9f25-972e4445df1f.vbs"
        12⤵
        
        PID:4492
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\945b900f-769d-4674-91ca-6d331e83af68.vbs"
        14⤵
        
        PID:5964
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b88dc68a-ce9b-4809-a867-2aa8668b9012.vbs"
        16⤵
        
        PID:684
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ec61cb4-70ef-4175-a99c-6729d7365cfc.vbs"
        18⤵
        
        PID:5420
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29be6c47-f747-4f9a-a2e4-8a684197e6b9.vbs"
        20⤵
        
        PID:1080
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3669a2e-d074-4a51-88a7-db142b5c0ef7.vbs"
        22⤵
        
        PID:5048
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4547dc50-1d9e-4402-8514-6dbb4beed9bb.vbs"
        24⤵
        
        PID:532
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        25⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\877a2f06-c67b-4839-91f7-9e28ae450930.vbs"
        26⤵
        
        PID:748
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        27⤵
        
        PID:6040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3edafed-a123-4dab-85cf-e31f360d8f6c.vbs"
        28⤵
        
        PID:1388
        
        C:\Recovery\WindowsRE\Registry.exe
        
        C:\Recovery\WindowsRE\Registry.exe
        29⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3abe92a6-2236-4a85-bd56-bfe7493c2aa0.vbs"
        30⤵
        
        PID:3224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3314c0ba-4026-46ba-a90b-5ef715d80375.vbs"
        30⤵
        
        PID:5196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92b75d50-08ad-467b-8423-195cb770d3ad.vbs"
        28⤵
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4dda61c-0ce6-4ed3-af36-149c2c64cd6a.vbs"
        26⤵
        
        PID:3384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\198b7d9c-f359-4903-a2f2-07ffa1d465d3.vbs"
        24⤵
        
        PID:4032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf79929e-dcce-4ffb-9e0e-6ac46bd1d5e5.vbs"
        22⤵
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\794cf2bb-63f0-4499-82c2-5264925d13b4.vbs"
        20⤵
        
        PID:4604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8becd39f-d55a-43ad-8186-9daa6d43fbc7.vbs"
        18⤵
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6a95aa6-d8dc-4fc8-ae75-5885afc50082.vbs"
        16⤵
        
        PID:4700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40c540ce-a066-48ff-99d9-c385f2e2e0fb.vbs"
        14⤵
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01dc924f-721e-4de0-8377-6d4d7dd62b3a.vbs"
        12⤵
        
        PID:4176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f96e748-0d8c-4a20-b0bf-52cba42ac584.vbs"
        10⤵
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e0ae59e-7d6f-4298-bfd2-e23b0e0af6e1.vbs"
        8⤵
        
        PID:5100
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83be1b6-55c9-4ce0-87fd-78f9d1b2586c.vbs"
        6⤵
        
        PID:4212
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02da1e2d-323e-4e73-9318-2e2ee5ebd077.vbs"
      4⤵
      PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12d3790d20dcd64ff72360ebd3b199e31" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\12d3790d20dcd64ff72360ebd3b199e3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12d3790d20dcd64ff72360ebd3b199e3" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\12d3790d20dcd64ff72360ebd3b199e3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12d3790d20dcd64ff72360ebd3b199e31" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\12d3790d20dcd64ff72360ebd3b199e3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\UEV\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\UEV\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\UEV\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12d3790d20dcd64ff72360ebd3b199e31" /sc MINUTE /mo 7 /tr "'C:\Windows\Logs\Telephony\12d3790d20dcd64ff72360ebd3b199e3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12d3790d20dcd64ff72360ebd3b199e3" /sc ONLOGON /tr "'C:\Windows\Logs\Telephony\12d3790d20dcd64ff72360ebd3b199e3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12d3790d20dcd64ff72360ebd3b199e31" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\Telephony\12d3790d20dcd64ff72360ebd3b199e3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe

Filesize
1.6MB

MD5
12bd03dec4a4968a2cb38790b638f498

SHA1
d49714fc44576a2c01af211211e1468d1baa49d6

SHA256
798ef4eabe9627a0e215463143bd00a3906bea1276267c9b1fc265d7300b0221

SHA512
dcd0fde67e2e9348bd984bcf2dd42fd817e83a3a854c9ac11a22f2e2debd07197d4313b5cc408af4e9dd933ce8df677035ce0f1c02826b8694c462c58c251a3c

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\explorer.exe

Filesize
1.6MB

MD5
7e6b3151234137b6b344d0b18318ff8d

SHA1
befccc25776c943cbc6cbb76d17b4180fcb7f425

SHA256
738576ea7d2feea1b0ac846ee82d50f63a18482de6b5d2cb6d0f9eb88b883578

SHA512
fa0586e9709526a10a32def7b6a8ea3676703252193f7e4fed6f2b609f3fd3aa91c82ebb72d764e706273748038588e5ba45f99b7050cb361b2225d21ea4d6f4

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\Registry.exe

Filesize
1.6MB

MD5
322eaf8fd0a5314f845f26acaa186ce3

SHA1
b56bb6b05fdffb1c3b3e975f5794938a62268e1a

SHA256
d09ccbac955e652030519fb450c7014757b1c3ac61d1c0bbb02bc26d8015d66e

SHA512
0163fc29c13c1042253291bba610c3afe5e323139c86d1cb525d4e243e671a6910b4abe82f29b308f6e09127275a7457b5a242a9f584ae0c6583fdb0cf3e1972

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe

Filesize
1.6MB

MD5
90ad32491ca6e0ca24bff923bc1b585c

SHA1
ce0ea5caa9406299ae4810306877a3b0c9645a37

SHA256
923dbde1ecca3c1b192400df907a1648775596a9ff73b3b6b042f20ff4f94233

SHA512
2019e933540286b63b36aeb930e8d894e402cd2c2982314ebb0c1ff6a55823d9c9f68f32d72fa23b1c4af15cbeafbfc083c2df2f504b1ef5780d7812cb279fe5

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe

Filesize
1.6MB

MD5
12d3790d20dcd64ff72360ebd3b199e3

SHA1
548c99a5137a38ed6fefdfdb9fd1d528d7795b74

SHA256
e4f54860982aa850776dbb14e8cd179b9afff0f02a06a7fcf7cada35fee4e6cc

SHA512
32e3da761ac34f1e920190619b2449a96ff2e3ede2cea65b11efbeaf5e049f22645e378bb3187406786b2fd2e8f3a8180ce1d6b3dd75cbd57b8a16a17fdae4fc

Download Submit
C:\Recovery\WindowsRE\lsass.exe

Filesize
1.6MB

MD5
17b620221a43b8eb2f1e66d522e7a10a

SHA1
8b6d3dbc2dbdb3a356bb2fea63d657cb2f4a39b0

SHA256
bf7746db58f46621a2a5eb7cc49705ed356c50f555ebda454626c478446d7e95

SHA512
0bfa10bcc7b7fe1bb84d2460d1a4e24648796aef0ae2df689692b45a4b0cf70b1b5d35cd07b81ab82804a8986ebc3cb14914364ba971fb2992a533dec1b93d96

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.6MB

MD5
48fb577650999102d1b894419169ab22

SHA1
e7b7964fa5bf1487bc4330e48789ee6c18abed51

SHA256
a5c191606f9f393520f4f466c1f32df156d7d1adf25809abe7da21dcf4048d4c

SHA512
40999e40541468d1d436cce10bab8a1adc64d15a0842f1b81942f2404fcfd63e766a4f104471ac190e949a90f3ef65305fa2032dea03cffdde969b21ac5fe61b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2044ef36c414ed6e6c991e5fbe7d5bf1

SHA1
0dbd4be869af1290a771fa295db969dc14b2a1fc

SHA256
1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6

SHA512
304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35be6e176d67a5af3e24a7f54b4a9574

SHA1
900bbb3f3f8a9d38a4e548b4ba60838a9eae41b9

SHA256
c0be8fe9bbed3f82068a8179a28fadfcaef8a524818f34b87b59b5e1b2cae1c7

SHA512
09d15913b88d2eb7529d661c5bb2ee20eef0a7df92b5eaaadb2ebc70ad68d9c38b341b148ac058c895b7f85a54d703c3543b043d8d2a3f0536d21d3c7ebbe15f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cf894941144c587568593db71ccb1243

SHA1
3c7d428e83697342bc3d53a52b6a90f1dac739bc

SHA256
95e4bddd5c8915f1803b4842a2076709a0fc7d3988f62e12719735204e0f43bd

SHA512
3f0f6dcf08471ea1147e56b8baf72b3576289c8e884537d9c295a0b881ecd58d8d2a877b73e88685bea54a037e6ce3600cceb04f3df493827cc95e389053683a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c87ff349c47ae6e678ea72feb4bb181

SHA1
0668dc890d29354fbb86cfaeae5363d9f2c1fdc8

SHA256
68decb0f61e56ef1ad4a9c69e0c496ac30ead7bdb15ae2830a01a21cb4c243fc

SHA512
32a9a76ddc1de0612c74ce170e86e716fde003306c202c68573ce4dcbb58e2ff59b7bdff77e4c259c869f4443e2c6aa023d1fcae6857ea36e4bf8a3110b58fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9faf1842282b23924fdccd705e391cb3

SHA1
1d1a188f2e755578ecd01b3175f8847398781369

SHA256
27f0d74169a38ec53713307526298109ddfce4629163203edba5d001a7365a63

SHA512
a080b1314e2fc6b5b7babe371bd982ea7dd557b82286d976f2f713318780f4f72ae7ce66c59878d6540bd2aa7f361f191d4ab04e92b314ed164d7134a8ebe848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1c41ab70e6e5907330c398d5789b851

SHA1
39dbfc40fb75793d222369e59ae5d784f5c3b7a3

SHA256
90c7c4c7f4671b52194b8e5d5e43715003581b96ee6418ced8c3bab9329a1fad

SHA512
a5e07a6316a8142a0680d9ae73890daabb18de56540ed1025f1a7a463b7992854b7b31c537d8e1a32deaf8864dfacc88fb2203c22891643f9e1ddc713968c3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\02da1e2d-323e-4e73-9318-2e2ee5ebd077.vbs

Filesize
486B

MD5
b7ed580917c8563951df26dfc03879b8

SHA1
9ecf57b7b8ed80b7ae44822fb70e02177dcb47b5

SHA256
b2e88c78ce5956532c22522d02849aced1426dfa45c1f07dd827f1c80310e34e

SHA512
4ec0ac76d18e552445a2612d1f8a6b9625d9c1bcf54d6a71f96cb71fb36ecbad1cfd23a8227e62e2edf507b9d18614863aee4a7ed4ea15b5db19689a693311ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\230786ec-246f-4ccc-8f77-31d97f946363.vbs

Filesize
710B

MD5
378f44381ce8ca0aa346cf87b07ca65c

SHA1
5bacdbf6622174839892a5be244ec447cd6e843a

SHA256
e9ae4f9221ef047589af2861155c46786c020af20cf0ea3cd648e60fafbf48ec

SHA512
d92f456e235452783c8c76a85fe7a9ec812de1870c7c11f17614931db627b5101b4d0304ec30729e55444115cdba81fdffba9712ba2e066d976eafb82df6844b

Download Submit
C:\Users\Admin\AppData\Local\Temp\28a68f00-6b17-45c7-9f25-972e4445df1f.vbs

Filesize
710B

MD5
ab9d2bac8d7c89d52b95d0d4f7cc3779

SHA1
b07a1140d9739062f3cb7d693fea8ddff85509aa

SHA256
998495b5880c5bfa5623d62fc672ee11b215148e370a6e41541342d457c4ac17

SHA512
d210b1163d0fe9ff5b9d116acd14a1356487e1113ef42f4171c21ef3b13c8b6059b88ba30d4a226c1a14ee1e3be0ab4987ff40a023d720e5d234b87bdd0d9f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ec61cb4-70ef-4175-a99c-6729d7365cfc.vbs

Filesize
710B

MD5
f8b8eaed2ca04ee818b5bef8033ddfe0

SHA1
26e7a3eb06f58902f5edb73491b7270cc0f1f422

SHA256
fdb8989746045ad69d84ea8fec35ed22fea972503f0d1e3d8f033b9fbfb7e249

SHA512
95311ea53745ceb834cd267de69e4c6573a7f6c423bd1d6e9760c91022db60162a7c904f1b86b6f600347130de730674aedb953966b9481fbeafa34fa96227af

Download Submit
C:\Users\Admin\AppData\Local\Temp\4547dc50-1d9e-4402-8514-6dbb4beed9bb.vbs

Filesize
710B

MD5
5c5c3c0fb0245a9fabf2dc5411b4d469

SHA1
90768dce950f42a39a45e94518e0cf4798ee6201

SHA256
00eb14f252b6dc161594b6fef2fc9308c2fd449727da742911452f95cfa45754

SHA512
d8089f6b67d297ab7e4abb3467bee4e55e56aef8c9207a2e5a43f27aa46ebd381225b3c2b9073d78a45115314ebf649eb842904555364ae3b05d1afee2cc3d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c406866-8b3b-4685-b74a-3c875dcccc84.vbs

Filesize
710B

MD5
d282476648855976302bed7c413f70dd

SHA1
84cc5f4094912ce103fdf5b1497fba9be241f15a

SHA256
937093a3a18a5f4168ab1bfd9e534b5d4d7d7d72a8673c23671a627fbca65860

SHA512
11f71268e0c2fe1f3526af3b9709692f1f8db3712ee264547b33f1b0d693fae7c145196d63119b49fccef787d1e8f301092be07fd749b84d2e4d40aef04fd259

Download Submit
C:\Users\Admin\AppData\Local\Temp\877a2f06-c67b-4839-91f7-9e28ae450930.vbs

Filesize
710B

MD5
debb1ca3b64df8a615aa6724138e55fa

SHA1
9331a12e997c9a7b80ec50ec0fa6d06c67ad541f

SHA256
80242e63ba6ba49dd6b997e34664546882cc257364612c3ab79c5fbb137334b8

SHA512
891ec0a50f7fe361ff747533aabb74c3f9487e64d781f2d0359dc41aa10cb94f052c4a1277635f83d8ca1079ae34474af4976aacd5cde8e5415f30c78eee70a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\945b900f-769d-4674-91ca-6d331e83af68.vbs

Filesize
710B

MD5
45e4934861c8fa002f7995a3b2a5f92a

SHA1
6aacbb216882c6ad1c6624501932c38abb4156f1

SHA256
90d869762c537a5f8528b046a21d9f227d4dd992bf08fd6a0af0e0c385a78004

SHA512
7ba2ae6141f16f676e4c61a771cabe8e6f3090391c5cbeff467a071d0c3900cd9d3482b5c5b91e2891e5a8d42533496c9e427812630294a3780027a6ec044504

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kiqj2e53.aiy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa514f66-639d-413b-b893-d7612b8a9147.vbs

Filesize
710B

MD5
203caa66290f2cbb7314fcd0075a6b84

SHA1
c401596498ce3d89771a0b4fd1480e645dd35b04

SHA256
48551f5199a30a6f539ff56d4f03de18aeba906b64827169c6cb52af2c06de84

SHA512
67c8211d3966131e762a5d22277fe4dd8e847642a5578d30dbf9c88650e97aac7a1de435d47674b8cc956135cd5d42a133ecb27eb7cfbd2216b75cb48fa254f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b88dc68a-ce9b-4809-a867-2aa8668b9012.vbs

Filesize
710B

MD5
2ce98b064957b759df81c7a843a0944c

SHA1
fc99a69a434d8362db10c7f75083cc8252cdc744

SHA256
e421239ca954136ad636c122fb08e76b44e8face2abbda4a728207dc99788fe0

SHA512
83eca949419288999509ed5fb463b65d3a464d168da54da9aa35a64305a330a77f3d733118afe4d92f91c3cfc008f158b53f976e8931123634679703c29598f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3669a2e-d074-4a51-88a7-db142b5c0ef7.vbs

Filesize
710B

MD5
5bf0faaf284a458aa71e204957a32c60

SHA1
26ca0e858f60c0d1ce60a8b4d95bbd0adcdd8b57

SHA256
947f45ad596de4d409bc98b9f0e3703cb4d192c16d516d223b093e0faa0d364b

SHA512
4869f2301f19bfad6dddebf5252b5bd8a0a62a632d1357a2513d3acd1770b0eacd826005c087bc4d9917d6f8c49bd0c99b41903733844d47c9c0d161bfd6b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6a48bab-9e26-4cf8-8058-e756b5582577.vbs

Filesize
710B

MD5
ceeaad898c911f6e06b58c81d2cde9c8

SHA1
a52a2c88316aa327a0d3727c37ad4cb836730139

SHA256
12bfc94dde07dae1afdafbd3c1bccc493cd268c3b56bf0a308b226b4438a4043

SHA512
5eb9cc108149e83422bc068bf406589a6afe10251e3ba7f5ee59373437dd3432d3eabbd7d5bb07ed363aec01c614bc1d2983cb15d50847613fc4bfb2645a2d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQEvZAPO2s.bat

Filesize
199B

MD5
5b01e713701a8ca8a166fb7b042984f3

SHA1
1f9472c9e8b1febd79fc0211dd0f6f832699ac48

SHA256
6f365f5731664f59de21621762ada2478f8d4f560ad8370959299225ea9e183f

SHA512
ef3b855e928fdb09ad9c6cd84b73d75e02e9bf4c9468c91ac35b761e90bb6e9d7a032f6581e19e8de1a4eefba234a15f7dff9e020a2377c81f5f1f76908310d8

Download Submit
memory/836-11-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/836-0-0x00007FFEE6003000-0x00007FFEE6005000-memory.dmp

Filesize
8KB

Download
memory/836-276-0x00007FFEE6000000-0x00007FFEE6AC1000-memory.dmp

Filesize
10.8MB

Download
memory/836-222-0x00007FFEE6000000-0x00007FFEE6AC1000-memory.dmp

Filesize
10.8MB

Download
memory/836-210-0x00007FFEE6003000-0x00007FFEE6005000-memory.dmp

Filesize
8KB

Download
memory/836-3-0x00000000014A0000-0x00000000014BC000-memory.dmp

Filesize
112KB

Download
memory/836-4-0x000000001B850000-0x000000001B8A0000-memory.dmp

Filesize
320KB

Download
memory/836-6-0x0000000002E20000-0x0000000002E36000-memory.dmp

Filesize
88KB

Download
memory/836-7-0x0000000002E40000-0x0000000002E48000-memory.dmp

Filesize
32KB

Download
memory/836-8-0x0000000002E60000-0x0000000002E70000-memory.dmp

Filesize
64KB

Download
memory/836-9-0x0000000002E50000-0x0000000002E58000-memory.dmp

Filesize
32KB

Download
memory/836-1-0x0000000000A30000-0x0000000000BD2000-memory.dmp

Filesize
1.6MB

Download
memory/836-12-0x000000001C080000-0x000000001C08A000-memory.dmp

Filesize
40KB

Download
memory/836-13-0x000000001C090000-0x000000001C09E000-memory.dmp

Filesize
56KB

Download
memory/836-14-0x000000001C0A0000-0x000000001C0A8000-memory.dmp

Filesize
32KB

Download
memory/836-15-0x000000001C0B0000-0x000000001C0B8000-memory.dmp

Filesize
32KB

Download
memory/836-17-0x000000001C0C0000-0x000000001C0CC000-memory.dmp

Filesize
48KB

Download
memory/836-16-0x000000001C1C0000-0x000000001C1CA000-memory.dmp

Filesize
40KB

Download
memory/836-10-0x000000001B8A0000-0x000000001B8AC000-memory.dmp

Filesize
48KB

Download
memory/836-5-0x0000000002E10000-0x0000000002E20000-memory.dmp

Filesize
64KB

Download
memory/836-2-0x00007FFEE6000000-0x00007FFEE6AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1984-277-0x000001CFF6140000-0x000001CFF6162000-memory.dmp

Filesize
136KB

Download