dcrat | 4acea05ab0905a50470e55fcb4575e6feee6e7f5ae857bdd388818cee7a562c6

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
Size

1.6MB
MD5

f78812be8328346fd09f480c9737963a
SHA1

0db02b799e80a1659c9aede03b54a26aef2beb4a
SHA256

5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1
SHA512

4be91e19f7eb4d1475ad142cbe66620320f4ab62dbdf8555fe7701aa1d2ddd19d739c73b4a1c05669282de374ba1a5dca449464154bf141a62e6842250ad79ad
SSDEEP

24576:Usm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:UD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5564	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5544	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5400	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5652	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5968	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5608	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5696	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5636	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4876	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	4876	schtasks.exe	86

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/5732-1-0x00000000000F0000-0x0000000000292000-memory.dmp	dcrat
behavioral20/files/0x00090000000241c0-28.dat	dcrat
behavioral20/files/0x00070000000241f0-37.dat	dcrat
behavioral20/files/0x000a0000000234d3-48.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2864	powershell.exe
2868	powershell.exe
1204	powershell.exe
1628	powershell.exe
5320	powershell.exe
1948	powershell.exe
3732	powershell.exe
3416	powershell.exe
3428	powershell.exe
3668	powershell.exe
4148	powershell.exe
3992	powershell.exe
2192	powershell.exe
5904	powershell.exe
2088	powershell.exe
3488	powershell.exe
948	powershell.exe
536	powershell.exe
1296	powershell.exe
3884	powershell.exe
4144	powershell.exe
5684	powershell.exe
2348	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe

Executes dropped EXE 13 IoCs

pid	Process
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
2728	SearchApp.exe
5040	SearchApp.exe
5128	SearchApp.exe
3384	SearchApp.exe
5304	SearchApp.exe
1396	SearchApp.exe
6024	SearchApp.exe
5128	SearchApp.exe
1896	SearchApp.exe
4988	SearchApp.exe
1356	SearchApp.exe
3028	SearchApp.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4736_124933937\eddb19405b7ce1	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\29c1c3cc0f7685	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Common Files\RuntimeBroker.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\dllhost.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Common Files\RuntimeBroker.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\edge_BITS_4736_124933937\backgroundTaskHost.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\edge_BITS_4736_124933937\RCX5DB5.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\edge_BITS_4736_124933937\backgroundTaskHost.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\sppsvc.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\dllhost.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\unsecapp.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Common Files\9e8d7a4ca61bd9	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\edge_BITS_4736_124933937\RCX5D47.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ea9f0e6c9e2dcd	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\dwm.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\6cb0b6c459d5d3	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\MsEdgeCrashpad\attachments\7a0fd90576e088	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\sppsvc.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\unsecapp.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\0a1fd5f707cd16	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\5940a34987c991	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\dwm.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Provisioning\Packages\sihost.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\Provisioning\Packages\66fc9ff0ee96c2	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\Provisioning\Packages\sihost.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\OCR\winlogon.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4836	schtasks.exe
5608	schtasks.exe
1208	schtasks.exe
824	schtasks.exe
5544	schtasks.exe
4628	schtasks.exe
3628	schtasks.exe
4108	schtasks.exe
3892	schtasks.exe
8	schtasks.exe
3968	schtasks.exe
4588	schtasks.exe
4048	schtasks.exe
3920	schtasks.exe
848	schtasks.exe
3952	schtasks.exe
5052	schtasks.exe
1736	schtasks.exe
5432	schtasks.exe
4076	schtasks.exe
5400	schtasks.exe
1320	schtasks.exe
5968	schtasks.exe
2596	schtasks.exe
5636	schtasks.exe
3316	schtasks.exe
1900	schtasks.exe
5964	schtasks.exe
3388	schtasks.exe
4104	schtasks.exe
2468	schtasks.exe
2912	schtasks.exe
5696	schtasks.exe
2608	schtasks.exe
1052	schtasks.exe
3600	schtasks.exe
3472	schtasks.exe
6072	schtasks.exe
5776	schtasks.exe
2516	schtasks.exe
3136	schtasks.exe
3840	schtasks.exe
2028	schtasks.exe
5704	schtasks.exe
2508	schtasks.exe
4080	schtasks.exe
2968	schtasks.exe
4084	schtasks.exe
1604	schtasks.exe
1852	schtasks.exe
2460	schtasks.exe
1256	schtasks.exe
3644	schtasks.exe
2552	schtasks.exe
4208	schtasks.exe
1000	schtasks.exe
2364	schtasks.exe
4448	schtasks.exe
2480	schtasks.exe
3752	schtasks.exe
5564	schtasks.exe
5652	schtasks.exe
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
2348	powershell.exe
1296	powershell.exe
1948	powershell.exe
3732	powershell.exe
3732	powershell.exe
2348	powershell.exe
2348	powershell.exe
1296	powershell.exe
1296	powershell.exe
1948	powershell.exe
1948	powershell.exe
3732	powershell.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
3884	powershell.exe
3884	powershell.exe
3992	powershell.exe
3992	powershell.exe
1628	powershell.exe
1628	powershell.exe
3428	powershell.exe
3428	powershell.exe
2192	powershell.exe
2192	powershell.exe
1204	powershell.exe
1204	powershell.exe
4148	powershell.exe
4148	powershell.exe
3668	powershell.exe
3668	powershell.exe
2868	powershell.exe
2868	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	5320	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	5684	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	2728	SearchApp.exe
Token: SeDebugPrivilege	5040	SearchApp.exe
Token: SeDebugPrivilege	5128	SearchApp.exe
Token: SeDebugPrivilege	3384	SearchApp.exe
Token: SeDebugPrivilege	5304	SearchApp.exe
Token: SeDebugPrivilege	1396	SearchApp.exe
Token: SeDebugPrivilege	6024	SearchApp.exe
Token: SeDebugPrivilege	5128	SearchApp.exe
Token: SeDebugPrivilege	1896	SearchApp.exe
Token: SeDebugPrivilege	4988	SearchApp.exe
Token: SeDebugPrivilege	1356	SearchApp.exe
Token: SeDebugPrivilege	3028	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5732 wrote to memory of 1948	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	96
PID 5732 wrote to memory of 1948	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	96
PID 5732 wrote to memory of 3732	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	97
PID 5732 wrote to memory of 3732	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	97
PID 5732 wrote to memory of 1296	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	98
PID 5732 wrote to memory of 1296	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	98
PID 5732 wrote to memory of 2348	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	99
PID 5732 wrote to memory of 2348	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	99
PID 5732 wrote to memory of 216	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	104
PID 5732 wrote to memory of 216	5732	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	104
PID 216 wrote to memory of 3992	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	161
PID 216 wrote to memory of 3992	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	161
PID 216 wrote to memory of 3884	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	162
PID 216 wrote to memory of 3884	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	162
PID 216 wrote to memory of 3428	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	163
PID 216 wrote to memory of 3428	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	163
PID 216 wrote to memory of 3416	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	164
PID 216 wrote to memory of 3416	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	164
PID 216 wrote to memory of 4148	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	166
PID 216 wrote to memory of 4148	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	166
PID 216 wrote to memory of 3668	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	167
PID 216 wrote to memory of 3668	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	167
PID 216 wrote to memory of 5320	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	169
PID 216 wrote to memory of 5320	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	169
PID 216 wrote to memory of 948	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	170
PID 216 wrote to memory of 948	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	170
PID 216 wrote to memory of 1628	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	171
PID 216 wrote to memory of 1628	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	171
PID 216 wrote to memory of 2192	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	172
PID 216 wrote to memory of 2192	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	172
PID 216 wrote to memory of 3488	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	173
PID 216 wrote to memory of 3488	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	173
PID 216 wrote to memory of 1204	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	175
PID 216 wrote to memory of 1204	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	175
PID 216 wrote to memory of 2088	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	176
PID 216 wrote to memory of 2088	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	176
PID 216 wrote to memory of 5684	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	177
PID 216 wrote to memory of 5684	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	177
PID 216 wrote to memory of 4144	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	178
PID 216 wrote to memory of 4144	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	178
PID 216 wrote to memory of 2868	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	179
PID 216 wrote to memory of 2868	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	179
PID 216 wrote to memory of 5904	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	180
PID 216 wrote to memory of 5904	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	180
PID 216 wrote to memory of 2864	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	181
PID 216 wrote to memory of 2864	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	181
PID 216 wrote to memory of 536	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	183
PID 216 wrote to memory of 536	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	183
PID 216 wrote to memory of 2728	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	199
PID 216 wrote to memory of 2728	216	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	199
PID 2728 wrote to memory of 5976	2728	SearchApp.exe	201
PID 2728 wrote to memory of 5976	2728	SearchApp.exe	201
PID 2728 wrote to memory of 4208	2728	SearchApp.exe	202
PID 2728 wrote to memory of 4208	2728	SearchApp.exe	202
PID 5976 wrote to memory of 5040	5976	WScript.exe	205
PID 5976 wrote to memory of 5040	5976	WScript.exe	205
PID 5040 wrote to memory of 1960	5040	SearchApp.exe	207
PID 5040 wrote to memory of 1960	5040	SearchApp.exe	207
PID 5040 wrote to memory of 4524	5040	SearchApp.exe	208
PID 5040 wrote to memory of 4524	5040	SearchApp.exe	208
PID 1960 wrote to memory of 5128	1960	WScript.exe	210
PID 1960 wrote to memory of 5128	1960	WScript.exe	210
PID 5128 wrote to memory of 916	5128	SearchApp.exe	212
PID 5128 wrote to memory of 916	5128	SearchApp.exe	212

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
"C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4736_124933937\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
  "C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\TextInputHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\sppsvc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\unsecapp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\SearchApp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\sihost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\SearchApp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Users\Admin\Desktop\SearchApp.exe
    "C:\Users\Admin\Desktop\SearchApp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c31343fe-598b-40c7-91e3-621daa8d3a94.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5976
    - - C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39fc883c-85e4-4d48-bbbf-2b2708df6fa0.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4589f911-f5ea-4b38-8afa-dbb0eb8fb9dc.vbs"
        8⤵
        
        PID:916
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06516115-41b6-45ad-8c0d-ed16b814f226.vbs"
        10⤵
        
        PID:3976
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3935536e-9cab-493b-892f-53f904448ed8.vbs"
        12⤵
        
        PID:2868
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b54dff1-2559-4dad-baf7-24ed1ea8a55a.vbs"
        14⤵
        
        PID:2516
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bcf9d5a-52d5-4e29-a576-9213ac1ff952.vbs"
        16⤵
        
        PID:3980
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ef35114-b7b8-46bb-b4be-a9cf36a682d7.vbs"
        18⤵
        
        PID:3228
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02a55516-68c5-4a0b-b282-c7f9bf610e3f.vbs"
        20⤵
        
        PID:1020
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8372738a-aba8-44de-9e31-ecc1f6c7ab07.vbs"
        22⤵
        
        PID:5856
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce1853ec-e5b9-46bf-9e67-9c4ed30329e3.vbs"
        24⤵
        
        PID:1488
        
        C:\Users\Admin\Desktop\SearchApp.exe
        
        C:\Users\Admin\Desktop\SearchApp.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35ea0aa4-ce1a-4e33-9163-c2c0b9a5631b.vbs"
        26⤵
        
        PID:5428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\212df20c-b38c-4a23-b5a6-1ef32ef77762.vbs"
        26⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f400422-82aa-4d5d-bb40-c85eb611bf21.vbs"
        24⤵
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\714f8547-a07f-44ac-8b0c-160c4ea17749.vbs"
        22⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1171574e-3c14-4ce6-b3b1-e3ef94b41ca7.vbs"
        20⤵
        
        PID:4952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d601bd59-cb54-4869-94f2-e13283c1ebf3.vbs"
        18⤵
        
        PID:3388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95bfc9fb-fe53-4731-a6b0-e13515875388.vbs"
        16⤵
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6285b10-e8db-46a4-a13a-c32245aa1e42.vbs"
        14⤵
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74ff5a3d-6936-4621-82fb-84e3f8efd50f.vbs"
        12⤵
        
        PID:1464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e27a8ac1-f31f-4595-9653-8f86707e6768.vbs"
        10⤵
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a318730c-2fd0-404a-9f12-adeb16e29e3e.vbs"
        8⤵
        
        PID:1504
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44a57300-d928-43c0-b9da-94c5a2ac46f6.vbs"
        6⤵
        
        PID:4524
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cf52bb9-7060-4034-b09b-8372bf5ed99f.vbs"
      4⤵
      PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4736_124933937\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4736_124933937\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4736_124933937\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\34c553de294c1d56d0a800105b\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\34c553de294c1d56d0a800105b\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\34c553de294c1d56d0a800105b\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\34c553de294c1d56d0a800105b\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\reports\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Packages\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\34c553de294c1d56d0a800105b\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\34c553de294c1d56d0a800105b\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\MsEdgeCrashpad\attachments\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\34c553de294c1d56d0a800105b\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\34c553de294c1d56d0a800105b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\TextInputHost.exe

Filesize
1.6MB

MD5
a96b39bbd7ab0932df87a4e89abcd549

SHA1
e64c0820c00586578fbe1a1cb96d727ec7bcf9dc

SHA256
0d00c40128c00cf8cab7b83147b4e025d21821ab3572cee2779cb4ae2fb4f83b

SHA512
6689364569c6995874a63c7cf66a7291054ae4bbf5d5a84180401169964d8276648ad661d8c86c1316f0e1e0fac4bf22ec14b4524fded18f2c9967ee51d0b28f

Download Submit
C:\Program Files\edge_BITS_4736_124933937\backgroundTaskHost.exe

Filesize
1.6MB

MD5
96e82e833a770e399f76b12b73922291

SHA1
2788f579e83341de864a781ece1d8da12a9edbf1

SHA256
b02415ca4e0cf2e07f3097ecbfe75fc025ef1e6e819f97aa6e0613c2fe5acf90

SHA512
5a933dc8e61e793386c0ab82591552a60a003c7b21b875cceef72d68de0b8ec9a51bbc14d479383a8771bf7b1c9bf504fb0106a942a97b5c2d0351ade0a5ddbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e7d0883e28000a6270cf6b3b3f7b6c5a

SHA1
74d916eb15baa5ce4a168cd80d3d2c45d503daa2

SHA256
63f3369719ec0f4063138a71ba369a25fb4824bc035eaa4072ee6a5a1812480a

SHA512
4b4ade064020959bc677689fa658816c8c498c8117df70a1ae4076533972593b4e2c3bf45d39e28662892e12db07641f14870ef69292e81030f8b3d7c92302f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0b9ebff96ce87bb2948f7decf425a335

SHA1
3172582f4a97c15d0c5162c547fe81b811de8e74

SHA256
9e2d1f92a7985c38161bb08726c708271673b6644d66b327b72e5023a53daf2c

SHA512
4eeaf75114389ca025b6eb589c160f03ddceb2e2c67196f05cdf2da5c946c617816056265a0420dcae13c19781a291ef8c456cd08bca6760bbcdd89a83e96357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7e1db446e63a2aae76cd85440a08856

SHA1
c900cc81335dd3ca6337e21f5bcde80f8e8a88f3

SHA256
7305bcde3ba246a9b5c1666079c61596cc2ed2c651a1cd9e20557dba8a78c0e4

SHA512
dd63e28017eec632868489e469dd2ba54f20a3024be44550b729a0384bd55c5aa78171f7416612cd5174047afc544e21678ca164359962312b1d853c9bff04ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b22bcc023ccf6782c755f5b743aa3a52

SHA1
141150057021a07fa6aa03f46c9f2fd5719b3eeb

SHA256
a977c9d6fc409dbc0abbaa17e306eca391657f1f3c974cf1b004826000b8d1b4

SHA512
05c78b755324319a86857f3d249cfc9cc0c6c51a4f8ee94350a1936853e323af668fa8ee224d60eea618f1a7684897c3ce24713365dbeeba02e7718cbe4b3b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e553990b19dd2934af78d3052e4842cf

SHA1
633078a30d6973c66f2822c7e1d30f2f9b9c7dd8

SHA256
39dc99ba1deee42edf3ce13e33ff98be19c91ba1336eb2df61d5ae6568770ca0

SHA512
86218c02c0639c7154b413eb75eb917e56d2e78044f908f2c07b38a4e9e002142fbc74b0d35d9636135a41f86219d5d11b849897c9408d0c5b3ebcc9e4802154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
71d06dd91d6e240845f49194fa981dc4

SHA1
e9209ae4f90f0c1821241816d88635151c2f1867

SHA256
fa01288aee6554af7d3760b40cd9ad1f6f16bf84256f8bb5fbd5cab8c552e232

SHA512
20dcf696ff516e2eef577e06dc2de2d6c2e23a18ecef51bf27f4473827c5c229596e7ea9ce20400c91654984e91d5e451f04b653f19e64c0b7414d27da65a7e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d7e01f2da5faf06203d0bdcf32f2aee

SHA1
972128bc0896422301531607773f6af989535547

SHA256
57df11f5726f22f6b65380a63c6ddeeced49bd543781cf05428932500c6e2cef

SHA512
2d446d1ed39875581a11fc433c9fd13c7b5ad4133c50f93cfc18e355339c1dd8937058864250c9e3d659049f4feb8cf8e1ce3fd90716eb5c9b8cd309b9ccc16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8202723a82f7477bbb09846c2edcf583

SHA1
72bd9892d54f6d93c7798e86dbfa72b86e075c41

SHA256
8070ccb83f012da20d8b4bb6e085e163dbd4e93ab56787933acfd82aef5dcc99

SHA512
f2be04e53918961d879a7a7a6a80da7489954bb531ecf2d219ece4973ca8cf28076758e5d3940b59c2f5233059c830dcd8086a4a41a1266d44a7e9687a31bbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
90355e74a38e1aab8c3a306b3021da95

SHA1
4636ca6d7a6e4e3fc740a6a220826b5329b76e1f

SHA256
5851b1399bab7cbbbec6259b420ef8b2e6d1e8e9e03938d4ee0c04e3597c7658

SHA512
63e2b243a807d3e9d8aea8829d695e48d1c5731ae1ba2324870ce94bbf37e74ed00d923f28c2816da338380800de840ea05e855aa870451d64d2274eb3d6a785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2297d8c8249bd58f1603d645778049b4

SHA1
0bc8812a34e12b4e6b9c42ec89374a5873206ebd

SHA256
77232a4c2ff52023ad57a997d05ff0057ad7340df932b132223dcf559109b66b

SHA512
39a1dc3cda029657593a4882536a06380eb3b867d24d2fcee6dd834d4f08467524c6c2f3d8e89372207c3e4cd70a879abdaddfe0b89c0dfa02bf1c77946512a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e72aedd960aa9abe03c753aed3677fc

SHA1
2aef2f996742ae33944720e459adef9984c03923

SHA256
b48c0c7d3da325af1226ee2709051da199b3b260c465466a71506dfe84ce00e4

SHA512
59e29c4d3e816df659d34c2cb306cc55a7b996b12994994e500a5628884451e9ac4840bca779d287114b297471d376fdfcf8d663711bae2ffbeeea973fe1671f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0db76826ef1eb39b10f50c9c98411802

SHA1
88a49701de5a338400b3f5b40deb2608b413ab84

SHA256
f09445a05f2cf45e3d1d8f826bbb4fa78f1fcbf04311a5f5e8e3b7c90e1069ee

SHA512
0247c74dde74f8f1062fd2b28fc57b3bb567e42db8e594f2712fec65e045bdaf4be8c76e9b5f98af48dacdf863091ffa446dfa9583afb4a70c73809cbfa5aaa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2459836356fd0ad328eb74b5f1d0bbec

SHA1
1f95e7c2cc924a67def9359c5bdd074472b13327

SHA256
a75beb90704e50cdf4f3faeb95bb2e59079f13d1da7c3af6e7fc99bac7c63cfb

SHA512
a331dd53aee910e3c4acda76a0163c99fbbcc81092e5143cdba0508254c3e80f326200129be49d5738a14ed459c673061c38fe605a756e6ba50491c87f76a8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\02a55516-68c5-4a0b-b282-c7f9bf610e3f.vbs

Filesize
712B

MD5
72caab7f7800b2c73faa350d1070fc75

SHA1
adeaac5889060884c2efdf334a3db8c75d4fcf37

SHA256
6f515cddbb1995a3c8ce1a58e96739b83e9e27e3d793fe13e5b98099c7b41a95

SHA512
e5ee195ba174766283c758220c4720b862e26444d13bdf4865141937ed2518d6abfcc768d9f71d5d64404fd4d0f285a95693e1298435de49870faaf3d5288a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\06516115-41b6-45ad-8c0d-ed16b814f226.vbs

Filesize
712B

MD5
c1d45c8c6fd258afe17578711b2ab871

SHA1
b6b1ffe9418002c2cb0a390bed9da627c27d08d6

SHA256
641708b170833331ce87aaffbd1ff58c6c2864e27e093c25122f214239f07cc4

SHA512
628f6119fb485ebfd4663c14f1c16785175f2c844a87cac523796dcbaecafd3f0f25cba526fb56a54b085319d0effc409a94ca002cdedbddcf3a896424bb6238

Download Submit
C:\Users\Admin\AppData\Local\Temp\3935536e-9cab-493b-892f-53f904448ed8.vbs

Filesize
712B

MD5
d35b3ad58fbbb3fe811e1fdc01c0d7dd

SHA1
f7c280067b395a1798cad7a548e3000fe18c4310

SHA256
1ce09e4e03db4fce721cd31f51ac35622c013a0dec62e35b9b237bdfcfa3c8eb

SHA512
4633dd5cb3eaed6576aa1d453cc93d21486bcf2ef8d0104ae3a4e71e86671754688d904d962bad9c49d31453d62466272c39a5b32752ffb7274a38740324d4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\39fc883c-85e4-4d48-bbbf-2b2708df6fa0.vbs

Filesize
712B

MD5
44a3f637ce82420bd72097c40d8e4a7d

SHA1
d7f1eb57b2a0f2716f9ea034bf938a72930abee2

SHA256
0b031510b2cfc8bac4b498ef47eab3d4f0aa24b967cfc32d0a1ba2b0ecbe575b

SHA512
d94a2a954dcc18ab583411e87a285c6e66ab31577d2807722dd314b3667236e3d84f9b51a4b0c0b5a84a59170903c369d2576ccd0c3423dc5a94697bcb3417d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cf52bb9-7060-4034-b09b-8372bf5ed99f.vbs

Filesize
488B

MD5
3b366cd449a2686bd5b47317d5c57e48

SHA1
bd97aaab09ba6631d6bca56384c2ca8b57fe0345

SHA256
b1dd615e7d672c1519579f111a4adcd73303a3087443592b412d97247bb1151f

SHA512
9e8ec46e10754cf34417fec37f7e6ae02fcf7f434010b8bd968b991e25e0059faa50cfa7160ee3bef84c8f1cbbb21aca95953f374bb8a394bd3975e576f6eed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4589f911-f5ea-4b38-8afa-dbb0eb8fb9dc.vbs

Filesize
712B

MD5
d6eb15a6d3992d7d11b3f9391f5d75d2

SHA1
5316eccf4824f0384e0b5a8b537c6eebf3435397

SHA256
0c4b0ff458d04d62d7aaa5c28bfb473043b934dbf9a1b999df87679bdc1e5270

SHA512
80afe060ff1044f2106175beb656f3dc251339925fdf038afcaf9244de565569a61c323043a16489e2245c60a43419393855f472510c202ec78445ec9bace9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b54dff1-2559-4dad-baf7-24ed1ea8a55a.vbs

Filesize
712B

MD5
70a2f4b907917a6e3a00c609cff6fb2d

SHA1
7279bd362e55f6a8a2e8fec98b669a9e532d953a

SHA256
8a8564d839ee479002b20a23dedac21181f10693081608d3533c612b543c3bab

SHA512
4cca9aa0ac3a693fa29454f50e99e452b4937f2dddf32d41fb80aeb8a9b678008f0d8995a3418fbc3ee42623b2fafbafdc4db7ca741d4a9499f195cb85c10fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bcf9d5a-52d5-4e29-a576-9213ac1ff952.vbs

Filesize
712B

MD5
46c393b0e63bc23f4c2f71816cb42ee0

SHA1
1c6f698841cfc86e33db2df7a96ace072b6b9e36

SHA256
004ec850b69462fb823bf857f9a12e13ebd2a11460154fb5e36f7a733ed05a21

SHA512
1b921f030e3a5d7dcbd7e51c93f6da278e334ac6b58b235901410498fe2aad3aa01afc88252011ee48afd91294ee958e8772713a790cb4f50f7e86a02a16e473

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX58B0.tmp

Filesize
1.6MB

MD5
f78812be8328346fd09f480c9737963a

SHA1
0db02b799e80a1659c9aede03b54a26aef2beb4a

SHA256
5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1

SHA512
4be91e19f7eb4d1475ad142cbe66620320f4ab62dbdf8555fe7701aa1d2ddd19d739c73b4a1c05669282de374ba1a5dca449464154bf141a62e6842250ad79ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dpv33br.hex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c31343fe-598b-40c7-91e3-621daa8d3a94.vbs

Filesize
712B

MD5
d8d4969f0b9f51eb3a8556590ab6be8b

SHA1
c62a536fa402a8fdb0cb0b8e83bb15ce1c6e0004

SHA256
c0fed66ffba3f8b1ecd80c8e4200543c7b288ab3e445001139ab6a68e3a6054b

SHA512
e2a3ef279ff5f554b60aceda7f2ed78612daf3979fcdaef53a3dffbd690908d34bd14a195ea3bc4c8f71991b74daf21a8b029840bea1d96aec045c39f25cb582

Download Submit
memory/1396-522-0x000000001CB70000-0x000000001CC72000-memory.dmp

Filesize
1.0MB

Download
memory/2348-74-0x0000017DE7BE0000-0x0000017DE7C02000-memory.dmp

Filesize
136KB

Download
memory/3384-498-0x000000001C720000-0x000000001C822000-memory.dmp

Filesize
1.0MB

Download
memory/5128-486-0x000000001C7C0000-0x000000001C8C2000-memory.dmp

Filesize
1.0MB

Download
memory/5304-510-0x000000001C460000-0x000000001C562000-memory.dmp

Filesize
1.0MB

Download
memory/5732-16-0x000000001B040000-0x000000001B04A000-memory.dmp

Filesize
40KB

Download
memory/5732-11-0x00000000024A0000-0x00000000024AC000-memory.dmp

Filesize
48KB

Download
memory/5732-6-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/5732-7-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/5732-8-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/5732-10-0x0000000002480000-0x000000000248C000-memory.dmp

Filesize
48KB

Download
memory/5732-0-0x00007FFE80143000-0x00007FFE80145000-memory.dmp

Filesize
8KB

Download
memory/5732-5-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/5732-4-0x0000000002430000-0x0000000002480000-memory.dmp

Filesize
320KB

Download
memory/5732-9-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/5732-13-0x000000001B010000-0x000000001B01E000-memory.dmp

Filesize
56KB

Download
memory/5732-3-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/5732-12-0x000000001B000000-0x000000001B00A000-memory.dmp

Filesize
40KB

Download
memory/5732-2-0x00007FFE80140000-0x00007FFE80C01000-memory.dmp

Filesize
10.8MB

Download
memory/5732-14-0x000000001B020000-0x000000001B028000-memory.dmp

Filesize
32KB

Download
memory/5732-17-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/5732-15-0x000000001B030000-0x000000001B038000-memory.dmp

Filesize
32KB

Download
memory/5732-109-0x00007FFE80140000-0x00007FFE80C01000-memory.dmp

Filesize
10.8MB

Download
memory/5732-1-0x00000000000F0000-0x0000000000292000-memory.dmp

Filesize
1.6MB

Download