dcrat | 5e5d5458b8a025c2bc9a6e7998492989732967c9a1019b11d655200adf3686c7

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
Size

1.6MB
MD5

cd1634a0788a7e0c1120930a46dcceed
SHA1

5e990eda55dd6b4f6001898f8f4d828518d05c9b
SHA256

832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90
SHA512

7c4758fdb7fdc7fe06e542b0e64e245c6dae141b4355458e90fb7a600db94ef0d53cb0b18760833112d1e21e42528b03bce6f6196bbe9fe0aa228803e5ac2335
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5280	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5612	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5328	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5224	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5380	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5668	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5492	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5856	4092	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	4092	schtasks.exe	88

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral26/memory/4456-1-0x0000000000EE0000-0x0000000001082000-memory.dmp	dcrat
behavioral26/files/0x00070000000241de-26.dat	dcrat
behavioral26/files/0x0011000000024202-192.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2148	powershell.exe
2916	powershell.exe
5240	powershell.exe
996	powershell.exe
4016	powershell.exe
3156	powershell.exe
5720	powershell.exe
4908	powershell.exe
5608	powershell.exe
2540	powershell.exe
2240	powershell.exe
2616	powershell.exe
5144	powershell.exe
2560	powershell.exe
5400	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 14 IoCs

pid	Process
1656	OfficeClickToRun.exe
868	OfficeClickToRun.exe
4756	OfficeClickToRun.exe
1468	OfficeClickToRun.exe
3040	OfficeClickToRun.exe
5224	OfficeClickToRun.exe
4156	OfficeClickToRun.exe
2272	OfficeClickToRun.exe
5796	OfficeClickToRun.exe
2348	OfficeClickToRun.exe
4600	OfficeClickToRun.exe
3588	OfficeClickToRun.exe
4728	OfficeClickToRun.exe
1288	OfficeClickToRun.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX53F4.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX53F5.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteApps\upfc.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\RemotePackages\RemoteApps\ea1d8f6d871115	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX51F0.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\upfc.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\Speech\taskhostw.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\Speech\taskhostw.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\Speech\ea9f0e6c9e2dcd	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX51EF.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\Speech\RCX5609.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\Speech\RCX560A.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4792	schtasks.exe
4816	schtasks.exe
2332	schtasks.exe
228	schtasks.exe
3272	schtasks.exe
5432	schtasks.exe
3984	schtasks.exe
5060	schtasks.exe
5328	schtasks.exe
1784	schtasks.exe
4412	schtasks.exe
5612	schtasks.exe
5380	schtasks.exe
3764	schtasks.exe
4300	schtasks.exe
1768	schtasks.exe
3312	schtasks.exe
1088	schtasks.exe
5324	schtasks.exe
1368	schtasks.exe
4112	schtasks.exe
4864	schtasks.exe
3776	schtasks.exe
1232	schtasks.exe
3188	schtasks.exe
1776	schtasks.exe
5492	schtasks.exe
3944	schtasks.exe
3248	schtasks.exe
5856	schtasks.exe
5668	schtasks.exe
5280	schtasks.exe
1300	schtasks.exe
5224	schtasks.exe
1500	schtasks.exe
4900	schtasks.exe
4684	schtasks.exe
4276	schtasks.exe
5020	schtasks.exe
5032	schtasks.exe
1124	schtasks.exe
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
2540	powershell.exe
2540	powershell.exe
5608	powershell.exe
5608	powershell.exe
996	powershell.exe
996	powershell.exe
2560	powershell.exe
2560	powershell.exe
3156	powershell.exe
3156	powershell.exe
2240	powershell.exe
2240	powershell.exe
5720	powershell.exe
5720	powershell.exe
4016	powershell.exe
4016	powershell.exe
2148	powershell.exe
2148	powershell.exe
5144	powershell.exe
5144	powershell.exe
5240	powershell.exe
5240	powershell.exe
2916	powershell.exe
2916	powershell.exe
4908	powershell.exe
4908	powershell.exe
2616	powershell.exe
2616	powershell.exe
2616	powershell.exe
5400	powershell.exe
5400	powershell.exe
4908	powershell.exe
5400	powershell.exe
2540	powershell.exe
5608	powershell.exe
996	powershell.exe
5608	powershell.exe
2240	powershell.exe
2560	powershell.exe
2916	powershell.exe
4016	powershell.exe
5240	powershell.exe
5144	powershell.exe
5720	powershell.exe
2148	powershell.exe
3156	powershell.exe
1656	OfficeClickToRun.exe
1656	OfficeClickToRun.exe
868	OfficeClickToRun.exe
4756	OfficeClickToRun.exe
1468	OfficeClickToRun.exe
1468	OfficeClickToRun.exe
3040	OfficeClickToRun.exe
5224	OfficeClickToRun.exe
4156	OfficeClickToRun.exe
4156	OfficeClickToRun.exe
2272	OfficeClickToRun.exe
5796	OfficeClickToRun.exe
2348	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	5608	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	5240	powershell.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	5144	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1656	OfficeClickToRun.exe
Token: SeDebugPrivilege	868	OfficeClickToRun.exe
Token: SeDebugPrivilege	4756	OfficeClickToRun.exe
Token: SeDebugPrivilege	1468	OfficeClickToRun.exe
Token: SeDebugPrivilege	3040	OfficeClickToRun.exe
Token: SeDebugPrivilege	5224	OfficeClickToRun.exe
Token: SeDebugPrivilege	4156	OfficeClickToRun.exe
Token: SeDebugPrivilege	2272	OfficeClickToRun.exe
Token: SeDebugPrivilege	5796	OfficeClickToRun.exe
Token: SeDebugPrivilege	2348	OfficeClickToRun.exe
Token: SeDebugPrivilege	4600	OfficeClickToRun.exe
Token: SeDebugPrivilege	3588	OfficeClickToRun.exe
Token: SeDebugPrivilege	4728	OfficeClickToRun.exe
Token: SeDebugPrivilege	1288	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 996	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	131
PID 4456 wrote to memory of 996	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	131
PID 4456 wrote to memory of 2540	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	132
PID 4456 wrote to memory of 2540	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	132
PID 4456 wrote to memory of 5400	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	133
PID 4456 wrote to memory of 5400	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	133
PID 4456 wrote to memory of 2616	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	134
PID 4456 wrote to memory of 2616	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	134
PID 4456 wrote to memory of 5608	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	136
PID 4456 wrote to memory of 5608	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	136
PID 4456 wrote to memory of 2560	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	137
PID 4456 wrote to memory of 2560	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	137
PID 4456 wrote to memory of 5240	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	139
PID 4456 wrote to memory of 5240	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	139
PID 4456 wrote to memory of 4908	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	140
PID 4456 wrote to memory of 4908	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	140
PID 4456 wrote to memory of 5720	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	141
PID 4456 wrote to memory of 5720	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	141
PID 4456 wrote to memory of 2916	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	142
PID 4456 wrote to memory of 2916	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	142
PID 4456 wrote to memory of 3156	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	143
PID 4456 wrote to memory of 3156	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	143
PID 4456 wrote to memory of 2240	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	144
PID 4456 wrote to memory of 2240	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	144
PID 4456 wrote to memory of 2148	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	145
PID 4456 wrote to memory of 2148	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	145
PID 4456 wrote to memory of 5144	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	146
PID 4456 wrote to memory of 5144	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	146
PID 4456 wrote to memory of 4016	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	148
PID 4456 wrote to memory of 4016	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	148
PID 4456 wrote to memory of 1656	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	161
PID 4456 wrote to memory of 1656	4456	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	161
PID 1656 wrote to memory of 6140	1656	OfficeClickToRun.exe	164
PID 1656 wrote to memory of 6140	1656	OfficeClickToRun.exe	164
PID 1656 wrote to memory of 6076	1656	OfficeClickToRun.exe	165
PID 1656 wrote to memory of 6076	1656	OfficeClickToRun.exe	165
PID 6140 wrote to memory of 868	6140	WScript.exe	174
PID 6140 wrote to memory of 868	6140	WScript.exe	174
PID 868 wrote to memory of 100	868	OfficeClickToRun.exe	178
PID 868 wrote to memory of 100	868	OfficeClickToRun.exe	178
PID 868 wrote to memory of 5884	868	OfficeClickToRun.exe	179
PID 868 wrote to memory of 5884	868	OfficeClickToRun.exe	179
PID 100 wrote to memory of 4756	100	WScript.exe	182
PID 100 wrote to memory of 4756	100	WScript.exe	182
PID 4756 wrote to memory of 5136	4756	OfficeClickToRun.exe	184
PID 4756 wrote to memory of 5136	4756	OfficeClickToRun.exe	184
PID 4756 wrote to memory of 2040	4756	OfficeClickToRun.exe	185
PID 4756 wrote to memory of 2040	4756	OfficeClickToRun.exe	185
PID 5136 wrote to memory of 1468	5136	WScript.exe	195
PID 5136 wrote to memory of 1468	5136	WScript.exe	195
PID 1468 wrote to memory of 4904	1468	OfficeClickToRun.exe	197
PID 1468 wrote to memory of 4904	1468	OfficeClickToRun.exe	197
PID 1468 wrote to memory of 5536	1468	OfficeClickToRun.exe	198
PID 1468 wrote to memory of 5536	1468	OfficeClickToRun.exe	198
PID 4904 wrote to memory of 3040	4904	WScript.exe	200
PID 4904 wrote to memory of 3040	4904	WScript.exe	200
PID 3040 wrote to memory of 4512	3040	OfficeClickToRun.exe	202
PID 3040 wrote to memory of 4512	3040	OfficeClickToRun.exe	202
PID 3040 wrote to memory of 1136	3040	OfficeClickToRun.exe	203
PID 3040 wrote to memory of 1136	3040	OfficeClickToRun.exe	203
PID 4512 wrote to memory of 5224	4512	WScript.exe	204
PID 4512 wrote to memory of 5224	4512	WScript.exe	204
PID 5224 wrote to memory of 2236	5224	OfficeClickToRun.exe	206
PID 5224 wrote to memory of 2236	5224	OfficeClickToRun.exe	206

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
"C:\Users\Admin\AppData\Local\Temp\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
  "C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8233714-65d6-4133-a5aa-499a0d26d1a6.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6140
  - - C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
      C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ead730e-f561-4f76-93bf-89ae86194f0d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:100
      - C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f007f27-14a3-4677-a145-be1a52ea0e55.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5136
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2e9b184-3050-4cb8-9542-0d15d93390af.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f271929-6a6f-4f36-89f8-8513c9e7021b.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c9ba1ca-bfdb-4a04-ae73-2021299b3568.vbs"
        13⤵
        
        PID:2236
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd9b4e7c-0c58-4458-a41a-bb90c3e47590.vbs"
        15⤵
        
        PID:4936
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ba8a3e3-9355-4186-98a2-d5d3d2210d7a.vbs"
        17⤵
        
        PID:4628
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22b7d38f-edfc-44d6-a5db-15e1a1440786.vbs"
        19⤵
        
        PID:1700
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1af5ef3-a777-49b9-939a-447055b13b10.vbs"
        21⤵
        
        PID:1492
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\545d5c12-492c-4b40-9211-e197f371e9e8.vbs"
        23⤵
        
        PID:1952
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4490d344-b9e8-4db3-a42b-4fd08db1cddc.vbs"
        25⤵
        
        PID:4924
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90880ac2-3b57-402d-a3f8-9bbc925eca81.vbs"
        27⤵
        
        PID:5392
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        
        C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b31a1a0e-3d14-4d2e-934b-568708f68175.vbs"
        29⤵
        
        PID:5932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca40d9c7-7b57-4a10-bc9f-7f327148c7e6.vbs"
        29⤵
        
        PID:4316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c16af98-145f-4e5b-95e0-ebc5681e2a32.vbs"
        27⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\133c8b02-8aab-45cf-890e-6feb1dd9a7c0.vbs"
        25⤵
        
        PID:5404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f5bc856-c409-44f9-af64-a3c3598258c3.vbs"
        23⤵
        
        PID:6048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39a18a4a-456f-440c-be05-6a2f14b04266.vbs"
        21⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5df53c0d-ac28-47cc-baec-36067612ca1c.vbs"
        19⤵
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85f5ceed-bc89-4690-b346-144e358f7e8e.vbs"
        17⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2b1202a-8565-4076-89d8-4cc20d4f1143.vbs"
        15⤵
        
        PID:4792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffc9ea97-15ef-4d7e-b605-958f701b718d.vbs"
        13⤵
        
        PID:3744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4abfaf3b-caac-4215-b24f-1881cb8762f7.vbs"
        11⤵
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03d416d0-9270-464d-b860-906a4f050ace.vbs"
        9⤵
        
        PID:5536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16e0b085-bc01-47b9-86be-42fb62ff497a.vbs"
        7⤵
        
        PID:2040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d322a22-784f-4e0f-8fb9-9d4810fb6434.vbs"
        5⤵
        
        PID:5884
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e1271e4-5cfe-461c-9aeb-fe2724c40dc1.vbs"
    3⤵
    PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Speech\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\34c553de294c1d56d0a800105b\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\34c553de294c1d56d0a800105b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\34c553de294c1d56d0a800105b\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2f3e0199fccb3f72e8a39924edc6a781\smss.exe

Filesize
1.6MB

MD5
a5cdb5e1b9c0e3e7e3b93b4aa5d75b9d

SHA1
51e1109fbe9e9d7a7c5dcc14a98cf7d94b27cb46

SHA256
6dd8a6bc808e76be6990d1362c610cf5b9ce38ffd9f6431884007b80c1c9e3cd

SHA512
1a84bbebd9e78655ca8fbd1a4e2dbaddcef55697ed699cd5b99c5ee47b43cb1c8d02fec20fd37248a5aba9f811be2c053b3d1d7674140373c3c8ba9ba71a9736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80dfd43d9904cb4bdd37f6934f47ccf8

SHA1
72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

SHA256
a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

SHA512
793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9191187d695b2965f2ceb651f0b37ee8

SHA1
b50a4038fb94c8aa7cff8d6941a4329b5b2ae8c7

SHA256
654a46452391ae3310ff9c6a4c820774e950276014fea044c41f007f6c335833

SHA512
90094f44f83470c88c4fcecb239f70e8e791b3b3da628c00676e3c4791766808b4e31c12beef2a7bc7d6a12d05bd8150888461ed1ef7e9eebc8697f6955d63bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
643f98db244717856667bfd771e9db1c

SHA1
5434950e3506ae0cca216690c8fb5d2b38dd591d

SHA256
5e01aecf68e759cce4264330c3b7bc5b30b0d6c17718e558543c87530cf78256

SHA512
886d498dfce303f191b32d7001197aad7bd5eec12b5885ef620be32750902da2369536b10f451e712380bd7b420c051447b998d42f53ffae9b6a358c4db66a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9038073858225f9afc939a0a2385005d

SHA1
ccd8ee1416a8e738628ffd01f39eca6324000563

SHA256
3fc794e69bf73ea36eccc866688e3ba9303224c00f264f4b771bdb536035240e

SHA512
cb0f4422b84975595744bf183a71527b053cf738f19aa4ed1008c35d5ea6fb9e2c8ae142a81eeae2091abf2a17e24c6beca488a9c3ea6b6d2d989e3a58a52d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ceb796de20c8360e1e53623d78696e8a

SHA1
52e20d1bb718b5e04290816c3c740d8f89265bcb

SHA256
cdf217f7e76215d14186a36614f8d2bd6f911869af5c12d98827ec42734ce321

SHA512
2d9f010240f49f4ea4537ece426edeccf8f6b1f2013bfb5e5e8412bc54993043e101f205ed5ca93f26d77de3cce1ab7620b7f97792df06d6c803695f9baaf869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0c87ff349c47ae6e678ea72feb4bb181

SHA1
0668dc890d29354fbb86cfaeae5363d9f2c1fdc8

SHA256
68decb0f61e56ef1ad4a9c69e0c496ac30ead7bdb15ae2830a01a21cb4c243fc

SHA512
32a9a76ddc1de0612c74ce170e86e716fde003306c202c68573ce4dcbb58e2ff59b7bdff77e4c259c869f4443e2c6aa023d1fcae6857ea36e4bf8a3110b58fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16a6a93b66d0e764324e2abde988e87f

SHA1
2e79e9a885d4fe41ca396cc4f5d79c5803c87911

SHA256
617d34790965de2672b4ea86c7c078637b1225b70596c064bf3b53bc44dba881

SHA512
32ca76d665bee47070b52df6d9e8e2ffd972558cb2662ff0e851382a4f2824d661f6589c300f7f53efd3226d78f81fa9a7c96819fd2b4b1c7a17a1f02c6bc4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c9ba1ca-bfdb-4a04-ae73-2021299b3568.vbs

Filesize
726B

MD5
7dc57589457ebe284c44be0d96c615b5

SHA1
67480924b98525885515305dbe9d740a1d83903c

SHA256
b0a089c96f097fb685bb8c6c0553e7978851b7b870845e0fcced995664df768c

SHA512
8821b7536a44ef3a099283b5229090a90ee9662a4c51166b767d9acbcb7187d2b1a78d38a282f140b50a7ca1783cf7076ae55d57cb14f4d52acda156d2f9e885

Download Submit
C:\Users\Admin\AppData\Local\Temp\22b7d38f-edfc-44d6-a5db-15e1a1440786.vbs

Filesize
726B

MD5
0a8a7972642bbed5bb4e5edbc3fbf4bb

SHA1
40375aaad40f994e38d9dbda931e25811f7c2557

SHA256
1b664a064c71a8f3b89276194d51e2355afc54bd4c0d7ca44cf61793642188ea

SHA512
1d01614c54e5db77ed02a2ad2e889da786e52b659131459c07e86f0a2d96873e7e295956f0ecc016867b15d9792185475a46db517ad2d8e858bb77868f55c306

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e1271e4-5cfe-461c-9aeb-fe2724c40dc1.vbs

Filesize
502B

MD5
cab3a001ce7a88fb813caf09a43fea50

SHA1
61cd346268c10a6233d7b2fabdcdc0040c9c460a

SHA256
918d56e204f63490b9f03fd432a26c86ea581066dd150db5fb05a9823b21f8cd

SHA512
6ebfec36ed24968e1a1b8225c81eef38d1ac5f683cbfe6b356a36cab7bc86a23b25be0c0ffca378fdd970f5ed26193fb2e00ed82c06733e6547fe34398bd8ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f007f27-14a3-4677-a145-be1a52ea0e55.vbs

Filesize
726B

MD5
f86a183f5ebbd04d13ee758cdcf19be1

SHA1
5448787360ffcae4ca12c1058dd6050449f2c22d

SHA256
d6e9680ab316ebdb45510451c4497189718f21d257983146fde5b20c8569b848

SHA512
95bed1b72b74f40b82b8eea373392c6840e606375fca398d49bccd2fa964317ef86e0c0eae1632b179b9befb2a8cbd3c013d6449a3ea12b5d11e578c7fb207cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4490d344-b9e8-4db3-a42b-4fd08db1cddc.vbs

Filesize
726B

MD5
d080f6c8913bb10b461e7b3a8c7a25a1

SHA1
07f927c418f5daa050f991af98f4e6d8f1fbd8e1

SHA256
ae7755fab03de319e173a08e7efa161c33d7ad16e2f14b34bc96887ace3484e4

SHA512
36bf0c0348b8b7a5fcfb29b1400f83064892fcb6d46c09e37ae4e218893f7efc8c32edebb3509fc8ab08ffd579749ac480815d7592f807bf18d6ee6a9cce1317

Download Submit
C:\Users\Admin\AppData\Local\Temp\545d5c12-492c-4b40-9211-e197f371e9e8.vbs

Filesize
726B

MD5
dd9f1759cabf585710947f868edd3c25

SHA1
e266ff820d2ef7b95cb019266e692bea09891802

SHA256
6e48fce4aa297f8248a76b4e2eab1c938b16cd2149871c760923b4f5943cdeda

SHA512
8c23f826a531c5ea0b36077d3d662bcacade41d873eb948c8e6f92861fd55325d8dc05c8a17c7b2818849fc35618fb63ef775ae4dd0ab3908a87245438491186

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ead730e-f561-4f76-93bf-89ae86194f0d.vbs

Filesize
725B

MD5
f4e2cbc7931be8f03b4583f00451a3e1

SHA1
37619968efe5781ea2a75a509a4017a86e90a40f

SHA256
3ba64fb6bc68acf8d39d6d9089c607d40e05205facb8d23226216db3bc145e48

SHA512
1087ff39bb6f1da865c744596b0f5e35aeb3ad8a66aaa4e3e34133575d3d36c5e62ab877b44c83245f931fe75fc5137ebf3469562c69cb6e740d054e1d00c4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f271929-6a6f-4f36-89f8-8513c9e7021b.vbs

Filesize
726B

MD5
2def3a6889cabd098449bb64621d868e

SHA1
ed368f7a0c16e9757526932d7a5016019eb23a8d

SHA256
b853a9dfc64139c1b0e3708909d1252bc78c72caf101ccbb29126b80cebe1c6d

SHA512
9b4add6b1d1a9b39bc23ff2b81ebe383f2ff3e8c66a2ec7164019eaf009c522c7992fc3d101d81205e26482798ecbd93f129c795c81b5bcaebf6a805aaae149f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ba8a3e3-9355-4186-98a2-d5d3d2210d7a.vbs

Filesize
726B

MD5
27b088dab262ca204cc96b909bc88a03

SHA1
c9c0617a0740ded480aaca9b24a39cb2ea695d07

SHA256
3c1ab40f27158336ed1beb7b66bca03c8544666a31c0ae7a072aba325fb45d6b

SHA512
0352c8675f9b5bfbf1f873a54d0afe00e8ed4dd98cb2ebd96a3d7887f22ba695f0b1f73e4410829794c1f3ddb5dc0f8de1066964d30b7a4be568fcab42d94ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ec4wewsf.h05.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1af5ef3-a777-49b9-939a-447055b13b10.vbs

Filesize
726B

MD5
65babe8045232392750042e79a36dfe6

SHA1
22d7486efa87efa9d9931417404806b366fc1310

SHA256
f0ecf0686043059c6a7fd72f94819ec5d45e6cfac8028fc7a53ce62e3bf92bb7

SHA512
5db30942b24b63079cfb96c6560325fbd351f749845e3e76cdffeebe6b69bc71237866aed1bc279b2f6045a47dd766bb78b2803472fdc2db0fa3f85579e49872

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd9b4e7c-0c58-4458-a41a-bb90c3e47590.vbs

Filesize
726B

MD5
69b90fcbe4951e0f2f447c8e183b0971

SHA1
98c697285dc3e562712fa28014575253ab04a968

SHA256
8154c7f7326587ff503953efb1cc143dc564e7e56824bad131370a59ffe64bf9

SHA512
9e24e5540ca71f744cc38ffb090a474772fe5137acd4ac8a867a43bfbc4f8a91460987b36a79b38f70628447634d38358e47fbb77f5bc2ff9c72a600b55ff1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2e9b184-3050-4cb8-9542-0d15d93390af.vbs

Filesize
726B

MD5
b5c0c90922cbd10c554df64fba88b457

SHA1
1c2192d3f1d09b86e48789fccb1ff142e6e8876a

SHA256
6d381acdeee896aa48bcef8dc7d7f5fdb5694f91f1c32e579b008168679e51c0

SHA512
88137a3335a31ce988d41aa5d52223bb0aac329d6f6769f53e2c1e0634c26c0855e411b57a21e2b8e49580f190c2aa6104a57198505700c168eb35282aa0fc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8233714-65d6-4133-a5aa-499a0d26d1a6.vbs

Filesize
726B

MD5
6c8c8d8a8412228e08ed8b213b800a2e

SHA1
4009b72c0dd40ba16d8ae506062fec296f6b9344

SHA256
9afd4712d7d54791bbb183c3a69e95a8c5dc810369ac3c00159607863e51ad16

SHA512
b681f1e07b03c747a0250d7aae8a75a925b950e5fa53a347d3a31f32ab0ab11cbb1c67e7d1088acce82150b6a39043c82ac83d23df936fd08aa542620060b60a

Download Submit
C:\Windows\Speech\taskhostw.exe

Filesize
1.6MB

MD5
cd1634a0788a7e0c1120930a46dcceed

SHA1
5e990eda55dd6b4f6001898f8f4d828518d05c9b

SHA256
832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90

SHA512
7c4758fdb7fdc7fe06e542b0e64e245c6dae141b4355458e90fb7a600db94ef0d53cb0b18760833112d1e21e42528b03bce6f6196bbe9fe0aa228803e5ac2335

Download Submit
memory/2540-257-0x0000025FDFF50000-0x0000025FDFF72000-memory.dmp

Filesize
136KB

Download
memory/4456-12-0x000000001C340000-0x000000001C34A000-memory.dmp

Filesize
40KB

Download
memory/4456-10-0x000000001C320000-0x000000001C32C000-memory.dmp

Filesize
48KB

Download
memory/4456-247-0x00007FF97AB10000-0x00007FF97B5D1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-195-0x00007FF97AB13000-0x00007FF97AB15000-memory.dmp

Filesize
8KB

Download
memory/4456-17-0x000000001C590000-0x000000001C59C000-memory.dmp

Filesize
48KB

Download
memory/4456-16-0x000000001C580000-0x000000001C58A000-memory.dmp

Filesize
40KB

Download
memory/4456-15-0x000000001C570000-0x000000001C578000-memory.dmp

Filesize
32KB

Download
memory/4456-14-0x000000001C560000-0x000000001C568000-memory.dmp

Filesize
32KB

Download
memory/4456-13-0x000000001C350000-0x000000001C35E000-memory.dmp

Filesize
56KB

Download
memory/4456-0-0x00007FF97AB13000-0x00007FF97AB15000-memory.dmp

Filesize
8KB

Download
memory/4456-11-0x000000001C330000-0x000000001C33C000-memory.dmp

Filesize
48KB

Download
memory/4456-395-0x00007FF97AB10000-0x00007FF97B5D1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-1-0x0000000000EE0000-0x0000000001082000-memory.dmp

Filesize
1.6MB

Download
memory/4456-9-0x000000001C310000-0x000000001C318000-memory.dmp

Filesize
32KB

Download
memory/4456-8-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/4456-6-0x00000000032A0000-0x00000000032B6000-memory.dmp

Filesize
88KB

Download
memory/4456-7-0x000000001BCE0000-0x000000001BCE8000-memory.dmp

Filesize
32KB

Download
memory/4456-5-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/4456-4-0x000000001C360000-0x000000001C3B0000-memory.dmp

Filesize
320KB

Download
memory/4456-3-0x0000000001870000-0x000000000188C000-memory.dmp

Filesize
112KB

Download
memory/4456-2-0x00007FF97AB10000-0x00007FF97B5D1000-memory.dmp

Filesize
10.8MB

Download
memory/4756-460-0x000000001BB80000-0x000000001BBB5000-memory.dmp

Filesize
212KB

Download