dcrat | 400c24bdb9b7dabfcd9a8a2f137550f338014d833d169c6e6f4252910fb95feb

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e433f395cc3b1c1ccf0cc50a676434.exe
Size

1.6MB
MD5

a2e433f395cc3b1c1ccf0cc50a676434
SHA1

1995c6f844060333376d1cbf7a20bacbc8d713ef
SHA256

259c93890754af6391901806acbdf6215a3f5210cb9a27fa6852f5c0aa73435b
SHA512

a5433232b4cd34e56ead2e7c04ab3290545e7dd93504ceac92b7ce5b090298b31245ac336cae789ec5419abc5d4e00bf6c0111456f5b772aca5e8deeb346be81
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2980	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	2980	schtasks.exe	88

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/2192-1-0x0000000000E20000-0x0000000000FC2000-memory.dmp	dcrat
behavioral12/files/0x00070000000240f3-26.dat	dcrat
behavioral12/files/0x000c000000023f22-45.dat	dcrat
behavioral12/files/0x000c000000024101-68.dat	dcrat
behavioral12/files/0x00090000000240ed-79.dat	dcrat
behavioral12/files/0x000a000000024105-102.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3136	powershell.exe
2456	powershell.exe
2396	powershell.exe
3240	powershell.exe
4956	powershell.exe
2240	powershell.exe
4548	powershell.exe
1060	powershell.exe
4028	powershell.exe
4772	powershell.exe
4848	powershell.exe
4380	powershell.exe
4484	powershell.exe
392	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	a2e433f395cc3b1c1ccf0cc50a676434.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	a2e433f395cc3b1c1ccf0cc50a676434.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 14 IoCs

pid	Process
1164	a2e433f395cc3b1c1ccf0cc50a676434.exe
1668	spoolsv.exe
1072	spoolsv.exe
1496	spoolsv.exe
3736	spoolsv.exe
2188	spoolsv.exe
3780	spoolsv.exe
772	spoolsv.exe
2536	spoolsv.exe
2264	spoolsv.exe
4824	spoolsv.exe
4424	spoolsv.exe
3064	spoolsv.exe
5016	spoolsv.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCX82F6.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\Windows Portable Devices\24dbde2999530e	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX7BBD.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\Adobe\RuntimeBroker.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\SearchApp.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files\Mozilla Firefox\fonts\unsecapp.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\WindowsPowerShell\SearchApp.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\Adobe\RuntimeBroker.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\WindowsPowerShell\38384e6a620884	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX7BBC.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\unsecapp.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX8063.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files\Mozilla Firefox\fonts\29c1c3cc0f7685	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\Adobe\9e8d7a4ca61bd9	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX80D2.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCX82E6.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	a2e433f395cc3b1c1ccf0cc50a676434.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	a2e433f395cc3b1c1ccf0cc50a676434.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4976	schtasks.exe
1312	schtasks.exe
392	schtasks.exe
400	schtasks.exe
2424	schtasks.exe
3140	schtasks.exe
4260	schtasks.exe
2536	schtasks.exe
1604	schtasks.exe
3648	schtasks.exe
1440	schtasks.exe
2056	schtasks.exe
2648	schtasks.exe
880	schtasks.exe
1712	schtasks.exe
4672	schtasks.exe
4928	schtasks.exe
4360	schtasks.exe
4948	schtasks.exe
4964	schtasks.exe
3736	schtasks.exe
2420	schtasks.exe
2876	schtasks.exe
4088	schtasks.exe
4796	schtasks.exe
648	schtasks.exe
376	schtasks.exe
3244	schtasks.exe
3136	schtasks.exe
3812	schtasks.exe
5044	schtasks.exe
8	schtasks.exe
2232	schtasks.exe
1288	schtasks.exe
4996	schtasks.exe
2060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	a2e433f395cc3b1c1ccf0cc50a676434.exe
2192	a2e433f395cc3b1c1ccf0cc50a676434.exe
2192	a2e433f395cc3b1c1ccf0cc50a676434.exe
2192	a2e433f395cc3b1c1ccf0cc50a676434.exe
2192	a2e433f395cc3b1c1ccf0cc50a676434.exe
2192	a2e433f395cc3b1c1ccf0cc50a676434.exe
2192	a2e433f395cc3b1c1ccf0cc50a676434.exe
4772	powershell.exe
4772	powershell.exe
4956	powershell.exe
4956	powershell.exe
3240	powershell.exe
3240	powershell.exe
4380	powershell.exe
4380	powershell.exe
4484	powershell.exe
4484	powershell.exe
2396	powershell.exe
2396	powershell.exe
4848	powershell.exe
4848	powershell.exe
2456	powershell.exe
2456	powershell.exe
4484	powershell.exe
2396	powershell.exe
4772	powershell.exe
4956	powershell.exe
3240	powershell.exe
4380	powershell.exe
4848	powershell.exe
2456	powershell.exe
1164	a2e433f395cc3b1c1ccf0cc50a676434.exe
4028	powershell.exe
4028	powershell.exe
392	powershell.exe
392	powershell.exe
3136	powershell.exe
3136	powershell.exe
1060	powershell.exe
1060	powershell.exe
4548	powershell.exe
4548	powershell.exe
2240	powershell.exe
2240	powershell.exe
392	powershell.exe
4028	powershell.exe
1060	powershell.exe
4548	powershell.exe
3136	powershell.exe
2240	powershell.exe
1668	spoolsv.exe
1072	spoolsv.exe
1496	spoolsv.exe
1496	spoolsv.exe
3736	spoolsv.exe
3736	spoolsv.exe
2188	spoolsv.exe
2188	spoolsv.exe
3780	spoolsv.exe
772	spoolsv.exe
2536	spoolsv.exe
2264	spoolsv.exe
4824	spoolsv.exe
4424	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1668	spoolsv.exe
Token: SeDebugPrivilege	1072	spoolsv.exe
Token: SeDebugPrivilege	1496	spoolsv.exe
Token: SeDebugPrivilege	3736	spoolsv.exe
Token: SeDebugPrivilege	2188	spoolsv.exe
Token: SeDebugPrivilege	3780	spoolsv.exe
Token: SeDebugPrivilege	772	spoolsv.exe
Token: SeDebugPrivilege	2536	spoolsv.exe
Token: SeDebugPrivilege	2264	spoolsv.exe
Token: SeDebugPrivilege	4824	spoolsv.exe
Token: SeDebugPrivilege	4424	spoolsv.exe
Token: SeDebugPrivilege	3064	spoolsv.exe
Token: SeDebugPrivilege	5016	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2456	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	113
PID 2192 wrote to memory of 2456	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	113
PID 2192 wrote to memory of 4484	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	114
PID 2192 wrote to memory of 4484	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	114
PID 2192 wrote to memory of 4380	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	115
PID 2192 wrote to memory of 4380	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	115
PID 2192 wrote to memory of 4848	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	116
PID 2192 wrote to memory of 4848	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	116
PID 2192 wrote to memory of 3240	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	117
PID 2192 wrote to memory of 3240	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	117
PID 2192 wrote to memory of 4772	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	118
PID 2192 wrote to memory of 4772	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	118
PID 2192 wrote to memory of 2396	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	119
PID 2192 wrote to memory of 2396	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	119
PID 2192 wrote to memory of 4956	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	120
PID 2192 wrote to memory of 4956	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	120
PID 2192 wrote to memory of 4700	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	129
PID 2192 wrote to memory of 4700	2192	a2e433f395cc3b1c1ccf0cc50a676434.exe	129
PID 4700 wrote to memory of 2468	4700	cmd.exe	131
PID 4700 wrote to memory of 2468	4700	cmd.exe	131
PID 4700 wrote to memory of 1164	4700	cmd.exe	134
PID 4700 wrote to memory of 1164	4700	cmd.exe	134
PID 1164 wrote to memory of 2240	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	151
PID 1164 wrote to memory of 2240	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	151
PID 1164 wrote to memory of 4548	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	152
PID 1164 wrote to memory of 4548	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	152
PID 1164 wrote to memory of 392	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	153
PID 1164 wrote to memory of 392	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	153
PID 1164 wrote to memory of 4028	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	154
PID 1164 wrote to memory of 4028	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	154
PID 1164 wrote to memory of 3136	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	155
PID 1164 wrote to memory of 3136	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	155
PID 1164 wrote to memory of 1060	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	156
PID 1164 wrote to memory of 1060	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	156
PID 1164 wrote to memory of 2344	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	163
PID 1164 wrote to memory of 2344	1164	a2e433f395cc3b1c1ccf0cc50a676434.exe	163
PID 2344 wrote to memory of 3116	2344	cmd.exe	165
PID 2344 wrote to memory of 3116	2344	cmd.exe	165
PID 2344 wrote to memory of 1668	2344	cmd.exe	166
PID 2344 wrote to memory of 1668	2344	cmd.exe	166
PID 1668 wrote to memory of 2820	1668	spoolsv.exe	167
PID 1668 wrote to memory of 2820	1668	spoolsv.exe	167
PID 1668 wrote to memory of 1548	1668	spoolsv.exe	168
PID 1668 wrote to memory of 1548	1668	spoolsv.exe	168
PID 2820 wrote to memory of 1072	2820	WScript.exe	170
PID 2820 wrote to memory of 1072	2820	WScript.exe	170
PID 1072 wrote to memory of 4760	1072	spoolsv.exe	171
PID 1072 wrote to memory of 4760	1072	spoolsv.exe	171
PID 1072 wrote to memory of 4336	1072	spoolsv.exe	172
PID 1072 wrote to memory of 4336	1072	spoolsv.exe	172
PID 4760 wrote to memory of 1496	4760	WScript.exe	174
PID 4760 wrote to memory of 1496	4760	WScript.exe	174
PID 1496 wrote to memory of 4460	1496	spoolsv.exe	175
PID 1496 wrote to memory of 4460	1496	spoolsv.exe	175
PID 1496 wrote to memory of 3600	1496	spoolsv.exe	176
PID 1496 wrote to memory of 3600	1496	spoolsv.exe	176
PID 4460 wrote to memory of 3736	4460	WScript.exe	180
PID 4460 wrote to memory of 3736	4460	WScript.exe	180
PID 3736 wrote to memory of 3228	3736	spoolsv.exe	181
PID 3736 wrote to memory of 3228	3736	spoolsv.exe	181
PID 3736 wrote to memory of 4816	3736	spoolsv.exe	182
PID 3736 wrote to memory of 4816	3736	spoolsv.exe	182
PID 3228 wrote to memory of 2188	3228	WScript.exe	183
PID 3228 wrote to memory of 2188	3228	WScript.exe	183

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe
"C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PJAVlmCtXs.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2468
- - C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe
    "C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\taskhostw.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTMsHaN7R.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3116
    - - C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        "C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\822e3e3c-50b4-476a-a23f-5b97ce52d405.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01d14966-3923-496b-8e1c-9bf269abdfd3.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cfffbd0-b694-4bda-a202-ec9e4d343147.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d43063a-ef5f-47d0-bce0-f8b37b9e2eed.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cf049f5-656e-4c21-a4ad-5e89804ed1b9.vbs"
        14⤵
        
        PID:3792
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8af58076-690f-4d29-adbd-05c777aee3c1.vbs"
        16⤵
        
        PID:880
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1803c330-3abe-4771-be74-04d4d4ecd7e8.vbs"
        18⤵
        
        PID:3204
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\268901b6-821b-4913-b3cc-9b6824d23b1f.vbs"
        20⤵
        
        PID:1712
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bc1925a-3b22-485d-a038-a383d989b28a.vbs"
        22⤵
        
        PID:4536
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf136e84-5d11-44f2-9ddc-7a552ae8c27b.vbs"
        24⤵
        
        PID:2436
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6087e2-d3e4-48db-aefb-4234435ef9a6.vbs"
        26⤵
        
        PID:1264
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\103f2fef-5e34-4f43-8b99-0621b2072706.vbs"
        28⤵
        
        PID:1352
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        
        C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd3cd506-9cb6-4830-9810-be5b8f7e0233.vbs"
        30⤵
        
        PID:352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb716165-9d0a-4c74-a8a4-63120bd03e53.vbs"
        30⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22e3d8d9-c88d-4d20-802d-1fdb7391009b.vbs"
        28⤵
        
        PID:5096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b172bc1d-a7d3-4245-9831-90d122ca7679.vbs"
        26⤵
        
        PID:3736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4396a136-7d83-4117-ab00-ab25fb5c5ee3.vbs"
        24⤵
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01772b40-94c7-41d4-a80a-8f841ff22bed.vbs"
        22⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b2f4302-cc0f-4a27-b049-f7868b774a8b.vbs"
        20⤵
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97dfd6ef-35c8-433b-a520-6a10b24bfb92.vbs"
        18⤵
        
        PID:648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c3a7189-d35f-479f-bcf1-5c238c2cf1ab.vbs"
        16⤵
        
        PID:452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c34971-f754-4fc2-92b8-18b7ebdb54b2.vbs"
        14⤵
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecd26695-0204-4a55-a4cd-e04f7d9b6776.vbs"
        12⤵
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99213127-634b-485a-ae59-0abb615b4345.vbs"
        10⤵
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8196492e-b159-4c4c-b266-01dd71226e5a.vbs"
        8⤵
        
        PID:4336
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd251840-9515-4198-9a57-bbaba3da67de.vbs"
        6⤵
        
        PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\Templates\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Cookies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\RuntimeBroker.exe

Filesize
1.6MB

MD5
b2d6c3c6955780f585ef06c197561c27

SHA1
7692115abc5572c621adff0825cd2aa4dbedca57

SHA256
c5f35e7b201e1578fc39a1941de49584b5510e7074536b8b015a0a661a9b54b7

SHA512
3e033845a6b740029170b84dcde94c9b79f59bbaace17ff86aaeb14369dc2b78f73ce29bf6e8dbef20a3a2fad2885d1b661510f81d7fbbe137131f8d196816a2

Download Submit
C:\Program Files (x86)\WindowsPowerShell\SearchApp.exe

Filesize
1.6MB

MD5
a2e433f395cc3b1c1ccf0cc50a676434

SHA1
1995c6f844060333376d1cbf7a20bacbc8d713ef

SHA256
259c93890754af6391901806acbdf6215a3f5210cb9a27fa6852f5c0aa73435b

SHA512
a5433232b4cd34e56ead2e7c04ab3290545e7dd93504ceac92b7ce5b090298b31245ac336cae789ec5419abc5d4e00bf6c0111456f5b772aca5e8deeb346be81

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\unsecapp.exe

Filesize
1.6MB

MD5
4e8552f2a29b5efca16352e416ad7ee4

SHA1
09cc58339c12ea88ebafa2a43ac0df497060ec77

SHA256
b3af9c2b879fb2226f253b82b943402e5f7a56eb3c26556d6e91a42644f78ddb

SHA512
e6b0a111db7e94ff8fde33aa9bda44b359268af9ed3e8c30a39b5799c77975241e9da344a9b02be1ef4745df6543e10a4f2b061c15e58402cd98cae98c5ba502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a2e433f395cc3b1c1ccf0cc50a676434.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c79cf713064165d9921621736789b679

SHA1
4d8b3c69ddab8dd528496de06ce7e6e6c2758389

SHA256
6de25d006efb9912c4460725c3ff494adc8585749971235d743dae6cb568068e

SHA512
22dbec206c054253a245c7eac9cbfa4d62b49a11b02adea88b6dc8e1ee4243d46e8f61efa5374d43260ff686dbd3c769b7e14bbc6d5fb2f8999f258a904a04a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08bb0c2688fc08624e11a31024e29947

SHA1
dab0789759282767104987fa06d6acd5ed8bc616

SHA256
d96effa05d39e4fb1e83f96a753616c0a26559acaa8415d7087a41ca091f42c4

SHA512
30afdd978294eded7257fe8bb3538fd491572ad265498a8764d1a09d7255ad3b352ec3384770f50f97e180b0107eb24318d164c3751256c330a3478e4366999a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
19c1c95807d53fcb88e1e2289e645f0b

SHA1
832c029a7433b229e66296b6f8a4ba56b0246298

SHA256
73f393ffbdb24758131fa51669790c37ed233802f1ed85f7bdfd058e0b5fb83f

SHA512
f528e937baf51c0b85aa25277bd8d12a10e5f8a78187b32eaaacd0dfceba6f3bf90cf21945e299f52fe1110e48ebabe1a8df868e94a72d8899e7f4f49848aa71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
672e8b21617ca3b368c6c154913fcfff

SHA1
cb3dab8c008b5fba2af958ce2c416c01baa6a98b

SHA256
b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec

SHA512
98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1e3c555747900d8c9652a014303474aa

SHA1
1b2057ff00b20996fe74977d7e336be9d4625283

SHA256
6a419c7390f12be16e2d1e752539a2a429f41e35ce0381bee1d824571769e2f1

SHA512
067ea6a394f54acfc44d64fdf11463a74cb5d6bba3fe253e7625455754c528bd678fd1c679e949e928b7fc11b563c256b0b0e33474f7c58eb0735d7aacd3232d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c9ba33cd48817e01f6a1c06b918a431

SHA1
e42d1708845b94d14461bd8b11f2b3f75bf21920

SHA256
e9a7789e19d87cec0d3f5d50630fb9cc571f6fc0a665501f217c4773a97f6bdb

SHA512
d920cb972abcf232f6575f45efa422a116f396f2351616c908df13731a3372f1fce1cab4286251c9afdcbd3d9dacdd9e17e26a2e11a5bfa76723ff3ec7d21f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b4b6d4cc52b5a3a71149b1f33d94d5de

SHA1
97d3dbdd24919eab70e3b14c68797cefc07e90dd

SHA256
da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe

SHA512
fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
104B

MD5
57e2dd15f07fea1e98925ddb2759d22e

SHA1
911ea3bd14d5ba50dcdc42c305f45c35a23635b5

SHA256
a74365e75520bf4f1c11b9939c879fd0b20aef110b3fb61996d320c5ed518e02

SHA512
c53fc6d5047d342879c1356ba661dfa8349f449b14a21eaf49eec2b453ca207c3c577bf2ac8d219d1258c6be2c9b1941874dce9a2d86d265921d1c1845683670

Download Submit
C:\Users\Admin\AppData\Local\Temp\01d14966-3923-496b-8e1c-9bf269abdfd3.vbs

Filesize
723B

MD5
315d69ac6924cb9d509f1d0b1721dc4c

SHA1
bbf1e9ad084818533c2346d489353108509f7977

SHA256
a1f9a7b733af51adcb5dc3db77ed37fcf52ef3032cb85f87f5dcd0239e1019f0

SHA512
8990476a70734ee9a92d7363112728d8abd4d23b86cdfd29a1e929dd7e9ecf83ef8e395923daf431685af282c3a05c2985161554d062e791ed1645063957249f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cf049f5-656e-4c21-a4ad-5e89804ed1b9.vbs

Filesize
723B

MD5
98ec6cdc26a90def9f283045441ceb7d

SHA1
7fad80acc736751add72b4e5b678ae13f9ca85e4

SHA256
eab04fcdb41d1fd7d1851ba41cdae29e162d1c93bd58979fdcc61c8278fa5c32

SHA512
0cfb27ff57fdb1e7de994fbd311358e14c4e6ad7165f39efcefb71bfefad4f8b80c4afbe06d4d99d1e7e4d8dfde622776e2df62eac44449dfd772f9f953412ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d43063a-ef5f-47d0-bce0-f8b37b9e2eed.vbs

Filesize
723B

MD5
6a768b252a5c23a51868b3ecf6f6f72a

SHA1
7137a9e13fd85bee566d4b943a151a2f7cc428aa

SHA256
92e9d107c54760b18c4b7aaa6958fe4deac4662dd7fe48630f3b76156f1d8afc

SHA512
eb1ae650cff9cfbf6867154afcea5c8ebc6c3db5c0b33a6c90435e4654b78ad92b60e7743192a5daa52d4150840f56aaa3088dfa9b8f8f0ad456881723869e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTMsHaN7R.bat

Filesize
212B

MD5
e9d490941023acc48639e874013eac71

SHA1
f0158f641dbe7d4412e1156d969c2abfb3544d73

SHA256
d9423c52deedcae530560ccfad9b060ec9f1e5fd84615fdd5e3923348cb1e044

SHA512
aa8dc45a2c7b6d80a5f3c29086fd97c42f15bfc15fb9e046bb192f0712d25526e565952250c5b64883250a4a34f3e8b021b0dbb28974e9f560b4fdf1909c44f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1803c330-3abe-4771-be74-04d4d4ecd7e8.vbs

Filesize
722B

MD5
936d9f0898e2c474ac7700a396ceccdd

SHA1
2eb9532329a800282b782995b047c5f82e8bb68a

SHA256
fa96e9c6e559b32d97d2d22f3560677a7c609052e5cf7ac60bbcb936845a5088

SHA512
b4b87c3a12f09c6247d3b650e857ab11c07eca97bacaef57667aeba775135e868a3e945cf9bd9bd3f110de1253c80aae6471fd197f493c0192b9a812791ae344

Download Submit
C:\Users\Admin\AppData\Local\Temp\268901b6-821b-4913-b3cc-9b6824d23b1f.vbs

Filesize
723B

MD5
2468947a962d413e6a7e89a833118101

SHA1
b5af71005edda131bf93d3ab6c9cac297eff4920

SHA256
2a0b3398f5c6b3231a1f0b899444f1fce44e46403a6ba23014768ef18998ea2b

SHA512
c0b3397ca5f13abf18a0902d544ea6dcbd6436c5ffae61c9d2e45e8d24eba046e2e5c00c537118a2345db020ee3da0913ac028bfe2dc2c66df30d98b5440c685

Download Submit
C:\Users\Admin\AppData\Local\Temp\7cfffbd0-b694-4bda-a202-ec9e4d343147.vbs

Filesize
723B

MD5
6cc43479a9fc5d7de73541c336db822b

SHA1
3be6e9f105c8e08f0ccde329523faeed97eaa83e

SHA256
30c557102d4d3bf7ba08ff7d26d3cb90163cc5e334d20dc8c2f3e883106aadc1

SHA512
86fcdeef0489b4a8bfd2cc9bfaa3930ed78481c9c4d048fb674debecab66876c7c9eca991cfd608350b7a6197f220ca518304a8c1e76f88ee9310e95ebf52f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\822e3e3c-50b4-476a-a23f-5b97ce52d405.vbs

Filesize
723B

MD5
895ff9f380e1535ee7368a36168f54ec

SHA1
15c50987753bc3ca8f61ae200d6c61305756a21f

SHA256
9811b5819a48a19a6dc00a465dd7e56901fed72b4ed74bf2be729b1c3baf6272

SHA512
1ead5e61c38c8de562b0ee8ff5a7ba1fc757fefe46134c5a3159cf55dabae27622f6a50b6b4f3fd3f1182c1d4423d1ba7ac4756ee932e35e8d078fba6518bdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8af58076-690f-4d29-adbd-05c777aee3c1.vbs

Filesize
723B

MD5
1ded6184542e962bfd77984889c4fa3a

SHA1
888e0a62107d7c88b0b6a1fc8abae7966b830d04

SHA256
23a7a0d9082ab61c7cc0ce1a6538ab7317851202627790b614a5e71ce6058321

SHA512
093015b4d55d0e7b65e38bdef0bbd3eef2e269c6b3513e0abd3bde17be35f247468e7a404cfba3da357d2c5c8d03f2139a3feac7bb6ba56de52c7ae621e9349c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bc1925a-3b22-485d-a038-a383d989b28a.vbs

Filesize
723B

MD5
7162ed34b948eb99b0270f2f764f324d

SHA1
1e6c2857c12ef8ecf2dc409677b6595e7f870fe8

SHA256
6eb2ae196743d6e6d535389685020444a147766b2e95c3a5e4c221ae16b60461

SHA512
84cec554714ac656d345eb8a7c40ab90f49549ace8c2325a74aaf00fd81cbbc282c1fde41729b2c0e2a9217a3bebb95146707d87a4124d7c868f97b0aa06d4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJAVlmCtXs.bat

Filesize
235B

MD5
683816ef2b7879755b6562972548706f

SHA1
3ee841ab76f83b12a5fcf35c21e874614fe22ba8

SHA256
e5b96e3f005797a691b1135b0e863fd09a6a5df5e924d27d5db15ec5089f4ae5

SHA512
2f241937f6b8777a525bc232380db52d03d00cb0cbfef8112158d6f89dc423be08407919464b6b7e7659694caa22e9286b2c97db9859dfc2ca4ae3189d1e2c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nerjbqfh.tjg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd251840-9515-4198-9a57-bbaba3da67de.vbs

Filesize
499B

MD5
9fc3d2097c15ef9e5e74f90f63adb1cb

SHA1
3522ae0363218bd56c38e8391cbf319e3f61bdaf

SHA256
de4d30f78c952fc21f7d57267fc6ff283dfbd711c17eab2e41227a374af28397

SHA512
10fe919623d90fe811de720340ee15121f7516efd5311e911ab7c4b9f7b7a9426045fc24b65f58f63541f6913b40f73ea83865fa51cb71b5e3427b17ee70ea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf136e84-5d11-44f2-9ddc-7a552ae8c27b.vbs

Filesize
723B

MD5
9cc16ced264a657b0b34725e47ecdfd7

SHA1
fc27a3bfed904963c45355b2eeac1584dc324076

SHA256
578d16d33327d5582ef9294b6aac32cf0f6121bbea8fdfc43ae695bdfbe7ce7e

SHA512
1cd3ee5ababe8a8d0f0dd183d53230fc3a49f2a8e0e5c00bf88f3da4732c7890fc157ba3cde772e7df0b6b450a885053e6e79e6d0be3fda928760605655b9770

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd6087e2-d3e4-48db-aefb-4234435ef9a6.vbs

Filesize
723B

MD5
ee44808a2ef8dc41d4323a5f141d1300

SHA1
f4dea4218293864b271fd5ef4acd9beccd2ddfd0

SHA256
728233cfe0f003001caa7771cbb84e75315d8d9cd7eb4aaf3f7c07f5778b2bb5

SHA512
31aabe5c542da612a5097197470ac16240068edb1b7afba0a4a00b52280c04153ac8b1707a2d1e3cbaf9c279d22391b9b2a855b0327f7ff677fbe6a5a1f51ece

Download Submit
C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\spoolsv.exe

Filesize
1.6MB

MD5
18839b869da2dd4e61cc81f8d948ea0b

SHA1
40a74572af29c676b3cbea3fbc076177545a1864

SHA256
887aeeebe0a2eac1b68c23d844e0574c7fa88a48f1e4fd84cf3a0b246b5ac2bf

SHA512
043296f195e298e4a2d61e50a8703a7f3146dc3d1ee6b8adc767cd60e8c3888ce496d128eec951f1b75cc67e69beefc21a78623c2ec38645b46be71bf444f353

Download Submit
C:\Users\Default\Saved Games\spoolsv.exe

Filesize
1.6MB

MD5
63db8dbe12a7dbf6211c317c4a8c4170

SHA1
81d258cc18f1eb3409c3a761b22f15d951bd9b6a

SHA256
17f11b3c0cbabf66b5abb26b2da41d2ba324b69ac0fe0f2b003a6fa8e678ee5c

SHA512
43b4b46229fa735e641258a37794c8704aa4ef50af3071d3d229952336a25420f802d58fe27ef09d4b053ac17e53922794293f323b0b17d4dacd5f9f7160e82f

Download Submit
memory/2192-16-0x000000001C4B0000-0x000000001C4BA000-memory.dmp

Filesize
40KB

Download
memory/2192-11-0x000000001BC50000-0x000000001BC5C000-memory.dmp

Filesize
48KB

Download
memory/2192-1-0x0000000000E20000-0x0000000000FC2000-memory.dmp

Filesize
1.6MB

Download
memory/2192-12-0x000000001BC60000-0x000000001BC6A000-memory.dmp

Filesize
40KB

Download
memory/2192-13-0x000000001BC70000-0x000000001BC7E000-memory.dmp

Filesize
56KB

Download
memory/2192-14-0x000000001C490000-0x000000001C498000-memory.dmp

Filesize
32KB

Download
memory/2192-17-0x000000001C4C0000-0x000000001C4CC000-memory.dmp

Filesize
48KB

Download
memory/2192-15-0x000000001C4A0000-0x000000001C4A8000-memory.dmp

Filesize
32KB

Download
memory/2192-0-0x00007FFF9F3E3000-0x00007FFF9F3E5000-memory.dmp

Filesize
8KB

Download
memory/2192-133-0x00007FFF9F3E0000-0x00007FFF9FEA1000-memory.dmp

Filesize
10.8MB

Download
memory/2192-9-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/2192-10-0x000000001BC40000-0x000000001BC4C000-memory.dmp

Filesize
48KB

Download
memory/2192-4-0x000000001C290000-0x000000001C2E0000-memory.dmp

Filesize
320KB

Download
memory/2192-6-0x00000000017C0000-0x00000000017D6000-memory.dmp

Filesize
88KB

Download
memory/2192-8-0x000000001BC20000-0x000000001BC30000-memory.dmp

Filesize
64KB

Download
memory/2192-7-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/2192-5-0x00000000017B0000-0x00000000017C0000-memory.dmp

Filesize
64KB

Download
memory/2192-3-0x0000000001780000-0x000000000179C000-memory.dmp

Filesize
112KB

Download
memory/2192-2-0x00007FFF9F3E0000-0x00007FFF9FEA1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-132-0x000001F17F6B0000-0x000001F17F6D2000-memory.dmp

Filesize
136KB

Download