dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Size

1.6MB
MD5

66d07aba299e88d9fd0562bdde9ef487
SHA1

3187acda67ed22501f39f2b436d064faf9464045
SHA256

d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914
SHA512

64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6032	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5820	4544	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4544	schtasks.exe	88

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/memory/3428-1-0x0000000000460000-0x0000000000602000-memory.dmp	dcrat
behavioral4/files/0x0007000000024296-26.dat	dcrat
behavioral4/files/0x0009000000022b81-97.dat	dcrat
behavioral4/files/0x0005000000022b87-106.dat	dcrat
behavioral4/files/0x0005000000022b8e-119.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
4624	powershell.exe
4780	powershell.exe
4256	powershell.exe
2508	powershell.exe
2736	powershell.exe
3784	powershell.exe
2480	powershell.exe
1284	powershell.exe
4200	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 15 IoCs

pid	Process
1972	backgroundTaskHost.exe
4204	backgroundTaskHost.exe
4812	backgroundTaskHost.exe
5588	backgroundTaskHost.exe
5200	backgroundTaskHost.exe
3036	backgroundTaskHost.exe
5580	backgroundTaskHost.exe
3476	backgroundTaskHost.exe
5852	backgroundTaskHost.exe
1828	backgroundTaskHost.exe
2456	backgroundTaskHost.exe
3976	backgroundTaskHost.exe
5672	backgroundTaskHost.exe
2408	backgroundTaskHost.exe
3948	backgroundTaskHost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\edge_BITS_4664_724051295\RCX6E73.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX7830.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\edge_BITS_4664_724051295\9a627ef98702ab	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX7831.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\29c1c3cc0f7685	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\RCX6A39.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\RCX6A3A.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\edge_BITS_4664_724051295\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Program Files\edge_BITS_4664_724051295\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Program Files\edge_BITS_4664_724051295\RCX6EF1.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\sppsvc.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\Web\Wallpaper\Theme2\eddb19405b7ce1	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File created	C:\Windows\Boot\EFI\sr-Latn-RS\SppExtComObj.exe	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\RCX6824.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\RCX6825.tmp	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1644	schtasks.exe
4728	schtasks.exe
4732	schtasks.exe
4684	schtasks.exe
3720	schtasks.exe
4060	schtasks.exe
4672	schtasks.exe
5820	schtasks.exe
4768	schtasks.exe
3000	schtasks.exe
3944	schtasks.exe
4700	schtasks.exe
4140	schtasks.exe
748	schtasks.exe
4840	schtasks.exe
4760	schtasks.exe
4496	schtasks.exe
1064	schtasks.exe
3796	schtasks.exe
4648	schtasks.exe
4876	schtasks.exe
1764	schtasks.exe
376	schtasks.exe
4812	schtasks.exe
6032	schtasks.exe
3728	schtasks.exe
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
4624	powershell.exe
4624	powershell.exe
4200	powershell.exe
4200	powershell.exe
3784	powershell.exe
3784	powershell.exe
2740	powershell.exe
2740	powershell.exe
2736	powershell.exe
2736	powershell.exe
4780	powershell.exe
4780	powershell.exe
4256	powershell.exe
4256	powershell.exe
1284	powershell.exe
1284	powershell.exe
2508	powershell.exe
2508	powershell.exe
2480	powershell.exe
2480	powershell.exe
4780	powershell.exe
3784	powershell.exe
4200	powershell.exe
4624	powershell.exe
2740	powershell.exe
4256	powershell.exe
2736	powershell.exe
1284	powershell.exe
2480	powershell.exe
2508	powershell.exe
1972	backgroundTaskHost.exe
1972	backgroundTaskHost.exe
4204	backgroundTaskHost.exe
4812	backgroundTaskHost.exe
5588	backgroundTaskHost.exe
5588	backgroundTaskHost.exe
5200	backgroundTaskHost.exe
5200	backgroundTaskHost.exe
3036	backgroundTaskHost.exe
3036	backgroundTaskHost.exe
5580	backgroundTaskHost.exe
5580	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1972	backgroundTaskHost.exe
Token: SeDebugPrivilege	4204	backgroundTaskHost.exe
Token: SeDebugPrivilege	4812	backgroundTaskHost.exe
Token: SeDebugPrivilege	5588	backgroundTaskHost.exe
Token: SeDebugPrivilege	5200	backgroundTaskHost.exe
Token: SeDebugPrivilege	3036	backgroundTaskHost.exe
Token: SeDebugPrivilege	5580	backgroundTaskHost.exe
Token: SeDebugPrivilege	3476	backgroundTaskHost.exe
Token: SeDebugPrivilege	5852	backgroundTaskHost.exe
Token: SeDebugPrivilege	1828	backgroundTaskHost.exe
Token: SeDebugPrivilege	2456	backgroundTaskHost.exe
Token: SeDebugPrivilege	3976	backgroundTaskHost.exe
Token: SeDebugPrivilege	5672	backgroundTaskHost.exe
Token: SeDebugPrivilege	2408	backgroundTaskHost.exe
Token: SeDebugPrivilege	3948	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2736	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	123
PID 3428 wrote to memory of 2736	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	123
PID 3428 wrote to memory of 4200	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	124
PID 3428 wrote to memory of 4200	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	124
PID 3428 wrote to memory of 1284	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	125
PID 3428 wrote to memory of 1284	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	125
PID 3428 wrote to memory of 2480	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	127
PID 3428 wrote to memory of 2480	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	127
PID 3428 wrote to memory of 2508	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	129
PID 3428 wrote to memory of 2508	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	129
PID 3428 wrote to memory of 4256	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	130
PID 3428 wrote to memory of 4256	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	130
PID 3428 wrote to memory of 4780	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	131
PID 3428 wrote to memory of 4780	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	131
PID 3428 wrote to memory of 4624	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	132
PID 3428 wrote to memory of 4624	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	132
PID 3428 wrote to memory of 3784	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	134
PID 3428 wrote to memory of 3784	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	134
PID 3428 wrote to memory of 2740	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	135
PID 3428 wrote to memory of 2740	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	135
PID 3428 wrote to memory of 1972	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	143
PID 3428 wrote to memory of 1972	3428	d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe	143
PID 1972 wrote to memory of 3260	1972	backgroundTaskHost.exe	145
PID 1972 wrote to memory of 3260	1972	backgroundTaskHost.exe	145
PID 1972 wrote to memory of 4480	1972	backgroundTaskHost.exe	146
PID 1972 wrote to memory of 4480	1972	backgroundTaskHost.exe	146
PID 3260 wrote to memory of 4204	3260	WScript.exe	148
PID 3260 wrote to memory of 4204	3260	WScript.exe	148
PID 4204 wrote to memory of 1700	4204	backgroundTaskHost.exe	149
PID 4204 wrote to memory of 1700	4204	backgroundTaskHost.exe	149
PID 4204 wrote to memory of 2120	4204	backgroundTaskHost.exe	150
PID 4204 wrote to memory of 2120	4204	backgroundTaskHost.exe	150
PID 1700 wrote to memory of 4812	1700	WScript.exe	151
PID 1700 wrote to memory of 4812	1700	WScript.exe	151
PID 4812 wrote to memory of 4644	4812	backgroundTaskHost.exe	152
PID 4812 wrote to memory of 4644	4812	backgroundTaskHost.exe	152
PID 4812 wrote to memory of 5016	4812	backgroundTaskHost.exe	153
PID 4812 wrote to memory of 5016	4812	backgroundTaskHost.exe	153
PID 4644 wrote to memory of 5588	4644	WScript.exe	160
PID 4644 wrote to memory of 5588	4644	WScript.exe	160
PID 5588 wrote to memory of 2808	5588	backgroundTaskHost.exe	162
PID 5588 wrote to memory of 2808	5588	backgroundTaskHost.exe	162
PID 5588 wrote to memory of 5568	5588	backgroundTaskHost.exe	163
PID 5588 wrote to memory of 5568	5588	backgroundTaskHost.exe	163
PID 2808 wrote to memory of 5200	2808	WScript.exe	168
PID 2808 wrote to memory of 5200	2808	WScript.exe	168
PID 5200 wrote to memory of 5692	5200	backgroundTaskHost.exe	169
PID 5200 wrote to memory of 5692	5200	backgroundTaskHost.exe	169
PID 5200 wrote to memory of 380	5200	backgroundTaskHost.exe	170
PID 5200 wrote to memory of 380	5200	backgroundTaskHost.exe	170
PID 5692 wrote to memory of 3036	5692	WScript.exe	171
PID 5692 wrote to memory of 3036	5692	WScript.exe	171
PID 3036 wrote to memory of 6044	3036	backgroundTaskHost.exe	172
PID 3036 wrote to memory of 6044	3036	backgroundTaskHost.exe	172
PID 3036 wrote to memory of 860	3036	backgroundTaskHost.exe	173
PID 3036 wrote to memory of 860	3036	backgroundTaskHost.exe	173
PID 6044 wrote to memory of 5580	6044	WScript.exe	174
PID 6044 wrote to memory of 5580	6044	WScript.exe	174
PID 5580 wrote to memory of 4604	5580	backgroundTaskHost.exe	175
PID 5580 wrote to memory of 4604	5580	backgroundTaskHost.exe	175
PID 5580 wrote to memory of 4676	5580	backgroundTaskHost.exe	176
PID 5580 wrote to memory of 4676	5580	backgroundTaskHost.exe	176
PID 4604 wrote to memory of 3476	4604	WScript.exe	177
PID 4604 wrote to memory of 3476	4604	WScript.exe	177

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe
"C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4664_724051295\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
  "C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c305122-b0a7-4d3a-b86b-f004d779910e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
      C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4a4ea16-3ea9-4d60-933c-69a3b801b26e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b04a94f-dfcc-41c5-976f-900eb45e1ee6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a03074ef-967e-4bf9-8fa9-fcc5dd51ce2e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b75a66fc-cc12-40b5-a63b-eb076f266224.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5692
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f5dd1d6-6a12-4722-adba-21933f12ee54.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:6044
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aea5545-88ef-463f-9fe6-7f6216d8ec7b.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1dd85be-f2af-4d46-89be-b1f9e62b59c3.vbs"
        17⤵
        
        PID:2404
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e97ac511-3e1d-43db-864e-3d562c5a1f0d.vbs"
        19⤵
        
        PID:2664
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\247845e8-619d-46d6-88fb-3bfe0a6ccdc5.vbs"
        21⤵
        
        PID:3244
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b58dbfc-eb8e-490a-ab5e-e4aeefdf68ae.vbs"
        23⤵
        
        PID:1060
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9cc4dc0-ed17-4f0d-9879-304ccf886bb9.vbs"
        25⤵
        
        PID:6132
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba4d1bd3-52f9-470f-b8af-14d690ce8d20.vbs"
        27⤵
        
        PID:4320
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47df2a4a-99a2-4b4e-ac79-1dee943a275b.vbs"
        29⤵
        
        PID:2748
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        
        C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\010acad8-eff6-49f8-b65f-313937fbf8dd.vbs"
        31⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f67691c-5f6f-4a69-a333-7b1da2500811.vbs"
        31⤵
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb3c0970-44b3-4cd7-8e75-548ab410cb99.vbs"
        29⤵
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df4f721c-d86a-4bc9-824c-48c6099fa76d.vbs"
        27⤵
        
        PID:5504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f4d9354-8ac8-44a9-8e06-136efdc998b5.vbs"
        25⤵
        
        PID:4000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b421764-2ee8-428c-940a-726d87f9055e.vbs"
        23⤵
        
        PID:3888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7d4564a-0a34-4c98-af6c-c6b814ec2260.vbs"
        21⤵
        
        PID:4496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc42fb50-f260-40cc-9516-4c32ce258b56.vbs"
        19⤵
        
        PID:5784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\451d66df-e7bc-49bb-b4f9-362e0c40b2b5.vbs"
        17⤵
        
        PID:4828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1363e32f-8cb2-4beb-8ee1-c69805f0ad05.vbs"
        15⤵
        
        PID:4676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28d7d3d7-e5c8-4089-923f-e2742ec6d8ed.vbs"
        13⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dce0d179-4af6-4bc9-a400-c236dfb4d410.vbs"
        11⤵
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b777b76-8290-41ef-90a5-4b6d8f3cfdc4.vbs"
        9⤵
        
        PID:5568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508b946d-40c5-4f6b-a634-16cdee3e07d1.vbs"
        7⤵
        
        PID:5016
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ba6d552-9c7e-41d1-ab86-6f5da089fc4b.vbs"
        5⤵
        
        PID:2120
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec16bafc-675f-460b-9883-e617f818a9f8.vbs"
    3⤵
    PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Theme2\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4664_724051295\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4664_724051295\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914d" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4664_724051295\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe

Filesize
1.6MB

MD5
f24cd98516effa4536e1e9b6b7a6d5c4

SHA1
d29c5a1fbce20ea2866b1e6319fa103450105c1f

SHA256
c493a87075ee3c939376071edef6894e2fc7c351d31fab8200803d6230137b9c

SHA512
a08e5f81346f232afdd245eb5e63f8f6ab776f197c2195c81d6970626e41c2a00947c539bf31bbf373281c908ae3e726c7bb18cda7f9498e7bea870995b56d0b

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe

Filesize
1.6MB

MD5
d8aad9072757a45e9044a3fd452f03b0

SHA1
75b25cd43b0356aa418b4e10dec3d6d8e2569a55

SHA256
3dcce2479bbff8d826c5fc6f4861901fe877d0ee397ac1cbd23ec12e80b2b28a

SHA512
a8f44fa08928037a8b77efaa59ec171a80fcf9c6219ab9128bdd3d94d5ec9baf96dce26c7a002d548d644a78668937c146783a9ab03f3aa0ec44198373c4d383

Download Submit
C:\Program Files\edge_BITS_4664_724051295\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Filesize
1.6MB

MD5
66d07aba299e88d9fd0562bdde9ef487

SHA1
3187acda67ed22501f39f2b436d064faf9464045

SHA256
d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914

SHA512
64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875

Download Submit
C:\Program Files\edge_BITS_4664_724051295\d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

Filesize
1.6MB

MD5
d023915db1cca1380360c0383fa255db

SHA1
2c87d8d232b5159bd9cfbeeaebafb400035a6da7

SHA256
3cc70ca654600f25a9a3727eded2e05588d3b968a6e85bd925eb61892e5be53b

SHA512
ddc202616c08526836323b218f21cb58728dc0bbc93333411c6dc51a825f63966487bb70fd1fce461a06b0923ef6b445767c4ea22925f2914f0887dae3cc855f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4552709998d20ebebb7d79b1e2caba85

SHA1
a136173b2c02a5c678afbfb05d859dcf7fce5e73

SHA256
e96edbb0c4584421178d50c77bb16d7fe8b3839c357c170268dc13c00e8bb435

SHA512
53f623fa2780ceead709084e842a38f01ae921223e2bff2a97e45ad4a792c73e7370e97da4d323a5b857bf446e3295b6422ffa2dbaf68d34a65ebf6751d7d83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efd2dfedf7e67764ce4dc0c1475d5543

SHA1
be775a500ecf6c234153afad0b8ec07e56ad74fa

SHA256
662c4f869810ea7f43ce3ccbeccc5b80c443161c56a346fb9054fb1fa613a7ad

SHA512
b167fa92f6d63b18e6247445b1c532a2a229a0fc6dcd26c9d1526749f80c7ec01524b7ce497ab94a3df814f9ce4b7394d872d85555323ddcd08798d565f3211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0bd0ba1b6d523383ae26f8138bac15f

SHA1
8d2828b9380b09fe6b0a78703a821b9fb8a491e5

SHA256
a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1

SHA512
614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
92b2deffd5900b3c60f9e6737bc5b67d

SHA1
6ce9b13b44a2d7f5635f909b0bb177ea60dd8d06

SHA256
780876a6d4beab15e3264f97a68092540e927c1a24250a03068c4374d57d0906

SHA512
4658231390e04649f6b393abb54d0b2a68771731ef3780207139d0a66a73e866f70dc4e6a0bc9a92e7e78ea01667c68263a001a0f275087a403afd11a80ee27d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1b2770b6e93963548483b9857a191b12

SHA1
da1f36e92f6f116ea4d6300b279be899ed6413a8

SHA256
4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b

SHA512
6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f5dd1d6-6a12-4722-adba-21933f12ee54.vbs

Filesize
730B

MD5
c82847275fed391c2b6900b3cb271842

SHA1
e1fe5c78484f7e37d498bf1672be03e4573c8d6c

SHA256
eb524d5523f657ae9081e91793868b8830d636a3e2fb91d6a822292e1b3e7b00

SHA512
6404eb12afc24f1f3948535049402429a287f42e1b5f5c0c5ab6af439746fd739e843e419d3c40a0c4e15059bbb3d7e6d38e8eb36c13be2c4a430a4f3e13fc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\247845e8-619d-46d6-88fb-3bfe0a6ccdc5.vbs

Filesize
730B

MD5
ba45a8ec43cfdeee268bb77fa84a0f03

SHA1
84ddebf3c24d39218ca71d26841e41630e124876

SHA256
3e195b306fd4370b7c715153278b46bdd319966be65a1f7e0588b3b60415086d

SHA512
847fe28c5bef96f5f3da0a2397610f914692a46eaafc533527f93e211d850350ecf982df8923fb300cc52c6bcdef5426fa0b314ee853ab86e9c1184638d02b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b58dbfc-eb8e-490a-ab5e-e4aeefdf68ae.vbs

Filesize
730B

MD5
3eb570f7bc6622a084b8610c996b5af5

SHA1
151f8d916e2711fb357914e71686d719c891d99f

SHA256
76490cfd72a46ef7caa1fa24872d7ddd1b9b8439ff507e77f113b1869a74ec43

SHA512
3b9e96d77e2f0814bd30dd1ab5ee0b2cb5c7173b3afab75d4649132b1c7823e65faf4368903e664e7ad4f238e43bd7d7c2fef928d1c089a435966839ba238f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aea5545-88ef-463f-9fe6-7f6216d8ec7b.vbs

Filesize
730B

MD5
0372b9bdb50494c673929511e5e74d6d

SHA1
d46acff1094a808d469481dde1e48330f3018a01

SHA256
00491078d15aa18761d1c21531972b15203100f346d8a088be54bbe3389282f5

SHA512
bbc9ca5ece21c777c9800b3c2f6e1d1b090d5c4a2b1a3c9f570fa792d740c59ed866124b8951595c6f2bf857600f3049877ec278ef104252a0dee6b7fa59da6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b04a94f-dfcc-41c5-976f-900eb45e1ee6.vbs

Filesize
730B

MD5
09587e97eb62e32d56d4e78abc0ede4c

SHA1
b79f9cbb1d059b9486b5e6964e81a05864eaaf69

SHA256
0e3e1450f6044316b1121d335e3fb40f2142e51e3583c0d9f7a6e7210e039b44

SHA512
de6b60375938e49aa08c3d9007a3f7477c7de57267ed6f4417b1458b4effbd1b067708eb66e91f8dd52b3e6d1c31455bd0bb4b24335874a2fe14def7165f400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c305122-b0a7-4d3a-b86b-f004d779910e.vbs

Filesize
730B

MD5
05aeec7a1a2941f748ed63170b2b7fbd

SHA1
cdb3404b718874f6a006c441448ee134d2efad60

SHA256
61a430681b5d96db26d4d3023de778b523c26c3a1fd38cff7dbf33dbb910dcb0

SHA512
c9822f68ddc6f6672183be9e0aeb1f1bf0477f1aed8147c3f72f6d9e368582a6823218f5a212f8b895d3e4a6c7f876675bc9045ad3b1ad92df45671154821b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwzsxnmz.uxa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a03074ef-967e-4bf9-8fa9-fcc5dd51ce2e.vbs

Filesize
730B

MD5
38a850a5c99008b4a9af53da4f36dbee

SHA1
f13a157d9653c96615a7466d3be75cb936c151f3

SHA256
44c655abf35d26803fa4c1f40b55ece8f8b29dff7eefed2d12e010c203c01334

SHA512
ad66441d5c23124c3f5ccf530c65cc68505ce3fd0bdde358bee8c5b44061d1e6c194fdfb579d2ce0775fa10ab9face2495fa58d6430c122e828d417b940c6cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b75a66fc-cc12-40b5-a63b-eb076f266224.vbs

Filesize
730B

MD5
d4ead17d600ae3a91ccb7974d5b9fd5f

SHA1
5fbaa2042c95333fdd8ffb0ba467a8d02eb6f2bf

SHA256
46b8050811ace940fc6f444006b301c427acf29db4f46ffcb62ecefaf3a9b3b0

SHA512
0db5dcb7a6f2cd06f71b4453ed41bb8a226477788a442b4b9b5f5eb99fe19cb85b8c12ee6af50563ef3404497ff34c1cdf51206bd895770cb71f446effed3cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba4d1bd3-52f9-470f-b8af-14d690ce8d20.vbs

Filesize
730B

MD5
0e778a66aa5a7ba23eead9bcd5d3f87a

SHA1
48d130f654b87362ae0651a091c248fc3a2020ce

SHA256
48dae0fee5930aeefb594785c4c10c06c94dba776fabf9b5364e2817edb9c643

SHA512
9f537f087331bff7ec77b0d6b67adc79b255c5f473b36522b414150b5a978459b220ea6a714e7c66349fc2b922b3a8f586ee961e2be104b58195e650fa24a4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1dd85be-f2af-4d46-89be-b1f9e62b59c3.vbs

Filesize
730B

MD5
5e688da56c0d92c2a785e5e7f16f146f

SHA1
c3cfc5a16cab866499aed57f137ac798c22428cb

SHA256
1d5e7ebe0ff74630e672ff6135bb70a852489e3caaa93c2308c19a8b59badd39

SHA512
3622a08d8dbbdf1605fc526ccb723dd696d45529507e9e8d63f685896f5160f53dcea1f8033c35e0c53cf5b8c29b3fcf172ac15b707ff6bf8b139f77eed1baf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9cc4dc0-ed17-4f0d-9879-304ccf886bb9.vbs

Filesize
730B

MD5
c5c98fc94548dd5ad5bac002917deab2

SHA1
5fc4097a3b7ab26c49823289c1b0001ad03b8e76

SHA256
f6578af56fdc6a996595551c496566c2cdfe4881c220a17cfacdb1672f5cd8bb

SHA512
b44d807b0ce45eb032c7455dbd511ac08d2b8c9904e78bc5d8e1cf72febced5b508ad3f6b7b1f73c4604f931023cca6a683216971622030f03311338efaace90

Download Submit
C:\Users\Admin\AppData\Local\Temp\e97ac511-3e1d-43db-864e-3d562c5a1f0d.vbs

Filesize
730B

MD5
ebf5119dca0897c140ea7f901b0dcef8

SHA1
a97d194b5abcc6c117248be4a5db576c87f2e2ba

SHA256
fa0d41bbdeb6dc575c838e00296f377225f2e474687445d899af2b3c7efbd600

SHA512
036721741a2152af5295c00396f87b341e104d761f6bc85e2ff43fba4d47b6483b914d3a0a7e0888e3e4d46313b5302cbaa644829051efdc9c3947d84cbd6c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec16bafc-675f-460b-9883-e617f818a9f8.vbs

Filesize
506B

MD5
e77a7ce68032defa21d74dd40b030303

SHA1
64301a3ed173861a13c522ad0dcbfaca737dc0d5

SHA256
c128ddf45c7c1dbcb17bc3369906b6cd3fbd0b0178cc09c9000e199b26547594

SHA512
3f40d8ec15b11935fd4119d47a5bc4a51cc45cf28832efe4239d5d993ab37f81161f124c2514fca71c2ed5a3f629b08469d4040734a8c1507d3543a6c9fe04f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4a4ea16-3ea9-4d60-933c-69a3b801b26e.vbs

Filesize
730B

MD5
8297ef7510b2cff4d23e869fdbc7beab

SHA1
9d0b3be18acb166a519eefc87b8a5d2dca7e2c05

SHA256
8cad9cdf6d254d8b8f07d99f300b9f5ac5e36029959e637266be9f0ec4db037c

SHA512
fa03e999d3e27868135fed7789394ba25215ffb95283c3364037c35afb53e5acf3dcbc9a31c829e1b0ab76ea3c313ce472833bf2cb15b71025d42e6754b0b58d

Download Submit
memory/3036-387-0x000000001B7E0000-0x000000001B8E2000-memory.dmp

Filesize
1.0MB

Download
memory/3428-8-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/3428-17-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/3428-10-0x000000001B280000-0x000000001B28C000-memory.dmp

Filesize
48KB

Download
memory/3428-9-0x000000001B260000-0x000000001B268000-memory.dmp

Filesize
32KB

Download
memory/3428-6-0x000000001B230000-0x000000001B246000-memory.dmp

Filesize
88KB

Download
memory/3428-12-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/3428-7-0x000000001B250000-0x000000001B258000-memory.dmp

Filesize
32KB

Download
memory/3428-13-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/3428-15-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

Filesize
32KB

Download
memory/3428-11-0x000000001B290000-0x000000001B29C000-memory.dmp

Filesize
48KB

Download
memory/3428-1-0x0000000000460000-0x0000000000602000-memory.dmp

Filesize
1.6MB

Download
memory/3428-4-0x000000001B8B0000-0x000000001B900000-memory.dmp

Filesize
320KB

Download
memory/3428-0-0x00007FF9D6623000-0x00007FF9D6625000-memory.dmp

Filesize
8KB

Download
memory/3428-2-0x00007FF9D6620000-0x00007FF9D70E1000-memory.dmp

Filesize
10.8MB

Download
memory/3428-5-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/3428-14-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/3428-3-0x0000000000F70000-0x0000000000F8C000-memory.dmp

Filesize
112KB

Download
memory/3428-296-0x00007FF9D6620000-0x00007FF9D70E1000-memory.dmp

Filesize
10.8MB

Download
memory/3428-16-0x000000001BAF0000-0x000000001BAFA000-memory.dmp

Filesize
40KB

Download
memory/3476-411-0x000000001C440000-0x000000001C542000-memory.dmp

Filesize
1.0MB

Download
memory/3784-199-0x000001CBB13D0000-0x000001CBB13F2000-memory.dmp

Filesize
136KB

Download
memory/4204-340-0x000000001BCC0000-0x000000001BDC2000-memory.dmp

Filesize
1.0MB

Download
memory/4812-352-0x000000001BFC0000-0x000000001C0C2000-memory.dmp

Filesize
1.0MB

Download
memory/5200-375-0x000000001BF80000-0x000000001C082000-memory.dmp

Filesize
1.0MB

Download
memory/5580-399-0x000000001C2C0000-0x000000001C3C2000-memory.dmp

Filesize
1.0MB

Download