dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
57s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Size

1.6MB
MD5

e38a8ba2db5ea28f0f52d37b4a9d0d45
SHA1

eeb67e1eb72370ce24df9b82c6a7664176dfe064
SHA256

1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6
SHA512

ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5568	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5544	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5532	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5732	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6000	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5896	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5572	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6080	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5792	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5800	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	632	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	632	schtasks.exe	87

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral8/memory/1232-1-0x0000000000E30000-0x0000000000FD2000-memory.dmp	dcrat
behavioral8/files/0x0007000000024308-26.dat	dcrat
behavioral8/files/0x000900000002430d-41.dat	dcrat
behavioral8/files/0x0008000000021e21-52.dat	dcrat
behavioral8/files/0x000c0000000242d8-75.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1384	powershell.exe
4800	powershell.exe
4972	powershell.exe
4676	powershell.exe
3640	powershell.exe
1852	powershell.exe
5620	powershell.exe
5644	powershell.exe
4740	powershell.exe
5416	powershell.exe
4764	powershell.exe
2460	powershell.exe
5932	powershell.exe
1124	powershell.exe
1808	powershell.exe
6124	powershell.exe
1000	powershell.exe
3196	powershell.exe
5260	powershell.exe
1756	powershell.exe
4776	powershell.exe
4752	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 6 IoCs

pid	Process
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
4920	spoolsv.exe
436	spoolsv.exe
5448	spoolsv.exe
3336	spoolsv.exe
4776	spoolsv.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4492_4245689\RCX6A59.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\edge_BITS_4492_4245689\services.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Uninstall Information\winlogon.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX65A2.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Crashpad\attachments\55b276f4edf653	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\edge_BITS_4492_4245689\services.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\edge_BITS_4492_4245689\c5b4cb5e9653cc	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\edge_BITS_4492_4245689\RCX6A5A.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\56085415360792	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6534.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\6ccacd8608530f	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\Offline Web Pages\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\TAPI\RuntimeBroker.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\TAPI\RuntimeBroker.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\TAPI\9e8d7a4ca61bd9	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\Offline Web Pages\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\Vss\Writers\Application\dllhost.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\Vss\Writers\Application\dllhost.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\Vss\Writers\Application\5940a34987c991	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4544	schtasks.exe
5792	schtasks.exe
6000	schtasks.exe
3916	schtasks.exe
5532	schtasks.exe
4168	schtasks.exe
4992	schtasks.exe
5732	schtasks.exe
5708	schtasks.exe
1020	schtasks.exe
2420	schtasks.exe
1960	schtasks.exe
3968	schtasks.exe
2824	schtasks.exe
436	schtasks.exe
5800	schtasks.exe
2500	schtasks.exe
5544	schtasks.exe
5572	schtasks.exe
4812	schtasks.exe
5196	schtasks.exe
4576	schtasks.exe
4580	schtasks.exe
5896	schtasks.exe
860	schtasks.exe
3008	schtasks.exe
6080	schtasks.exe
4104	schtasks.exe
5776	schtasks.exe
4360	schtasks.exe
5444	schtasks.exe
1064	schtasks.exe
3828	schtasks.exe
6044	schtasks.exe
4664	schtasks.exe
2400	schtasks.exe
2656	schtasks.exe
4320	schtasks.exe
4384	schtasks.exe
4600	schtasks.exe
4644	schtasks.exe
4816	schtasks.exe
64	schtasks.exe
2380	schtasks.exe
3688	schtasks.exe
4496	schtasks.exe
5560	schtasks.exe
3020	schtasks.exe
5124	schtasks.exe
2792	schtasks.exe
4836	schtasks.exe
6100	schtasks.exe
4456	schtasks.exe
5460	schtasks.exe
4400	schtasks.exe
5124	schtasks.exe
5568	schtasks.exe
1720	schtasks.exe
3736	schtasks.exe
532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
5620	powershell.exe
5620	powershell.exe
5644	powershell.exe
5644	powershell.exe
5620	powershell.exe
5260	powershell.exe
5260	powershell.exe
1000	powershell.exe
1000	powershell.exe
1384	powershell.exe
1384	powershell.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
5644	powershell.exe
1000	powershell.exe
1384	powershell.exe
5260	powershell.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
1756	powershell.exe
1756	powershell.exe
4740	powershell.exe
4740	powershell.exe
4752	powershell.exe
4752	powershell.exe
4800	powershell.exe
4800	powershell.exe
4676	powershell.exe
4676	powershell.exe
2460	powershell.exe
2460	powershell.exe
4764	powershell.exe
4764	powershell.exe
5416	powershell.exe
5416	powershell.exe
1124	powershell.exe
1124	powershell.exe
4776	powershell.exe
4776	powershell.exe
4676	powershell.exe
3640	powershell.exe
3640	powershell.exe
5932	powershell.exe
5932	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Token: SeDebugPrivilege	5620	powershell.exe
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeDebugPrivilege	5260	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	5416	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	5932	powershell.exe
Token: SeDebugPrivilege	6124	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4920	spoolsv.exe
Token: SeDebugPrivilege	436	spoolsv.exe
Token: SeDebugPrivilege	5448	spoolsv.exe
Token: SeDebugPrivilege	3336	spoolsv.exe
Token: SeDebugPrivilege	4776	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 5620	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	103
PID 1232 wrote to memory of 5620	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	103
PID 1232 wrote to memory of 1000	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	104
PID 1232 wrote to memory of 1000	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	104
PID 1232 wrote to memory of 5644	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	105
PID 1232 wrote to memory of 5644	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	105
PID 1232 wrote to memory of 3196	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	106
PID 1232 wrote to memory of 3196	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	106
PID 1232 wrote to memory of 5260	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	107
PID 1232 wrote to memory of 5260	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	107
PID 1232 wrote to memory of 1384	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	108
PID 1232 wrote to memory of 1384	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	108
PID 1232 wrote to memory of 2872	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	115
PID 1232 wrote to memory of 2872	1232	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	115
PID 2872 wrote to memory of 4800	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	164
PID 2872 wrote to memory of 4800	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	164
PID 2872 wrote to memory of 1756	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	165
PID 2872 wrote to memory of 1756	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	165
PID 2872 wrote to memory of 4676	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	166
PID 2872 wrote to memory of 4676	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	166
PID 2872 wrote to memory of 4752	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	167
PID 2872 wrote to memory of 4752	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	167
PID 2872 wrote to memory of 4740	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	169
PID 2872 wrote to memory of 4740	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	169
PID 2872 wrote to memory of 4764	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	170
PID 2872 wrote to memory of 4764	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	170
PID 2872 wrote to memory of 4776	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	171
PID 2872 wrote to memory of 4776	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	171
PID 2872 wrote to memory of 5416	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	172
PID 2872 wrote to memory of 5416	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	172
PID 2872 wrote to memory of 1124	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	174
PID 2872 wrote to memory of 1124	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	174
PID 2872 wrote to memory of 4972	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	176
PID 2872 wrote to memory of 4972	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	176
PID 2872 wrote to memory of 2460	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	178
PID 2872 wrote to memory of 2460	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	178
PID 2872 wrote to memory of 5932	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	181
PID 2872 wrote to memory of 5932	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	181
PID 2872 wrote to memory of 3640	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	186
PID 2872 wrote to memory of 3640	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	186
PID 2872 wrote to memory of 1808	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	187
PID 2872 wrote to memory of 1808	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	187
PID 2872 wrote to memory of 6124	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	191
PID 2872 wrote to memory of 6124	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	191
PID 2872 wrote to memory of 1852	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	192
PID 2872 wrote to memory of 1852	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	192
PID 2872 wrote to memory of 4920	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	197
PID 2872 wrote to memory of 4920	2872	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	197
PID 4920 wrote to memory of 5864	4920	spoolsv.exe	199
PID 4920 wrote to memory of 5864	4920	spoolsv.exe	199
PID 4920 wrote to memory of 3380	4920	spoolsv.exe	200
PID 4920 wrote to memory of 3380	4920	spoolsv.exe	200
PID 5864 wrote to memory of 436	5864	WScript.exe	202
PID 5864 wrote to memory of 436	5864	WScript.exe	202
PID 436 wrote to memory of 1804	436	spoolsv.exe	204
PID 436 wrote to memory of 1804	436	spoolsv.exe	204
PID 436 wrote to memory of 4716	436	spoolsv.exe	205
PID 436 wrote to memory of 4716	436	spoolsv.exe	205
PID 1804 wrote to memory of 5448	1804	WScript.exe	206
PID 1804 wrote to memory of 5448	1804	WScript.exe	206
PID 5448 wrote to memory of 5520	5448	spoolsv.exe	208
PID 5448 wrote to memory of 5520	5448	spoolsv.exe	208
PID 5448 wrote to memory of 5232	5448	spoolsv.exe	209
PID 5448 wrote to memory of 5232	5448	spoolsv.exe	209

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
"C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4492_4245689\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
  "C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\backgroundTaskHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\sysmon.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\TextInputHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:6124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
    "C:\aff403968f1bfcc42131676322798b50\spoolsv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6df3a364-cb30-4051-bee0-92955d783b18.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5864
    - - C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
        
        C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96fa6899-772d-41ec-bdf1-e055951fc826.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
        
        C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db6da234-0e4e-4446-b5fa-eab64fc52bd6.vbs"
        8⤵
        
        PID:5520
        
        C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
        
        C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed59295d-1bad-4885-a210-bc4eee97b1d6.vbs"
        10⤵
        
        PID:5084
        
        C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
        
        C:\aff403968f1bfcc42131676322798b50\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ae2e85e-9b6f-4559-bc76-6f61cf0a648c.vbs"
        12⤵
        
        PID:5004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10739d93-d4de-48e1-b254-31f8668c025d.vbs"
        12⤵
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\376b8709-982e-4556-9ce5-adc3dd3af6a6.vbs"
        10⤵
        
        PID:5228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\914b0f4d-4562-488b-8476-7a75fac6009d.vbs"
        8⤵
        
        PID:5232
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2d61ad8-33f9-4d75-9362-ea0193f269a8.vbs"
        6⤵
        
        PID:4716
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cadfab4c-cedc-4e93-a6aa-71bb0c70921c.vbs"
      4⤵
      PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4492_4245689\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4492_4245689\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4492_4245689\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\Application\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\aff403968f1bfcc42131676322798b50\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\aff403968f1bfcc42131676322798b50\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd61" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd61" /sc MINUTE /mo 14 /tr "'C:\aff403968f1bfcc42131676322798b50\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\aff403968f1bfcc42131676322798b50\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\winlogon.exe

Filesize
1.6MB

MD5
4dbc1f5b17b2be8ad93bf2cb19697baf

SHA1
29359838b91581cab9b4a1e09127391715dafb95

SHA256
79bfea5a7c28b8a19288d90327868c5bf8f33e2217ab051a3088b65b99251346

SHA512
b8c5518d8b600b22c83db56d2a977d06cd58860ea8d39cde47e5e92c55a71fb09510f3439bdebfa1b5584eafaa097ad8acede15746713d5546a41809a8f49602

Download Submit
C:\Recovery\WindowsRE\SearchApp.exe

Filesize
1.6MB

MD5
a30571774e7cb01378ff56fd4ebac1e0

SHA1
4eae0ed5a6ccf5b9105c9bb09b5760fc4c9b13d4

SHA256
b8b8c9623b212f84e609ee695e647341f4ea181f4059b09c58cdccb9db5fecb5

SHA512
08b9859720c3f6cbb6c321063f96622179d81a0cca2fbabe48d6ea60a1156ebb0218abf9286e3c46aeedcbe8fe253f96ac9b0f486654d8ad336b84e46f510320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b7e1db446e63a2aae76cd85440a08856

SHA1
c900cc81335dd3ca6337e21f5bcde80f8e8a88f3

SHA256
7305bcde3ba246a9b5c1666079c61596cc2ed2c651a1cd9e20557dba8a78c0e4

SHA512
dd63e28017eec632868489e469dd2ba54f20a3024be44550b729a0384bd55c5aa78171f7416612cd5174047afc544e21678ca164359962312b1d853c9bff04ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
737aca23f199ce589dd1e68bc4969b98

SHA1
8c9cdd6bdf94c5fa42c5b0c29abf0136e4e6fa00

SHA256
6aa59e171898b3dd42a36662ef81d349ce5063a705f1261e881269c59e7c742b

SHA512
ccc0e6fa798aeb92e6e1a14d6ef3dc23e8e829d5ffd10f11129d0e590820711e29997a761dca77b8e790b06e3c7c0d2059137f40f92543eb8048529b1b4d7817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a1d5945d69caaa5ad4650aa92416db8

SHA1
fce5ff33231a7b99c4e54afac0b356aa72c86aef

SHA256
536f6c89e5a645ed4b13768d4e63be2900f010b341e04729e79c04af7af1d567

SHA512
04a94cfc967dccb836f2a51b86f861f77421f57bfc6826b00a63a86df995e0e873b38a5c930a15a173b3ea4e768776a13860206468d1bb7ec614ce93f8143cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
575c67abdb0b2c72de0d9dd38b94d791

SHA1
27783f259ffd096b21c02c70cb999bf860183124

SHA256
fdf985fb9c56b4462675c41f68555f8762dd7043b15750968208b88be87252bc

SHA512
61b23a15b52cf51b525993e8cfc0b9fd41d1bb28501c96a35f776bfa738390783ad266c2d0383a53770f3662dd118a45114d92afee63b4673e88008a6559b774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5405317cb25911355558de3d1a3cd64a

SHA1
f4992925f55c096f605e7898fcdc715a3aba3a6f

SHA256
92c6f5c160c6f65f2eb5bac15d46c68f6cb52965ede6468c0b967c7953c3626f

SHA512
a0de4cc464a0067eb94224aae7ef8e9132957a7266584ce09454178c4687280fc4dea4851abdd064a7976afed36a65f6e949251b1ccbd942531416e95c8c938d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b22bcc023ccf6782c755f5b743aa3a52

SHA1
141150057021a07fa6aa03f46c9f2fd5719b3eeb

SHA256
a977c9d6fc409dbc0abbaa17e306eca391657f1f3c974cf1b004826000b8d1b4

SHA512
05c78b755324319a86857f3d249cfc9cc0c6c51a4f8ee94350a1936853e323af668fa8ee224d60eea618f1a7684897c3ce24713365dbeeba02e7718cbe4b3b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08526e4d8fed0a382c243c9aa8b1fe45

SHA1
f3da4b97529aaa38230db8bfa34a345bbc211622

SHA256
b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

SHA512
cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8320aeea03d40a74715d8b9613f9d0cc

SHA1
09fcf3cf06de496b434aaf3181f5aed78731425e

SHA256
54d89ac6af0379f2fa8afc5137450f796cd22f70da2b6b68a299b23c521eb205

SHA512
7d6fd85c54a4c8a63069fa02cd8b892f448be8b11b97190653864a076bfe5f2d4061b354ce2e3ad8b49a0e482ee90992493bb823f5e6f664dc7ac3937a547dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ec66606831e595ea115f35d1b61b7105

SHA1
f22d025450dc8dafd9b434b2eb31cb876bcb8109

SHA256
4f17fe98ecf3ea9ec9873ff0a3acdd6ca93eb17e280a01ff6cfeca4422019dec

SHA512
f2922870f0b34b5cd8a75ce3aa94362a43997a752b0e8e9001f63d650225bf15415a75ce8aa333e4d3554a52ca5d40eec7b15ce67e3ee20441cf2680de59ed5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ae2e85e-9b6f-4559-bc76-6f61cf0a648c.vbs

Filesize
723B

MD5
b3532ecdb243edfb427b5584783a06b4

SHA1
c66f3a6c6b0c667455fa85b784c6135e630ec99a

SHA256
c915d258c9fd1ea912977c0411f7ea4d94b8404ccb690ae863409eff67646c8b

SHA512
2b6ea45c4ae09e8018e0d3f9a65de91cc88cfde5492117ca381e58413b00b082c7d43781dd9c950cd68e2b00974a74049ac62e7f4220a9d2d30e8d2dfef8ec70

Download Submit
C:\Users\Admin\AppData\Local\Temp\6df3a364-cb30-4051-bee0-92955d783b18.vbs

Filesize
723B

MD5
ce845f227f3567132d49874221383b6f

SHA1
2921be9dab1ff4989829abfc81d1cadc4107080d

SHA256
d3d0343fb4c2051006406b7b0faaefa1931dbc68bdb82426eeeb92f230633f1d

SHA512
a62d3b4fdb430208973850e3f1bb54866c24afa6dd6ba998d6bd8b357f1048f8bc05a09bf674b97f29d8607bdb64474197edd0e2ff4b954daea70900f451cef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\96fa6899-772d-41ec-bdf1-e055951fc826.vbs

Filesize
722B

MD5
8527140413337250efd7ad98642a363d

SHA1
a74f41c0dd5f00c6ca76afb798ae15fcaa3e5755

SHA256
ba4606097603e4e76c55779b3086d52fe3f25d7db4518be966121d5b7e6b269a

SHA512
7826c347059646fae0bbd77b24335f12dde18387526d644bb3a11ce1779896a2c0cbb95055a7c819a3b7e4b777adcc499ba18e54b1da1fa694f2c93dc4c36420

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3iugsdm.530.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cadfab4c-cedc-4e93-a6aa-71bb0c70921c.vbs

Filesize
499B

MD5
51a0aef55c7b2e3977a1a01bd46152ae

SHA1
a35f00392c4dbd98c9a43735ec2c3bbec131832a

SHA256
48e337be12944fc3621cf495da17448126a5d9cc3ce01b90ddd5f16077d5d15d

SHA512
41b8894254382b821d44919ba001384ea9cf1a474f7a4b1412c03f083ad18230fad35f861a05b61cef1ab89794cc7f09a6f365fa36fef6a73dfd2f9e126add66

Download Submit
C:\Users\Admin\AppData\Local\Temp\db6da234-0e4e-4446-b5fa-eab64fc52bd6.vbs

Filesize
723B

MD5
5e25dbf68fb1b5440e84a56cb5d991b9

SHA1
5993cc295a6cd01f926e38a10506dbe705fc2b72

SHA256
485e6b2281ac115cf9eac46d78869d8601cea80ab8a9ac02c0f6e8ef22ac5a19

SHA512
48a3b85e8667475628be479a531a37fee7760870c3d08e69bdd4af5594c0a87753ea79923c885b8a0e2d6777c6446017982f5c918ca2367d1b1571610df40a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed59295d-1bad-4885-a210-bc4eee97b1d6.vbs

Filesize
723B

MD5
fc0db44056211fce92d33e4b9791bd0c

SHA1
1590c0eb6522d6849a0df6015014c53c4fe47209

SHA256
586cb910d38fff29f8ce2dd4f642f2266c6c9ae38f707d48f7484af26c318ec1

SHA512
bab8d2a02432f3d54fd07bfe2d20c9834b43f42ab14f6d4104b14cd704536bae4a5f7e48fb9f61ccaf21b1b673b898ec07df061bb11b06db7ba54ab0f5872e46

Download Submit
C:\aff403968f1bfcc42131676322798b50\Idle.exe

Filesize
1.6MB

MD5
3d77fdf0de1dbf9e00ad197b1ae657f8

SHA1
246b822dff05077e6bfd879e4ad20480bb878c9a

SHA256
bbc6c0cc90be3a2b138b3658f519ac4ab79ff0c9c7808cf4d63754c42f916eb3

SHA512
a0615366cb9db362a994275175243befd1a2ef3cc907f76291dfde11c8b9aa1f33f6517a0cd56e0aba20f83041d1f3d69cb2eecac01de4ec0d17ce466efd1b58

Download Submit
C:\f9532e701a889cdd91b8\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
e38a8ba2db5ea28f0f52d37b4a9d0d45

SHA1
eeb67e1eb72370ce24df9b82c6a7664176dfe064

SHA256
1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6

SHA512
ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e

Download Submit
memory/1232-11-0x000000001C470000-0x000000001C47C000-memory.dmp

Filesize
48KB

Download
memory/1232-0-0x00007FFA52D83000-0x00007FFA52D85000-memory.dmp

Filesize
8KB

Download
memory/1232-17-0x000000001C4D0000-0x000000001C4DC000-memory.dmp

Filesize
48KB

Download
memory/1232-16-0x000000001C4C0000-0x000000001C4CA000-memory.dmp

Filesize
40KB

Download
memory/1232-156-0x00007FFA52D80000-0x00007FFA53841000-memory.dmp

Filesize
10.8MB

Download
memory/1232-15-0x000000001C4B0000-0x000000001C4B8000-memory.dmp

Filesize
32KB

Download
memory/1232-14-0x000000001C4A0000-0x000000001C4A8000-memory.dmp

Filesize
32KB

Download
memory/1232-13-0x000000001C490000-0x000000001C49E000-memory.dmp

Filesize
56KB

Download
memory/1232-12-0x000000001C480000-0x000000001C48A000-memory.dmp

Filesize
40KB

Download
memory/1232-1-0x0000000000E30000-0x0000000000FD2000-memory.dmp

Filesize
1.6MB

Download
memory/1232-9-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/1232-10-0x000000001C2B0000-0x000000001C2BC000-memory.dmp

Filesize
48KB

Download
memory/1232-6-0x000000001BBF0000-0x000000001BC06000-memory.dmp

Filesize
88KB

Download
memory/1232-8-0x000000001BC20000-0x000000001BC30000-memory.dmp

Filesize
64KB

Download
memory/1232-7-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/1232-5-0x0000000003040000-0x0000000003050000-memory.dmp

Filesize
64KB

Download
memory/1232-4-0x000000001C260000-0x000000001C2B0000-memory.dmp

Filesize
320KB

Download
memory/1232-3-0x0000000003160000-0x000000000317C000-memory.dmp

Filesize
112KB

Download
memory/1232-2-0x00007FFA52D80000-0x00007FFA53841000-memory.dmp

Filesize
10.8MB

Download
memory/5620-96-0x00000253BE490000-0x00000253BE4B2000-memory.dmp

Filesize
136KB

Download