dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Size

1.6MB
MD5

517861702fe0a89aa5e3af35d9f96661
SHA1

50101d8bff153320694baf54bc7b68e585720d4d
SHA256

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
SHA512

da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5372	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6016	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5856	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5916	4772	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5276	4772	schtasks.exe	89

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/3044-1-0x0000000000AB0000-0x0000000000C52000-memory.dmp	dcrat
behavioral12/files/0x0006000000021754-28.dat	dcrat
behavioral12/files/0x0006000000022b8b-49.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5004	powershell.exe
4464	powershell.exe
3768	powershell.exe
4140	powershell.exe
1412	powershell.exe
5252	powershell.exe
2012	powershell.exe
4660	powershell.exe
5280	powershell.exe
5068	powershell.exe
4880	powershell.exe
860	powershell.exe
4856	powershell.exe
5072	powershell.exe
1460	powershell.exe
1972	powershell.exe
5324	powershell.exe
5112	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 14 IoCs

pid	Process
6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
1016	sppsvc.exe
3680	sppsvc.exe
988	sppsvc.exe
4544	sppsvc.exe
3444	sppsvc.exe
4880	sppsvc.exe
540	sppsvc.exe
5892	sppsvc.exe
2808	sppsvc.exe
5360	sppsvc.exe
1264	sppsvc.exe
1456	sppsvc.exe
5260	sppsvc.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4640_720052988\WmiPrvSE.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Common Files\Services\dllhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Google\RuntimeBroker.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Google\RuntimeBroker.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\System.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Common Files\Services\5940a34987c991	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\7-Zip\taskhostw.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\7-Zip\ea9f0e6c9e2dcd	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Common Files\System\es-ES\System.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Google\9e8d7a4ca61bd9	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Common Files\Services\dllhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\7-Zip\taskhostw.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Common Files\System\es-ES\27d1bcfc3c54e0	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\edge_BITS_4640_720052988\WmiPrvSE.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\edge_BITS_4640_720052988\24dbde2999530e	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5964	schtasks.exe
2184	schtasks.exe
1980	schtasks.exe
2068	schtasks.exe
1596	schtasks.exe
6016	schtasks.exe
3508	schtasks.exe
3980	schtasks.exe
404	schtasks.exe
2820	schtasks.exe
5804	schtasks.exe
2764	schtasks.exe
400	schtasks.exe
2348	schtasks.exe
6056	schtasks.exe
4832	schtasks.exe
2224	schtasks.exe
3336	schtasks.exe
4728	schtasks.exe
2512	schtasks.exe
3944	schtasks.exe
5772	schtasks.exe
5856	schtasks.exe
5916	schtasks.exe
4284	schtasks.exe
5164	schtasks.exe
5372	schtasks.exe
3460	schtasks.exe
5320	schtasks.exe
2992	schtasks.exe
3400	schtasks.exe
4604	schtasks.exe
4912	schtasks.exe
5708	schtasks.exe
1868	schtasks.exe
3828	schtasks.exe
5368	schtasks.exe
5276	schtasks.exe
4964	schtasks.exe
1292	schtasks.exe
4040	schtasks.exe
4360	schtasks.exe
4700	schtasks.exe
1708	schtasks.exe
5076	schtasks.exe
3308	schtasks.exe
5704	schtasks.exe
6072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
5280	powershell.exe
5280	powershell.exe
4660	powershell.exe
4660	powershell.exe
5324	powershell.exe
5324	powershell.exe
1972	powershell.exe
1972	powershell.exe
5324	powershell.exe
4660	powershell.exe
1972	powershell.exe
5280	powershell.exe
6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2012	powershell.exe
2012	powershell.exe
5112	powershell.exe
5112	powershell.exe
1460	powershell.exe
1460	powershell.exe
5068	powershell.exe
5068	powershell.exe
4856	powershell.exe
4856	powershell.exe
5072	powershell.exe
5072	powershell.exe
5252	powershell.exe
5252	powershell.exe
3768	powershell.exe
3768	powershell.exe
4880	powershell.exe
4880	powershell.exe
860	powershell.exe
860	powershell.exe
5004	powershell.exe
5004	powershell.exe
4464	powershell.exe
4464	powershell.exe
4140	powershell.exe
4140	powershell.exe
1412	powershell.exe
1412	powershell.exe
2012	powershell.exe
5068	powershell.exe
5112	powershell.exe
1460	powershell.exe
5004	powershell.exe
4856	powershell.exe
5252	powershell.exe
4880	powershell.exe
3768	powershell.exe
1412	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	5280	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	5324	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	1016	sppsvc.exe
Token: SeDebugPrivilege	3680	sppsvc.exe
Token: SeDebugPrivilege	988	sppsvc.exe
Token: SeDebugPrivilege	4544	sppsvc.exe
Token: SeDebugPrivilege	3444	sppsvc.exe
Token: SeDebugPrivilege	4880	sppsvc.exe
Token: SeDebugPrivilege	540	sppsvc.exe
Token: SeDebugPrivilege	5892	sppsvc.exe
Token: SeDebugPrivilege	2808	sppsvc.exe
Token: SeDebugPrivilege	5360	sppsvc.exe
Token: SeDebugPrivilege	1264	sppsvc.exe
Token: SeDebugPrivilege	1456	sppsvc.exe
Token: SeDebugPrivilege	5260	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 5324	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	100
PID 3044 wrote to memory of 5324	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	100
PID 3044 wrote to memory of 1972	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	101
PID 3044 wrote to memory of 1972	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	101
PID 3044 wrote to memory of 5280	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	102
PID 3044 wrote to memory of 5280	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	102
PID 3044 wrote to memory of 4660	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	103
PID 3044 wrote to memory of 4660	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	103
PID 3044 wrote to memory of 3976	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	108
PID 3044 wrote to memory of 3976	3044	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	108
PID 3976 wrote to memory of 3540	3976	cmd.exe	110
PID 3976 wrote to memory of 3540	3976	cmd.exe	110
PID 3976 wrote to memory of 6008	3976	cmd.exe	115
PID 3976 wrote to memory of 6008	3976	cmd.exe	115
PID 6008 wrote to memory of 4856	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	157
PID 6008 wrote to memory of 4856	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	157
PID 6008 wrote to memory of 5068	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	158
PID 6008 wrote to memory of 5068	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	158
PID 6008 wrote to memory of 5072	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	159
PID 6008 wrote to memory of 5072	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	159
PID 6008 wrote to memory of 5112	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	160
PID 6008 wrote to memory of 5112	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	160
PID 6008 wrote to memory of 5004	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	161
PID 6008 wrote to memory of 5004	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	161
PID 6008 wrote to memory of 4880	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	162
PID 6008 wrote to memory of 4880	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	162
PID 6008 wrote to memory of 1412	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	163
PID 6008 wrote to memory of 1412	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	163
PID 6008 wrote to memory of 1460	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	164
PID 6008 wrote to memory of 1460	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	164
PID 6008 wrote to memory of 5252	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	165
PID 6008 wrote to memory of 5252	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	165
PID 6008 wrote to memory of 2012	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	166
PID 6008 wrote to memory of 2012	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	166
PID 6008 wrote to memory of 3768	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	167
PID 6008 wrote to memory of 3768	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	167
PID 6008 wrote to memory of 860	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	168
PID 6008 wrote to memory of 860	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	168
PID 6008 wrote to memory of 4140	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	169
PID 6008 wrote to memory of 4140	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	169
PID 6008 wrote to memory of 4464	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	170
PID 6008 wrote to memory of 4464	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	170
PID 6008 wrote to memory of 1016	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	185
PID 6008 wrote to memory of 1016	6008	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	185
PID 1016 wrote to memory of 5892	1016	sppsvc.exe	186
PID 1016 wrote to memory of 5892	1016	sppsvc.exe	186
PID 1016 wrote to memory of 3164	1016	sppsvc.exe	187
PID 1016 wrote to memory of 3164	1016	sppsvc.exe	187
PID 5892 wrote to memory of 3680	5892	WScript.exe	188
PID 5892 wrote to memory of 3680	5892	WScript.exe	188
PID 3680 wrote to memory of 1596	3680	sppsvc.exe	189
PID 3680 wrote to memory of 1596	3680	sppsvc.exe	189
PID 3680 wrote to memory of 4488	3680	sppsvc.exe	190
PID 3680 wrote to memory of 4488	3680	sppsvc.exe	190
PID 1596 wrote to memory of 988	1596	WScript.exe	198
PID 1596 wrote to memory of 988	1596	WScript.exe	198
PID 988 wrote to memory of 5648	988	sppsvc.exe	199
PID 988 wrote to memory of 5648	988	sppsvc.exe	199
PID 988 wrote to memory of 1040	988	sppsvc.exe	200
PID 988 wrote to memory of 1040	988	sppsvc.exe	200
PID 5648 wrote to memory of 4544	5648	WScript.exe	201
PID 5648 wrote to memory of 4544	5648	WScript.exe	201
PID 4544 wrote to memory of 2108	4544	sppsvc.exe	202
PID 4544 wrote to memory of 2108	4544	sppsvc.exe	202

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
"C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rbx2xD7zq4.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
    "C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\dllhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\taskhostw.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\sppsvc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\es-ES\System.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WmiPrvSE.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4640_720052988\WmiPrvSE.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4464
  - - C:\Users\Public\Libraries\sppsvc.exe
      "C:\Users\Public\Libraries\sppsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0173318f-63f9-4764-a913-53e3541764ec.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5892
      - C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\452b9453-8027-43d9-a457-528f0874255b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d301431-ccf8-484c-ac71-1992f1f65dce.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5648
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b6eb54d-a9b1-4515-9047-8ae81586c9db.vbs"
        11⤵
        
        PID:2108
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaeb3ac2-6012-4c45-8890-a8e0ce72add1.vbs"
        13⤵
        
        PID:3144
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3248dfa8-f8f3-4ddc-b2e0-fa135e7d626d.vbs"
        15⤵
        
        PID:3264
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8e9ffbc-318c-4a3d-a765-0d7f5906c7fb.vbs"
        17⤵
        
        PID:3900
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\286f6da1-ba41-4ede-9829-c0b590279046.vbs"
        19⤵
        
        PID:672
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdc03582-1606-4a29-96ac-5218c433d858.vbs"
        21⤵
        
        PID:1044
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a883a155-7993-4141-8ab2-6d3c1f91569a.vbs"
        23⤵
        
        PID:4640
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19533db1-41a6-4963-81c6-6a7d1bd5f3c6.vbs"
        25⤵
        
        PID:5412
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a9e8ff7-a586-4e49-bae2-efc918609d01.vbs"
        27⤵
        
        PID:4280
        
        C:\Users\Public\Libraries\sppsvc.exe
        
        C:\Users\Public\Libraries\sppsvc.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd35da3e-14ce-4ace-a1ca-b3ede566a642.vbs"
        29⤵
        
        PID:5864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d59ca88-135b-408e-85e0-c885ae8b6573.vbs"
        29⤵
        
        PID:6088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56cb87a5-e913-436f-972a-0c67b2c26fb7.vbs"
        27⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\820eb5dd-80e5-4804-98dd-c4578ee5a8d5.vbs"
        25⤵
        
        PID:3124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\736cb3c7-0ec2-4bb3-85f2-7f6fe826726e.vbs"
        23⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c1f90d-b185-415d-b4b3-a39441de373f.vbs"
        21⤵
        
        PID:4684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01242f8-37d0-4c73-a09c-d584a2cb9cc7.vbs"
        19⤵
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e1f2043-82f8-49c6-b166-74dae55ecba7.vbs"
        17⤵
        
        PID:4320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc387bf6-12e6-496e-8746-a1bf5e7ec7fd.vbs"
        15⤵
        
        PID:4828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b026f7c-c352-44fd-8e0b-42511625b86c.vbs"
        13⤵
        
        PID:5664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\711dfb24-a737-4984-b1ca-7c3469d4af8a.vbs"
        11⤵
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab200a58-dc99-423a-afbf-75c62a516f1a.vbs"
        9⤵
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3220490-d88a-4e6b-b90f-ad315465c47c.vbs"
        7⤵
        
        PID:4488
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce0cb9cd-4046-47c9-8f81-9e18627a1c5c.vbs"
        5⤵
        
        PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Services\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4640_720052988\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4640_720052988\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4640_720052988\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\spoolsv.exe

Filesize
1.6MB

MD5
d302b94ced8c8e28be71679e15cd5235

SHA1
6cd59cafc6f0b95369f19f507e8aa7085f562477

SHA256
ac14084b40a3b31a4c55e1d52991771f613a36f6131272887460b143c43d6169

SHA512
6130d2affbd712888771afb8303ffcb206a7cc5fa3e3b3c07d652a9f3c02d6aa77a5d24ee4e98e657b72c58ad732ce6aff95f12c1975f8b8b0b157823b33f1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efa4168b73a5e8ae56d49bcac4d67861

SHA1
b3fe6b2d9fc05ad7892a2c8b96914764336b3067

SHA256
7aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca

SHA512
a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
454c5c4b128d34aee2eb765f2a9c0aa9

SHA1
4b6e92db79d964f604fd6b261b3b19ede2aea8a5

SHA256
e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

SHA512
17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21bfc799247c23be8c83723a21d31bb5

SHA1
53b308a69a2e57ce004951c978ea8e008e29ca56

SHA256
eab1228d3d5af575fdf617768fdd5371ca706e4f48a8f9f4583b58663fbc5be3

SHA512
19e9ed32a3c302ea7d4ff23df4f6dfc7ba72775e18ce47f284db22f9059309448d77fd123984adcef11e647403a01f3cf45bd463857af77ae882be885001e746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08526e4d8fed0a382c243c9aa8b1fe45

SHA1
f3da4b97529aaa38230db8bfa34a345bbc211622

SHA256
b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

SHA512
cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fdf15f7d08f3f7538ae67e5b3e5d23f4

SHA1
953ff0529053ce3a1930b4f5abba2364a8befbfc

SHA256
9f4964b9cf2c6d4915a8f2b9746dc5ff73d6f327c81370f92e0e7a611b28a707

SHA512
4fee933635376d1467e0be63d12fa897f83cbbf9cdd1ac79cce30dfaa2621d47e137e991b701f1ed9910767904dbfb6b89db2a02ce32edc410c83351f351d7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c249d1546fa74aeda0e13ad7d0dc2815

SHA1
3fc3ae47b0d7fa3a2acb9347cb94e70c89c2467d

SHA256
9d30870071199e5fd2f9b6c73cec8ac9fe1503c3d60dbcb5591b775e9d166414

SHA512
2eb90f4da8fa278eaf6f46c13fd2477af3ea428d688049a45643c1c047203adee2389e42943b327f52b808cf7cac583f70ffef20f827908d59fc30af97ffc988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2c30103cc6b103339cfe44137ca0edf0

SHA1
ecdc8c1685831e906cbb8ca6065ab4bb06fe3db4

SHA256
85ea59925c660ced52ba5095323e580d61aa8f8de82f31cdde85a5ed7e75cfae

SHA512
a870be1cb86f955187170d99c7e6200f6871bc7858885d3b2f431bfa6f9af1d3d86a00add6f6f5a0396ed25fc19c4181b985cf08921ad98bf4903568fe59a482

Download Submit
C:\Users\Admin\AppData\Local\Temp\0173318f-63f9-4764-a913-53e3541764ec.vbs

Filesize
712B

MD5
ff84c7e7838a2bb2bfc5bdef8db7e5a5

SHA1
16e67016a9a2b3038fddbd40cd0cd318444c6cdf

SHA256
4c99c7e15bb275264d6d97f6f1fe914a3be9b796477c20cc0a02275a8f62ff73

SHA512
2b296244e79f2fc862d1f22d9e519560064c929bc6e3e056bb2d1f50fc23d797be6513c85501771dba061f0f7691a269d372ad60538e7a15a8c6a3bae3ecaa52

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d301431-ccf8-484c-ac71-1992f1f65dce.vbs

Filesize
711B

MD5
4ed1e3f617c0db2d430816f76cfe752c

SHA1
efeac443dc2f052a80dcfec3c593d7cbd3f57b77

SHA256
999f504404fb5521b5a24169941fd0db0e644c554e5a78955bd4ae4dab839a0b

SHA512
d20e278ace316f861fe5f293530c43840df2cc98b3caf0cdf17ac3b21633dc820f293eb8fed2d7dc6969645a379fc2c115f48ef0536ee7735af99bca400aa1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\286f6da1-ba41-4ede-9829-c0b590279046.vbs

Filesize
712B

MD5
1fe47667630cb5fe3fd0456f628ae3ec

SHA1
80a2a175e3687b86ece0c3dedb229e900c2290f7

SHA256
40199955d403a40d5a1e194da4a3b9b8d992b92e5ad23a63eec846156ebfa714

SHA512
0b24c49d260d8807d49640b24fb9d1cb2e7f018583e347dc1b3362c43d183449ac8f72511acb5f6c4b1b503a9188f5368fe900de1ef6c3a2218818215c3f90b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3248dfa8-f8f3-4ddc-b2e0-fa135e7d626d.vbs

Filesize
712B

MD5
fbf03ea0ee5fee7807f04ca802af0156

SHA1
fa44dd1cb41308ccf6d8c9b9223a535e6d40f4c7

SHA256
3d5652e44db173d1d4522138f302a92bf1152ffe0efb0d0148e622501c60689c

SHA512
5a1577fa01a12a832d5b3ca47bc5a7506013dc01f1e86cbc6184bb026165e7a7ea8d0f977f8b941c1112ca679e0f26fc71bed6bed24c6307d4a432a89117dcf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b6eb54d-a9b1-4515-9047-8ae81586c9db.vbs

Filesize
712B

MD5
be9cc5ef67783d2c3376da6024eafa6b

SHA1
b34a3b91a5f10f4ece965e100aee479c40397b96

SHA256
a4088f46f5aaec27122a649661a8e223b669f38f455165fb889b5a20d40b6942

SHA512
8315df4ad7d78e538fac7893a43e05434376ed3e16ba00d76d646f90ddab0a239aecef5ff6c83d48b3b7b90a84ffe497f81846b32dad55f8c3b4a8ef354c8fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\452b9453-8027-43d9-a457-528f0874255b.vbs

Filesize
712B

MD5
0f736465237e07ae8bca1cbe63e5cce3

SHA1
8e46e45acc3e64460899965ef13e45e5c937bc01

SHA256
b16652b9f38bf4b0fb91464c5e5446b2f07ce4d87f2db0835078fc545e2161c1

SHA512
5370999a75e3e5431cf29b68a376036162fe2151e667708eff597f293ec3d024d55a2afcfbc61fb006468f1d87d71510cd2d578d0dc64335423cac203d80cf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX515D.tmp

Filesize
1.6MB

MD5
517861702fe0a89aa5e3af35d9f96661

SHA1
50101d8bff153320694baf54bc7b68e585720d4d

SHA256
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

SHA512
da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rbx2xD7zq4.bat

Filesize
267B

MD5
6f8ba3fd256a5217eaddbcef90354b01

SHA1
81d4034b440215e94ca7368498f990a69d653f4e

SHA256
8e0a0a0a9603436301b099e4a34279dfb03e95c0a3afbe13c878448596817782

SHA512
9671ed51a275197a8fab0eb02c762ea3bd703be79a814d2b2c7726f04d7b282e15f7add978cba74b4bfc5c96c9bf95450d1d07c8613583759179423b89dc0ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajtwepte.qkb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a883a155-7993-4141-8ab2-6d3c1f91569a.vbs

Filesize
712B

MD5
cfd50921f26719c979fa6be287db5374

SHA1
bd0c38f35d917a2b34e75769d9daf5d2515ad486

SHA256
6592775e42677d3188839bc54480b2335b08ec9a40459f0d0ff3fc97b09fc671

SHA512
ae096e5d49b20bfa83fd93f9215d1442a87920eb45660bc5beccf9719bb237410d495bef778c8b4fd5e3f4ef8844626efa8bd03a74c39a25b5a6e81450d7de33

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdc03582-1606-4a29-96ac-5218c433d858.vbs

Filesize
712B

MD5
6788853e5d3d6932717ddaf09456438c

SHA1
fb37fb4772a2812f052ecc3db33d79baa6061d39

SHA256
631c103adfda90ad27a5a4c74de07bd64cacb509e00d7ebffba456feae974912

SHA512
7df2aade5cdd6275495645d5f3036648ded75cfbd66ada14718e85c9883bd0ef0558393be1f9c73aecc6e24abd2760684bdbb88db0d996765689200673717f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cb9cd-4046-47c9-8f81-9e18627a1c5c.vbs

Filesize
488B

MD5
539c3972b23f799e42fc7e52836231cf

SHA1
fb26c7c394e2f2385765fbb8cd98c1a09f06040c

SHA256
1a51e7892edf9c8e3f00dbab13b09af87b061cb72c0dfa39793a8187caa98c2f

SHA512
a6bd477e2cb042ca13ca7ec8cf958b8a10cb4ea4bcf6beb8bbdb1ca8062efa670dfc58c89b0416b1b40ebce427d50081d3c5c8d8f133036cbddca2084c3f7655

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8e9ffbc-318c-4a3d-a765-0d7f5906c7fb.vbs

Filesize
711B

MD5
12c7e9d359749888691f235181c6a770

SHA1
e962d8cddb6abf8896bbef08579c7b9aac9b1388

SHA256
9c05e010da4c025a1f0a1748a0ee0ceb42d5855a520e31dfc7db7b72389d6e38

SHA512
752a21a36cf901bb2975c375a965f5428dbedfa41a8d9c99c3962dd7356c6c4a94556136df4da127f68b95f962333fc4c8577ab941467c0495c5b402c14917d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaeb3ac2-6012-4c45-8890-a8e0ce72add1.vbs

Filesize
712B

MD5
2aa362e3afc0d89eef40281bf5271347

SHA1
0f0b45d80b2981060d3beaa6bf5d8d509ca2c272

SHA256
3e839c43bca89f4c5ec03b6e617fc4b998fa1d6c662224ee663280817d3b5a43

SHA512
36aef9116f296ae54ea6262b38b00f751149e6bac48e01b00d5363b0984be666426d38a85f6d6e2130705d2002e2e702da146fc654613c8c0f0ed4ec5300eca1

Download Submit
memory/3044-17-0x000000001C150000-0x000000001C15C000-memory.dmp

Filesize
48KB

Download
memory/3044-0-0x00007FFFBFE33000-0x00007FFFBFE35000-memory.dmp

Filesize
8KB

Download
memory/3044-1-0x0000000000AB0000-0x0000000000C52000-memory.dmp

Filesize
1.6MB

Download
memory/3044-11-0x000000001C0F0000-0x000000001C0FC000-memory.dmp

Filesize
48KB

Download
memory/3044-12-0x000000001C100000-0x000000001C10A000-memory.dmp

Filesize
40KB

Download
memory/3044-13-0x000000001C110000-0x000000001C11E000-memory.dmp

Filesize
56KB

Download
memory/3044-14-0x000000001C120000-0x000000001C128000-memory.dmp

Filesize
32KB

Download
memory/3044-15-0x000000001C130000-0x000000001C138000-memory.dmp

Filesize
32KB

Download
memory/3044-16-0x000000001C140000-0x000000001C14A000-memory.dmp

Filesize
40KB

Download
memory/3044-107-0x00007FFFBFE30000-0x00007FFFC08F1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-6-0x000000001BEA0000-0x000000001BEB6000-memory.dmp

Filesize
88KB

Download
memory/3044-10-0x000000001BEE0000-0x000000001BEEC000-memory.dmp

Filesize
48KB

Download
memory/3044-9-0x000000001BEC0000-0x000000001BEC8000-memory.dmp

Filesize
32KB

Download
memory/3044-7-0x0000000002E60000-0x0000000002E68000-memory.dmp

Filesize
32KB

Download
memory/3044-8-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/3044-5-0x0000000002D20000-0x0000000002D30000-memory.dmp

Filesize
64KB

Download
memory/3044-4-0x000000001BEF0000-0x000000001BF40000-memory.dmp

Filesize
320KB

Download
memory/3044-3-0x0000000002E40000-0x0000000002E5C000-memory.dmp

Filesize
112KB

Download
memory/3044-2-0x00007FFFBFE30000-0x00007FFFC08F1000-memory.dmp

Filesize
10.8MB

Download
memory/4660-69-0x00000249B2850000-0x00000249B2872000-memory.dmp

Filesize
136KB

Download