dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c8fa2e136e29f51a3670f440b9f0a0.exe
Size

2.5MB
MD5

86c8fa2e136e29f51a3670f440b9f0a0
SHA1

103d45983c01fc861cb7390afe5db10ff2892fc0
SHA256

da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb
SHA512

7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb
SSDEEP

49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4612	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4612	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4612	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6092	4612	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4612	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4612	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4612	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4612	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4612	schtasks.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe
5876	powershell.exe
4376	powershell.exe
5500	powershell.exe
900	powershell.exe
6076	powershell.exe
5644	powershell.exe
1632	powershell.exe
3436	powershell.exe
3920	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	86c8fa2e136e29f51a3670f440b9f0a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 16 IoCs

pid	Process
5776	spoolsv.exe
2720	spoolsv.exe
2884	spoolsv.exe
5388	spoolsv.exe
3996	spoolsv.exe
2912	spoolsv.exe
5836	spoolsv.exe
1936	spoolsv.exe
1128	spoolsv.exe
3132	spoolsv.exe
3984	spoolsv.exe
1048	spoolsv.exe
3968	spoolsv.exe
4548	spoolsv.exe
1936	spoolsv.exe
4380	spoolsv.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\DtcInstall\\explorer.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\Windows.Networking.Connectivity\\spoolsv.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\ProgramData\\Microsoft\\Vault\\smss.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ProgramData\\SoftwareDistribution\\spoolsv.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\upfc.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Templates\\csrss.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\mftranscode\\dllhost.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\34c553de294c1d56d0a800105b\\Registry.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\Windows.Networking.Connectivity\f3b6ecef712a24	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\mftranscode\dllhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\Windows.Networking.Connectivity\RCXEBB3.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mftranscode\RCXEFCD.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mftranscode\RCXEFCE.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mftranscode\dllhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\mftranscode\5940a34987c991	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\Windows.Networking.Connectivity\RCXEB35.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\upfc.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\ea1d8f6d871115	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCXF530.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCXF531.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\upfc.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall\RCXE921.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\DtcInstall\explorer.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\DtcInstall\explorer.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\DtcInstall\7a0fd90576e088	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\DtcInstall\RCXE910.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	86c8fa2e136e29f51a3670f440b9f0a0.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4656	schtasks.exe
4816	schtasks.exe
4832	schtasks.exe
4780	schtasks.exe
4564	schtasks.exe
6092	schtasks.exe
4712	schtasks.exe
4720	schtasks.exe
4600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
5500	powershell.exe
5500	powershell.exe
900	powershell.exe
900	powershell.exe
6076	powershell.exe
6076	powershell.exe
5876	powershell.exe
5876	powershell.exe
2276	powershell.exe
2276	powershell.exe
3920	powershell.exe
3920	powershell.exe
4376	powershell.exe
4376	powershell.exe
3436	powershell.exe
3436	powershell.exe
4376	powershell.exe
5644	powershell.exe
5644	powershell.exe
1632	powershell.exe
1632	powershell.exe
3436	powershell.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
5500	powershell.exe
900	powershell.exe
6076	powershell.exe
5876	powershell.exe
6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
3920	powershell.exe
2276	powershell.exe
5644	powershell.exe
1632	powershell.exe
5776	spoolsv.exe
5776	spoolsv.exe
5776	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	6076	powershell.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	5776	spoolsv.exe
Token: SeDebugPrivilege	2720	spoolsv.exe
Token: SeDebugPrivilege	2884	spoolsv.exe
Token: SeDebugPrivilege	5388	spoolsv.exe
Token: SeDebugPrivilege	3996	spoolsv.exe
Token: SeDebugPrivilege	2912	spoolsv.exe
Token: SeDebugPrivilege	5836	spoolsv.exe
Token: SeDebugPrivilege	1936	spoolsv.exe
Token: SeDebugPrivilege	1128	spoolsv.exe
Token: SeDebugPrivilege	3132	spoolsv.exe
Token: SeDebugPrivilege	3984	spoolsv.exe
Token: SeDebugPrivilege	1048	spoolsv.exe
Token: SeDebugPrivilege	3968	spoolsv.exe
Token: SeDebugPrivilege	4548	spoolsv.exe
Token: SeDebugPrivilege	1936	spoolsv.exe
Token: SeDebugPrivilege	4380	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6064 wrote to memory of 3920	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	103
PID 6064 wrote to memory of 3920	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	103
PID 6064 wrote to memory of 3436	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	104
PID 6064 wrote to memory of 3436	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	104
PID 6064 wrote to memory of 6076	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	105
PID 6064 wrote to memory of 6076	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	105
PID 6064 wrote to memory of 1632	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	106
PID 6064 wrote to memory of 1632	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	106
PID 6064 wrote to memory of 900	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	108
PID 6064 wrote to memory of 900	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	108
PID 6064 wrote to memory of 5500	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	109
PID 6064 wrote to memory of 5500	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	109
PID 6064 wrote to memory of 4376	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	110
PID 6064 wrote to memory of 4376	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	110
PID 6064 wrote to memory of 5876	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	111
PID 6064 wrote to memory of 5876	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	111
PID 6064 wrote to memory of 2276	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	113
PID 6064 wrote to memory of 2276	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	113
PID 6064 wrote to memory of 5644	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	114
PID 6064 wrote to memory of 5644	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	114
PID 6064 wrote to memory of 5776	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	123
PID 6064 wrote to memory of 5776	6064	86c8fa2e136e29f51a3670f440b9f0a0.exe	123
PID 5776 wrote to memory of 5720	5776	spoolsv.exe	124
PID 5776 wrote to memory of 5720	5776	spoolsv.exe	124
PID 5776 wrote to memory of 3104	5776	spoolsv.exe	125
PID 5776 wrote to memory of 3104	5776	spoolsv.exe	125
PID 5720 wrote to memory of 2720	5720	WScript.exe	131
PID 5720 wrote to memory of 2720	5720	WScript.exe	131
PID 2720 wrote to memory of 5696	2720	spoolsv.exe	132
PID 2720 wrote to memory of 5696	2720	spoolsv.exe	132
PID 2720 wrote to memory of 3256	2720	spoolsv.exe	133
PID 2720 wrote to memory of 3256	2720	spoolsv.exe	133
PID 5696 wrote to memory of 2884	5696	WScript.exe	135
PID 5696 wrote to memory of 2884	5696	WScript.exe	135
PID 2884 wrote to memory of 2412	2884	spoolsv.exe	136
PID 2884 wrote to memory of 2412	2884	spoolsv.exe	136
PID 2884 wrote to memory of 1440	2884	spoolsv.exe	137
PID 2884 wrote to memory of 1440	2884	spoolsv.exe	137
PID 2412 wrote to memory of 5388	2412	WScript.exe	146
PID 2412 wrote to memory of 5388	2412	WScript.exe	146
PID 5388 wrote to memory of 5692	5388	spoolsv.exe	147
PID 5388 wrote to memory of 5692	5388	spoolsv.exe	147
PID 5388 wrote to memory of 4804	5388	spoolsv.exe	148
PID 5388 wrote to memory of 4804	5388	spoolsv.exe	148
PID 5692 wrote to memory of 3996	5692	WScript.exe	153
PID 5692 wrote to memory of 3996	5692	WScript.exe	153
PID 3996 wrote to memory of 5440	3996	spoolsv.exe	154
PID 3996 wrote to memory of 5440	3996	spoolsv.exe	154
PID 3996 wrote to memory of 1652	3996	spoolsv.exe	155
PID 3996 wrote to memory of 1652	3996	spoolsv.exe	155
PID 5440 wrote to memory of 2912	5440	WScript.exe	157
PID 5440 wrote to memory of 2912	5440	WScript.exe	157
PID 2912 wrote to memory of 1976	2912	spoolsv.exe	158
PID 2912 wrote to memory of 1976	2912	spoolsv.exe	158
PID 2912 wrote to memory of 2972	2912	spoolsv.exe	159
PID 2912 wrote to memory of 2972	2912	spoolsv.exe	159
PID 1976 wrote to memory of 5836	1976	WScript.exe	161
PID 1976 wrote to memory of 5836	1976	WScript.exe	161
PID 5836 wrote to memory of 4168	5836	spoolsv.exe	162
PID 5836 wrote to memory of 4168	5836	spoolsv.exe	162
PID 5836 wrote to memory of 3008	5836	spoolsv.exe	163
PID 5836 wrote to memory of 3008	5836	spoolsv.exe	163
PID 4168 wrote to memory of 1936	4168	WScript.exe	165
PID 4168 wrote to memory of 1936	4168	WScript.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe
"C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DtcInstall\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Vault\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mftranscode\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\SoftwareDistribution\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5644
- C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
  "C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5776
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0048b7a3-16db-47df-bd5b-87e182607c19.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5720
  - - C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
      C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99cf60aa-c2c6-441a-beef-cb2f84bb6a2f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5696
      - C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\434fdcb0-a593-4e54-85cb-f36df39a458c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\597aedfc-7fd0-4b77-ba00-4d1400026b33.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5692
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955e9e4f-9d5d-4450-a928-3ba5ce76275c.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5440
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd41c695-310b-479a-8927-db5d79e2c768.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcaf80a1-acb4-4daa-96de-2036533619d7.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42f86e1f-fc13-4f80-9c2b-eae53d0f3a20.vbs"
        17⤵
        
        PID:4196
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\056600b3-ae6c-48bd-ba08-0ab229305309.vbs"
        19⤵
        
        PID:2668
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc4800b9-5633-48af-8592-32b9bd58fdcd.vbs"
        21⤵
        
        PID:2152
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af975291-7574-4dae-b821-469eda2cf51e.vbs"
        23⤵
        
        PID:6044
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\545f047d-07c7-4e7c-8d9a-23f5d4c21437.vbs"
        25⤵
        
        PID:1428
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2224fe0-92f8-410f-8dd3-f793b9d6b81b.vbs"
        27⤵
        
        PID:2392
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acf39230-753f-40fd-9fee-447236b26f14.vbs"
        29⤵
        
        PID:3972
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d4b3736-4978-4ec6-b9b6-367b65baecb4.vbs"
        31⤵
        
        PID:4784
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        
        C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e88ca48f-cb27-485d-be8c-ecda6d494f59.vbs"
        33⤵
        
        PID:4652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aa1256e-8645-4b2a-a5c5-81ab462b20f0.vbs"
        33⤵
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb8f9f7a-cae5-4ec6-8fcb-297e2a0c8550.vbs"
        31⤵
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94e9d9f6-07cb-4fd7-add5-b149a8e3bbcb.vbs"
        29⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\795deab2-a177-4793-b402-b4cc32adc9d3.vbs"
        27⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca0c0205-efad-49a8-aa81-b1bcfb7c768e.vbs"
        25⤵
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8809d08-685d-4cd4-86cf-0d16e169e03d.vbs"
        23⤵
        
        PID:3716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e11ba1-1867-44df-9e69-d3e25b11e957.vbs"
        21⤵
        
        PID:3396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1cb0dbf-4285-4f75-9bdc-b947c4fc9b43.vbs"
        19⤵
        
        PID:5788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72c78188-9fa0-4276-bbd7-c50ed1e02d5a.vbs"
        17⤵
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\439a7e43-3e0f-4021-bc9f-0a0ca24e9fe1.vbs"
        15⤵
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af5c97ed-abf7-4cd9-bf58-cd422c458032.vbs"
        13⤵
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0783fe17-2d92-4f4b-a614-393d9f05b7c7.vbs"
        11⤵
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da16e3d5-d11f-481b-b908-67c753458820.vbs"
        9⤵
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cff4b707-26d2-4c07-9ff4-3b9902f8ab04.vbs"
        7⤵
        
        PID:1440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98a8d423-9360-479f-9a8b-66ac53cf7dc2.vbs"
        5⤵
        
        PID:3256
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42c930eb-a1de-4a29-8e4d-b24374af28c8.vbs"
    3⤵
    PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DtcInstall\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\ProgramData\Microsoft\Vault\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\mftranscode\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
9699cf9bb24ebbc9b1035710e92b7bd2

SHA1
73f0f26db57ea306970a76f42c647bbce02a3f23

SHA256
fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5

SHA512
3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e10ceaefa38a8a0c7cf27b2938747eae

SHA1
18dd07de4b7d6f6d0fb7e1feebd78f0a93f6c89e

SHA256
d2f2ece67e3314a38df3789214221bbdd06f9f577470b543f6d094b621fba43b

SHA512
84c811e7d313674fff4c24945d275f2aa88380955679bd3a60c7dbde83a370143f3b1b8a677a8b543a571c9069a9262a3f414ff5aff74a283adb81e6321138ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b8c2d72f155bf26dd2ac91a9c57f0aef

SHA1
19a5ebf872b8c332bbd596dac8b7a36c80a19b54

SHA256
069d7d614ebb7c3dff8dd6d7215be9da1524637352c09171e36441967a0ca9d5

SHA512
8b246bedacc4063e39ac28678be372a52d1b07e2ed0db5ee1e4cf8e9d481836fa6d3e3138d1caa8e6ef692cea1ad42592e24bbef426746ad0227fdeff149caf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
672e8b21617ca3b368c6c154913fcfff

SHA1
cb3dab8c008b5fba2af958ce2c416c01baa6a98b

SHA256
b6ce484f4dcfab37c7fac91278a1d66c8b122865f12511634b8c5eac3fc081ec

SHA512
98b45d5545237042c9d4e99e6aa2d514bb643c80cccd1f79ca8e6412a7949fc235f2f6a5fc12a7f772e1af2343ab2e2fb863d161f1d0da3326e636c52513c7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16e669660431a76b6985bae6a3e0ca0f

SHA1
55aead2478e085cc4fa52035dc6d3e9ceb856485

SHA256
df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2

SHA512
ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
990f2ad22e4ee8bb16d0e84568ff1c04

SHA1
8ee103c2c4969dd252d3f136479e718361e2ace2

SHA256
9e058905555242348650ecae8008fd39cf63bac0f3160637aab912fd54fd2578

SHA512
ab70a31915f4241c23a020a0e1c8ad5b2468c06911ceb4418b5377619953780f14070a2674858b1a7d999b356448ffdb51db6393e56f20defb291866383f5802

Download Submit
C:\Users\Admin\AppData\Local\Temp\0048b7a3-16db-47df-bd5b-87e182607c19.vbs

Filesize
739B

MD5
292ce48048d1893a0e160171ab6a851a

SHA1
3a8ceb742fb0d3d299c53830817b1f269f071a94

SHA256
340fd84742b83813dc9c9531549a37c4759f859301254d6fb9eb966bc3fe15b0

SHA512
5ae675ac9936cfc8ff587849f2edf3a169d6b357baeb1718341abb8acc862e0bcb306b855cff2b7d2a1cf1158368577627fa99773d8f5946ae172dbf131441c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\056600b3-ae6c-48bd-ba08-0ab229305309.vbs

Filesize
739B

MD5
ebdf32dbf06007baab58fd8a87127122

SHA1
daade937dbdf12a6c8f962724b382421f4bbe422

SHA256
9c3920da8653ad220f02ea51997f24a9e9f72b2c7ace811ab052a32085a48dac

SHA512
0ed247c176a5e6ec134cbce8352a084558cccfd6e7a203b16a47498118ccbc1daaa0c8d5574a9613c503235fa6deb451138a94a3fd830e51342a6589b0dac392

Download Submit
C:\Users\Admin\AppData\Local\Temp\42c930eb-a1de-4a29-8e4d-b24374af28c8.vbs

Filesize
515B

MD5
614c70b68b45b2ec0848057a44fd6e37

SHA1
a61566732ec54908e433cf96cf2e553c7ee99740

SHA256
7e2ca0f84674dea5eb7f59ee3572eab7279036e44979cdec216d9b106f3e2cfa

SHA512
92aa80ef955fb696b1e806b9fab197db213a7248e082c78357aea170db48626b543a64209aaafb553bd924c7e51115442d82110c1ebf0f92f0f17fc249a5bb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\42f86e1f-fc13-4f80-9c2b-eae53d0f3a20.vbs

Filesize
739B

MD5
f717a00684db08b72b9fb021ab7f8dcb

SHA1
3e315caa80e9509971e14fc9170eafffa473d40f

SHA256
594e053ade2e5cd10dfc26bcf1bfd3be4b81d901abe8b0265faeae10626fd53b

SHA512
2541ccd30df4c4a2a9cc1c3b55829d8a37a93a699cf68344613f7db8dd5c6555d7feeedad2394bcef2b87053ebf0bee0afee68b803968ea46b688c7b83130770

Download Submit
C:\Users\Admin\AppData\Local\Temp\434fdcb0-a593-4e54-85cb-f36df39a458c.vbs

Filesize
739B

MD5
89a24c36c223e160b78545f157df4e96

SHA1
f7cf34f763b5ac768a059fafcbfd3ad3e5152024

SHA256
8d135ddc1ad6b5d09401aa9756807f0a27df0fa66e784e66d25b3ad5c9f48c36

SHA512
c8e555822c243095b5fe321c0ffd1da1cefa7d8f86259942ef987d16d354a166ff41d03d6c076a5b9c59660e182ee6422980e9484b604fdd58e0160f885f0b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\545f047d-07c7-4e7c-8d9a-23f5d4c21437.vbs

Filesize
739B

MD5
09d307f0a52169cfa364299c35693f4d

SHA1
98a9ca9757258a12aea46279a1185239c539e74a

SHA256
692f74b9dc98992e61c2e6584119714fa294863fc93e769b28ea3ae13b33fa5b

SHA512
9fd4cb2070e4ff5ecc054999e32ff89557dcdbbc6347f989fffc976949e88c975fb107668d749a8fd95335aef408cdb9cc59bae575dae0dc57d45b2ccfc141ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\597aedfc-7fd0-4b77-ba00-4d1400026b33.vbs

Filesize
739B

MD5
c4915534df5f58083b4cecf9d0f22a2b

SHA1
f00da369d62d5c044194eb2ea4323756375a1579

SHA256
33ce215eda0b30830a722ce965bd7731ffcdd8a1116b3428e9f071ebbe4028b2

SHA512
2f0b9c536fb944ab69ae13f528a902d2080cdb87e7e8fc5a1a24f37dbbc83416bfeb42fffdf0838a89ad4772eee5871da083c1b72af045ebc39165ca49e70733

Download Submit
C:\Users\Admin\AppData\Local\Temp\955e9e4f-9d5d-4450-a928-3ba5ce76275c.vbs

Filesize
739B

MD5
6d302832195d65c9b2fa96499f832d4e

SHA1
60eb0948eeb28bd6ffd4b3ecad42fbbbd4364f85

SHA256
80ab3c4644103b9cdc0aca2001cfed24a592a0c67d9834eb14621ba39e3756f0

SHA512
5503e50a5ce01f7ea8ba5456d4010504925a962927fc0aee0fcc1c4fb44deb9c6f768253691bbac531ece1908c4d67b3329bdaf6353042a0d1ebb9b694d64d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\99cf60aa-c2c6-441a-beef-cb2f84bb6a2f.vbs

Filesize
739B

MD5
3d737a0ec07711ad1bdc036f963063cd

SHA1
b609238885d1bcf28fec337a4b01fbe36fc0d88f

SHA256
212cedc78e319840e8c2ed3e6228f113a5eec6f31215d469bfa7951751e6cb87

SHA512
4ad7d3734096c2152bdbe6918f3cc21383a9120723c841e3b806924345a99077b2231cbf9f96026e5d425b68f35b26bbc2c15412a2235f280891adf569136d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nz0yfhe2.2fw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\af975291-7574-4dae-b821-469eda2cf51e.vbs

Filesize
739B

MD5
bfc5ecf2f14bd8b761b33e9875396d36

SHA1
107dcb766eb456e8fa060acb49d0ad778d814e4b

SHA256
42556c2c562af94adede8ac656131349ee377eda0f369975c7f8044ae8f4b42a

SHA512
4ea58b4a491daaf85d55c60499b9ea74a468d20f2ab0a4ab930b8aa01d82254a1833b1b1a312f0e4bfe7b62a7a3508b6bbacc060caae7e10b791be5876e172a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd41c695-310b-479a-8927-db5d79e2c768.vbs

Filesize
739B

MD5
a084f0042c0ad9ba96770757bf32bfff

SHA1
20c36be5c76485786b1dce3d38c1371bc5c82c78

SHA256
acf0f06b8ee0b94871f36cfdddbbd01610f5d0ecf65d48c4d854740c4a967968

SHA512
1c23f5c5defdfa5ac25e018fc7963c24b8bd1663ee2c6b64fb2418ea5fb83b73ba4f9f8ef78fffe2c2f933557323f49bade99f801823dd3580850a09de83b02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2224fe0-92f8-410f-8dd3-f793b9d6b81b.vbs

Filesize
739B

MD5
59c8504530a8c9944f3d409656a1b8d7

SHA1
21d4da03dbb0f723dc999445b0eaac3e7390e6fc

SHA256
0dd4fdd6377a794cd0af5bb84f5ee27e794a87db7f07a2ae44b7d34afbac4a2b

SHA512
1ea14ae7861ee6f7495668fc9d0a9f1b4138dcdcc65ee1955e9af14725dba19a4663bf99894ac076effe25f1aa98c28806d142ec0d325e5c72f68f76653bf1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc4800b9-5633-48af-8592-32b9bd58fdcd.vbs

Filesize
739B

MD5
847453f4426976294a60b58ffe09bd28

SHA1
23e7fea8c05737b65b6671edf16f6183b5cedeae

SHA256
5a9916ef15f64f647354f66ff5277382f19dfa1d26508b8d5b5f185ebd2229ab

SHA512
9dc0173d9118f92dd0053ad8f741159da860561a1d5959e21b2ab9a686482cff225c17a987fcd8b0575505a5e9a20a8ea84742c7f4c602720c4e9dc4dd8542c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcaf80a1-acb4-4daa-96de-2036533619d7.vbs

Filesize
739B

MD5
c0136975e32214f5983a3fc45e15cf4f

SHA1
aeaa112fba44b406951bf3635c18d54911fa240c

SHA256
67cc059ecf115e492ff018be225e1026adcdc9050c9c50541104a001cdc2cba5

SHA512
cf5b20e0cce17fcb303285b6bb1e7020e6c7fc6c49f9a61364c538df5774847d6ed405632c1716447e541f0f91e5fb35313d0885967fe36753cbe543fdf9f15f

Download Submit
C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe

Filesize
2.5MB

MD5
86c8fa2e136e29f51a3670f440b9f0a0

SHA1
103d45983c01fc861cb7390afe5db10ff2892fc0

SHA256
da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb

SHA512
7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb

Download Submit
C:\Windows\System32\Windows.Networking.Connectivity\spoolsv.exe

Filesize
2.5MB

MD5
017a33a2607e2d627ba42b97563bbf94

SHA1
14bb948c4343f65b98b0bdb96f42728df134a498

SHA256
bf6ed8f47ceaf22a21b4c5d81a388a87eb0430c2f7359a8a46c9f0cdf6c6c3bb

SHA512
1001d119452bf496c65afe352959f3fcdae73b4f6c35e4050fff78c91ae15a15c609f82af976e69033ea93a908ba87d7209a8ccf5a450a155c8d00a761cc87ef

Download Submit
memory/900-210-0x00000234CAD70000-0x00000234CAD92000-memory.dmp

Filesize
136KB

Download
memory/1128-426-0x000000001CA70000-0x000000001CB72000-memory.dmp

Filesize
1.0MB

Download
memory/1936-404-0x000000001B350000-0x000000001B362000-memory.dmp

Filesize
72KB

Download
memory/2720-334-0x000000001AFE0000-0x000000001B036000-memory.dmp

Filesize
344KB

Download
memory/2884-346-0x000000001BC50000-0x000000001BC62000-memory.dmp

Filesize
72KB

Download
memory/3132-428-0x000000001B930000-0x000000001B942000-memory.dmp

Filesize
72KB

Download
memory/3132-439-0x000000001CF80000-0x000000001D082000-memory.dmp

Filesize
1.0MB

Download
memory/3984-451-0x000000001C640000-0x000000001C742000-memory.dmp

Filesize
1.0MB

Download
memory/3996-370-0x0000000003330000-0x0000000003342000-memory.dmp

Filesize
72KB

Download
memory/4380-489-0x000000001B390000-0x000000001B3E6000-memory.dmp

Filesize
344KB

Download
memory/5388-358-0x000000001BB00000-0x000000001BB56000-memory.dmp

Filesize
344KB

Download
memory/5776-299-0x0000000000F40000-0x00000000011C6000-memory.dmp

Filesize
2.5MB

Download
memory/5776-321-0x000000001BC70000-0x000000001BCC6000-memory.dmp

Filesize
344KB

Download
memory/6064-14-0x000000001B9D0000-0x000000001B9DC000-memory.dmp

Filesize
48KB

Download
memory/6064-3-0x00000000013D0000-0x00000000013DC000-memory.dmp

Filesize
48KB

Download
memory/6064-8-0x000000001B910000-0x000000001B966000-memory.dmp

Filesize
344KB

Download
memory/6064-5-0x000000001B960000-0x000000001B9B0000-memory.dmp

Filesize
320KB

Download
memory/6064-6-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download
memory/6064-0-0x00007FF8DB693000-0x00007FF8DB695000-memory.dmp

Filesize
8KB

Download
memory/6064-9-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

Filesize
32KB

Download
memory/6064-10-0x0000000002E00000-0x0000000002E12000-memory.dmp

Filesize
72KB

Download
memory/6064-4-0x0000000002DD0000-0x0000000002DEC000-memory.dmp

Filesize
112KB

Download
memory/6064-7-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/6064-13-0x000000001B9C0000-0x000000001B9CA000-memory.dmp

Filesize
40KB

Download
memory/6064-12-0x000000001B9B0000-0x000000001B9BA000-memory.dmp

Filesize
40KB

Download
memory/6064-11-0x000000001CA00000-0x000000001CF28000-memory.dmp

Filesize
5.2MB

Download
memory/6064-16-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

Filesize
48KB

Download
memory/6064-15-0x000000001C2A0000-0x000000001C2AA000-memory.dmp

Filesize
40KB

Download
memory/6064-2-0x00007FF8DB690000-0x00007FF8DC151000-memory.dmp

Filesize
10.8MB

Download
memory/6064-17-0x000000001C240000-0x000000001C248000-memory.dmp

Filesize
32KB

Download
memory/6064-1-0x0000000000980000-0x0000000000C06000-memory.dmp

Filesize
2.5MB

Download
memory/6064-301-0x00007FF8DB690000-0x00007FF8DC151000-memory.dmp

Filesize
10.8MB

Download
memory/6064-18-0x000000001C250000-0x000000001C25A000-memory.dmp

Filesize
40KB

Download