dcrat | 7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
Size

1.7MB
MD5

688dfbd7ae580d677742065afa2f2991
SHA1

9742697e260249d2380b8199856b030057670cd1
SHA256

7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750
SHA512

afc474710e071db0caf4d3fd89beddb2a5d6bbfa9e6b93fcd059a33191e66db9bb0b4f4fe0ac4baf5451936c0269a5b8b05355f2076f300bdf852b8a3fb32144
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	4344	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4344	schtasks.exe	84

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3712-1-0x0000000000C00000-0x0000000000DC0000-memory.dmp	dcrat
behavioral2/files/0x000b000000023b9f-30.dat	dcrat
behavioral2/files/0x000a000000023c4f-61.dat	dcrat
behavioral2/files/0x000b000000023b98-83.dat	dcrat
behavioral2/files/0x0009000000023bc8-138.dat	dcrat
behavioral2/files/0x000200000001e75a-161.dat	dcrat
behavioral2/files/0x0009000000023c1d-184.dat	dcrat
behavioral2/memory/2848-323-0x00000000003D0000-0x0000000000590000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
880	powershell.exe
4316	powershell.exe
1376	powershell.exe
4280	powershell.exe
4532	powershell.exe
4492	powershell.exe
2908	powershell.exe
4608	powershell.exe
3084	powershell.exe
2004	powershell.exe
4304	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 10 IoCs

pid	Process
2848	dwm.exe
5060	dwm.exe
4672	dwm.exe
2964	dwm.exe
3568	dwm.exe
4548	dwm.exe
3976	dwm.exe
736	dwm.exe
2796	dwm.exe
2188	dwm.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicyUsers\dllhost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\System32\GroupPolicyUsers\dllhost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\System32\GroupPolicyUsers\5940a34987c991	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\System32\GroupPolicyUsers\RCXD2D7.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\System32\GroupPolicyUsers\RCXD2D8.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RCXCDD2.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RCXD0D2.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\Idle.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\Idle.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\RCXD054.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\dotnet\RuntimeBroker.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\ModifiableWindowsApps\dllhost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\5940a34987c991	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\dotnet\9e8d7a4ca61bd9	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXC425.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXC426.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RCXCDD3.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\886983d96e3d3e	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\6ccacd8608530f	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Program Files\dotnet\RuntimeBroker.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\dotnet\RCXD569.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Program Files\dotnet\RCXD5D8.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Help\en-US\dwm.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\Help\en-US\6cb0b6c459d5d3	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\AppReadiness\66fc9ff0ee96c2	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\Help\en-US\RCXCAD2.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\AppReadiness\RCXD7ED.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\schemas\TSWorkSpace\taskhostw.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File created	C:\Windows\AppReadiness\sihost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\Help\en-US\RCXCB50.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\Help\en-US\dwm.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\AppReadiness\RCXD7EC.tmp	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
File opened for modification	C:\Windows\AppReadiness\sihost.exe	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1840	schtasks.exe
4936	schtasks.exe
3328	schtasks.exe
760	schtasks.exe
3384	schtasks.exe
4924	schtasks.exe
3124	schtasks.exe
1688	schtasks.exe
1400	schtasks.exe
3100	schtasks.exe
2420	schtasks.exe
4716	schtasks.exe
344	schtasks.exe
4688	schtasks.exe
2656	schtasks.exe
500	schtasks.exe
2356	schtasks.exe
1816	schtasks.exe
1348	schtasks.exe
3240	schtasks.exe
1216	schtasks.exe
3092	schtasks.exe
4072	schtasks.exe
2964	schtasks.exe
3860	schtasks.exe
376	schtasks.exe
3564	schtasks.exe
3044	schtasks.exe
4960	schtasks.exe
4600	schtasks.exe
940	schtasks.exe
2916	schtasks.exe
2224	schtasks.exe
4396	schtasks.exe
2132	schtasks.exe
4840	schtasks.exe
792	schtasks.exe
3960	schtasks.exe
4384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	2848	dwm.exe
Token: SeDebugPrivilege	5060	dwm.exe
Token: SeDebugPrivilege	4672	dwm.exe
Token: SeDebugPrivilege	2964	dwm.exe
Token: SeDebugPrivilege	3568	dwm.exe
Token: SeDebugPrivilege	4548	dwm.exe
Token: SeDebugPrivilege	3976	dwm.exe
Token: SeDebugPrivilege	736	dwm.exe
Token: SeDebugPrivilege	2796	dwm.exe
Token: SeDebugPrivilege	2188	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 3084	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	126
PID 3712 wrote to memory of 3084	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	126
PID 3712 wrote to memory of 880	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	127
PID 3712 wrote to memory of 880	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	127
PID 3712 wrote to memory of 2004	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	128
PID 3712 wrote to memory of 2004	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	128
PID 3712 wrote to memory of 4316	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	129
PID 3712 wrote to memory of 4316	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	129
PID 3712 wrote to memory of 4304	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	130
PID 3712 wrote to memory of 4304	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	130
PID 3712 wrote to memory of 1376	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	131
PID 3712 wrote to memory of 1376	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	131
PID 3712 wrote to memory of 4280	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	132
PID 3712 wrote to memory of 4280	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	132
PID 3712 wrote to memory of 4532	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	133
PID 3712 wrote to memory of 4532	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	133
PID 3712 wrote to memory of 4492	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	134
PID 3712 wrote to memory of 4492	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	134
PID 3712 wrote to memory of 2908	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	135
PID 3712 wrote to memory of 2908	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	135
PID 3712 wrote to memory of 4608	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	136
PID 3712 wrote to memory of 4608	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	136
PID 3712 wrote to memory of 4424	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	147
PID 3712 wrote to memory of 4424	3712	7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe	147
PID 4424 wrote to memory of 1776	4424	cmd.exe	150
PID 4424 wrote to memory of 1776	4424	cmd.exe	150
PID 4424 wrote to memory of 2848	4424	cmd.exe	153
PID 4424 wrote to memory of 2848	4424	cmd.exe	153
PID 2848 wrote to memory of 4364	2848	dwm.exe	154
PID 2848 wrote to memory of 4364	2848	dwm.exe	154
PID 2848 wrote to memory of 4516	2848	dwm.exe	155
PID 2848 wrote to memory of 4516	2848	dwm.exe	155
PID 4364 wrote to memory of 5060	4364	WScript.exe	158
PID 4364 wrote to memory of 5060	4364	WScript.exe	158
PID 5060 wrote to memory of 4144	5060	dwm.exe	160
PID 5060 wrote to memory of 4144	5060	dwm.exe	160
PID 5060 wrote to memory of 1920	5060	dwm.exe	161
PID 5060 wrote to memory of 1920	5060	dwm.exe	161
PID 4144 wrote to memory of 4672	4144	WScript.exe	163
PID 4144 wrote to memory of 4672	4144	WScript.exe	163
PID 4672 wrote to memory of 2344	4672	dwm.exe	164
PID 4672 wrote to memory of 2344	4672	dwm.exe	164
PID 4672 wrote to memory of 3628	4672	dwm.exe	165
PID 4672 wrote to memory of 3628	4672	dwm.exe	165
PID 2344 wrote to memory of 2964	2344	WScript.exe	166
PID 2344 wrote to memory of 2964	2344	WScript.exe	166
PID 2964 wrote to memory of 1848	2964	dwm.exe	167
PID 2964 wrote to memory of 1848	2964	dwm.exe	167
PID 2964 wrote to memory of 4396	2964	dwm.exe	168
PID 2964 wrote to memory of 4396	2964	dwm.exe	168
PID 1848 wrote to memory of 3568	1848	WScript.exe	169
PID 1848 wrote to memory of 3568	1848	WScript.exe	169
PID 3568 wrote to memory of 4276	3568	dwm.exe	170
PID 3568 wrote to memory of 4276	3568	dwm.exe	170
PID 3568 wrote to memory of 5056	3568	dwm.exe	171
PID 3568 wrote to memory of 5056	3568	dwm.exe	171
PID 4276 wrote to memory of 4548	4276	WScript.exe	172
PID 4276 wrote to memory of 4548	4276	WScript.exe	172
PID 4548 wrote to memory of 4772	4548	dwm.exe	173
PID 4548 wrote to memory of 4772	4548	dwm.exe	173
PID 4548 wrote to memory of 3852	4548	dwm.exe	174
PID 4548 wrote to memory of 3852	4548	dwm.exe	174
PID 4772 wrote to memory of 3976	4772	WScript.exe	175
PID 4772 wrote to memory of 3976	4772	WScript.exe	175

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe
"C:\Users\Admin\AppData\Local\Temp\7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXuYb427TU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1776
- - C:\Windows\Help\en-US\dwm.exe
    "C:\Windows\Help\en-US\dwm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f16f8db-9955-4c37-8231-5145f16ae98d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf8ad41f-b41a-4665-af41-a57d4aa4d75d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\256d32ed-dc9a-4546-ae8b-79c34a13d392.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4b91081-a8fe-4b1f-a33a-b40b934ad21f.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dafb08cc-03fb-4be6-8c51-0a5144d09c77.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c385511-705c-4144-8fc5-8225a85c6257.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69116770-a0ef-49db-b644-f2a5cdfee400.vbs"
        16⤵
        
        PID:3520
        
        C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecaa499c-42b1-4b59-be56-0c48cbd84cf9.vbs"
        18⤵
        
        PID:4060
        
        C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a43648ad-b24e-483a-ab66-d80764f32a32.vbs"
        20⤵
        
        PID:732
        
        C:\Windows\Help\en-US\dwm.exe
        
        C:\Windows\Help\en-US\dwm.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e807ed82-9bde-4703-b3ff-0c6917f4e7f7.vbs"
        22⤵
        
        PID:3720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a292c283-d3b7-4936-85ce-29b546898412.vbs"
        22⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2476266-71dd-4ed1-a78f-2c6c43bdabe0.vbs"
        20⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1a17eb3-6cde-4d94-a7f3-9417ffa50dec.vbs"
        18⤵
        
        PID:4904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41c5d2e8-610e-43cd-bdb1-f600b070a58a.vbs"
        16⤵
        
        PID:5024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\494c32f6-a2aa-467a-9b0a-a702fb3bbca5.vbs"
        14⤵
        
        PID:3852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab60f91d-776b-4455-8cc9-4bc8c2067cb6.vbs"
        12⤵
        
        PID:5056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ffae08e-c8ac-4ae4-9700-173d064e0305.vbs"
        10⤵
        
        PID:4396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c731573a-0d64-424b-ab6b-dee553936c79.vbs"
        8⤵
        
        PID:3628
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f90a980-b0c1-43e0-8941-cb8b36962f84.vbs"
        6⤵
        
        PID:1920
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\889bd58d-0787-4cf1-8a56-4d88a28435e6.vbs"
      4⤵
      PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Users\Default\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Users\Default\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\Saved Pictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\Saved Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Help\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\GroupPolicyUsers\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\GroupPolicyUsers\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\GroupPolicyUsers\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe

Filesize
1.7MB

MD5
688dfbd7ae580d677742065afa2f2991

SHA1
9742697e260249d2380b8199856b030057670cd1

SHA256
7dbbe0919357ceef595d52dc6723aad8c43ebb107952aa8f62dbf05e7682b750

SHA512
afc474710e071db0caf4d3fd89beddb2a5d6bbfa9e6b93fcd059a33191e66db9bb0b4f4fe0ac4baf5451936c0269a5b8b05355f2076f300bdf852b8a3fb32144

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\Idle.exe

Filesize
1.7MB

MD5
c7ff471a5dcf4d8ff37e6d8818ddd80f

SHA1
05e61ed5733c52dc5c1d6dbb6325dd6e276f5f9e

SHA256
0505075b8d3b6e563b242498d812fb3aac1282f788d499038ceee37f408707c6

SHA512
cf9f34fabfbca08d47a7ba31bbdfb274ecaf6ffc3544672fc9ab2ef1a00928cca43f18ee0a6e46426eb0f4975928543f9560f6b707706bc119576ca74ad51004

Download Submit
C:\Program Files\dotnet\RuntimeBroker.exe

Filesize
1.7MB

MD5
4957a78af07ff6e3f322ad4d7cdf3b0b

SHA1
e2b254ea23c25bdd9fc905d83d7ef49f1b8e04fd

SHA256
b35f8b8a12c0f70ab06024872bacb7201151107a0a255244a6d7cab80c0cb475

SHA512
86e68ff68c1249123da161d3551fed35f5cd0e34d04bef6ab7f0cdbaaf5cb87e2be8f985e6879296ba93f1b14c9fe918488c4d5a0b4070fd243125b43cfea08b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c385511-705c-4144-8fc5-8225a85c6257.vbs

Filesize
705B

MD5
17789f0b4e0b66c89a6d72fb22842f2a

SHA1
5a533ee52c39a4207330b629828041858441417f

SHA256
bb35d4017256ab69d6438768c1020208a7de3f8dc7ffa41ec7da191d2bf4713c

SHA512
00f9f3abf77e8947687c4d9ea0ae6de1160df7fcb5cd3f3d7673291be0ca4dd4de1e1de210f21c9f488759effb4d331ffecb4196f322ba2666ef1b25bd6c9587

Download Submit
C:\Users\Admin\AppData\Local\Temp\256d32ed-dc9a-4546-ae8b-79c34a13d392.vbs

Filesize
705B

MD5
cd2448acb68b00cc57b2976dbabc7bd5

SHA1
f8f54931dff32707f20551d97ce1684839d9ad46

SHA256
3a5cfc936ef026e6d7f19e9a76f2224d46ee52a6f7405c46b354a3d021cd50f6

SHA512
bd82dccbb8007403de9eabb51e8ee1784cf5bf2b38357112d656f2bfd9158b7068981f04355369f135a9c350e9c842a7d716d1d9592adea554df4168bc00887c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f16f8db-9955-4c37-8231-5145f16ae98d.vbs

Filesize
705B

MD5
74e033c8c08b3afeebc40eae64701bed

SHA1
15be7f8f5029327753b35d3b0ffae791d20f7c73

SHA256
831d31015d1e007edb9011105bbc0907fd105e39e47393b1f30aec1741476722

SHA512
1581582ef9080c83779f1c7ca5e720e0cc523d147e1ae30ab282612d5d48bf347732f174d33bbcd2fa3b09112b3cc07bc9a1266048167aa3138736a3331f2c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\69116770-a0ef-49db-b644-f2a5cdfee400.vbs

Filesize
705B

MD5
a3071cc77e23814af9cb01c8a4abd5b7

SHA1
6a7c9a9b5c7a3b79db80c35dbe81e0b9468d8d9c

SHA256
e761fee2aebd7d6f8067c310241b107ab65139b2238390da5753d91961150e5a

SHA512
7d9a2629772f22c006e0ebb1c25c665ec86d7a4431b5f763def4f8f30bed52becb828618d6d012191d3f4ff26e9f01cc21f0aaea198a5c48ca7f1d632a7196da

Download Submit
C:\Users\Admin\AppData\Local\Temp\889bd58d-0787-4cf1-8a56-4d88a28435e6.vbs

Filesize
481B

MD5
10dd59e7d35c559007a182a32a4d9d92

SHA1
bd4208a859c0dbdac0bf8d42a4ee40d91c6b7958

SHA256
269a6050a09b810560e198781bc5bb0fa5f652c8e60925ebb7b81108f201a1cd

SHA512
1a073258372d7040225d348276d9d074cee4e3481b34bbd51567a114a7a558df4f9e4b2cbcf596806652bf4da129d6b659f0eed0f0395d340f81ea9e69939556

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ivqvx1uv.dxa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a43648ad-b24e-483a-ab66-d80764f32a32.vbs

Filesize
705B

MD5
0a5424b39b3de36ec5095253b1a70829

SHA1
568b077ff28fa1021a6915144477c243c4478f51

SHA256
0bd3ae82c954fa76576e82e2fdf863cad43bcfd17be0f8fa38ab94616ed513e6

SHA512
f1fc4fb57f6ed04fd23cab1d12ea1e61a6e71598d4ea03fc859aef9b27c0e20a2d2995ac8418325667c752098a6eadf339f666d72c5af6e47ff328931d96e172

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4b91081-a8fe-4b1f-a33a-b40b934ad21f.vbs

Filesize
705B

MD5
20807eb1bb34575ba48d4c67e3902198

SHA1
3b2fb6b112ea905ff6a323bf874bfdf6006d5a19

SHA256
b8702e48bed3da378676ee265aef47c12a70d58ad4108f2696e97d4b0ee9d6e6

SHA512
c5113640b02cf2bec6a346eb93b539d1679b325d0aceba5033e0f4d2e00c656eaef6e76e7f66e0f34193d1b5046067f1d3b65851a931cdaf98afe319575b2d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf8ad41f-b41a-4665-af41-a57d4aa4d75d.vbs

Filesize
705B

MD5
228981b36ae921d528f213c8f0d0594e

SHA1
88e6991e04a911db14a999048222be8f7000d976

SHA256
dc36338bff97d3e97ffe055ccf49ac7cb4853bb7c1dd582cc17fb3914c4c7457

SHA512
d285312f14c80af6af90e1a527bddbff3043fb4727e5c79bebb3c61b08616c8cf6fc945d83416eb098afd0a772108c152368a31d789976f8c878d5c8a2f2df2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXuYb427TU.bat

Filesize
194B

MD5
fd30de178b013365da541fa451d6a593

SHA1
0455d07b8d25f1ae660b323b06b4a19fe4d036d7

SHA256
578e2decc7ce416e9b11866eb854b20003f0b6f2d30ebfd972637eda8ad054a0

SHA512
849922071a10c652955662ab268a756a2b2ec0d784fb4bb705dd806a4d50c2163219aa00e836d79195cd51b7d1d17d9b73dbd1b9b040d293db505fb46f7d575e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dafb08cc-03fb-4be6-8c51-0a5144d09c77.vbs

Filesize
705B

MD5
59c582da8cc07ec259f7adbe84fbbec2

SHA1
5bfe3a1d03f6f5094469d26748f1d8e53748010c

SHA256
941bdbaf64ebf3365f2284d7c9f34e75c0fd741969f25ab945adb230bc81264c

SHA512
ea4d2587fa3536d09edbb4a5fb8da71a736307450b0ff1614e49c7e5899763b5e1fb4d57d707d8a1c6a16bf7c5a961496cf7b70f385bbdc56cae3a475095de68

Download Submit
C:\Users\Admin\AppData\Local\Temp\e807ed82-9bde-4703-b3ff-0c6917f4e7f7.vbs

Filesize
705B

MD5
3e17d3ea06562cc25af9873cfe55f663

SHA1
febe8f4f844de1111f5d50983009b7f93d769dc1

SHA256
f1c78e0f7a4788806f904c9c48330233360e3fc01cbfa14046a8402b0fa4b71e

SHA512
2aaf24f76126dc7e70908331bc734096f394c1df264dae63876cebde2d588cf9d57cd740fc1683197fb6bbd0c061dd1d0fd206da8a6fb56a15ebad2f9eca43f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecaa499c-42b1-4b59-be56-0c48cbd84cf9.vbs

Filesize
704B

MD5
fb38386f409b9ed24a109c741c6d4c15

SHA1
c6b7603d0127ed131fe3eab9249b39f0f2dca163

SHA256
e6aa08ceb3cfe730e17fd60e3be7cac90123b5fa53e2701c2b21a67acc58b74b

SHA512
a6d87f26193b5d3e51e14ddbd68d4ac923a7b75dbe9d06e50597ee1bdbbfd0d27083065d184d2b692788d0097a8c7ca8263d67c1359f5b302604737660fcc2e8

Download Submit
C:\Users\Admin\AppData\Local\taskhostw.exe

Filesize
1.7MB

MD5
87e6ad4db7a033289f5f854d3b82a448

SHA1
9a363478269335a1d19df4209746a53999539d82

SHA256
1798f2aacac85c043eb7a27ed0a4204babe868ed2f5812038667d78f519a1999

SHA512
befd5582dc37bf4079fc208b760318c9aff67d7c949c4dd3b12c23acf5c9a727706484e0aa59eec8c69a1d26cedccf2455ea07284b2d1b05b1229e2723256090

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\RCXBEA4.tmp

Filesize
1.7MB

MD5
eb66c4c44a65c5f206d3940f7016c632

SHA1
bf86376a521facd35b95a819d9586685766ec375

SHA256
9c3df76a43b4770f4a9d2ad9f51f25ee1a5b2fdd714ced4ff423be65c791ae8c

SHA512
7dcd4e7147de500942ca6063255342842123f6fd1aac7e949e22d7cb7f75b1f2a6243287a02361ce3526fa93323f9f4b6b3b48f1837e42be97856f138e8e08d8

Download Submit
C:\Windows\Help\en-US\RCXCB50.tmp

Filesize
1.7MB

MD5
9b083af442a3697a26e10648a5bb8d27

SHA1
deb5436d13ddb2a2fe06cb8de60eafc8c939ed69

SHA256
27c7f5178bead7fd3d0494e0ed2a5ab69e67719d7533aff482b44fa4900ef33f

SHA512
a5175440920ae64b729f51d17e4167a1c57c5aa491087f4aea81ee72f10b833702fe03f4e1bde808ac8fdb636b12f2c74240e7851248f2eae01a916131acf981

Download Submit
memory/2848-323-0x00000000003D0000-0x0000000000590000-memory.dmp

Filesize
1.8MB

Download
memory/2964-360-0x000000001AE60000-0x000000001AE72000-memory.dmp

Filesize
72KB

Download
memory/3712-14-0x0000000002F70000-0x0000000002F7C000-memory.dmp

Filesize
48KB

Download
memory/3712-0-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp

Filesize
8KB

Download
memory/3712-203-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-206-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-152-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp

Filesize
8KB

Download
memory/3712-1-0x0000000000C00000-0x0000000000DC0000-memory.dmp

Filesize
1.8MB

Download
memory/3712-23-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-22-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-19-0x000000001BC40000-0x000000001BC4C000-memory.dmp

Filesize
48KB

Download
memory/3712-16-0x000000001BC60000-0x000000001BC6E000-memory.dmp

Filesize
56KB

Download
memory/3712-17-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

Filesize
32KB

Download
memory/3712-18-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/3712-15-0x000000001BC50000-0x000000001BC5A000-memory.dmp

Filesize
40KB

Download
memory/3712-164-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-13-0x000000001C6F0000-0x000000001CC18000-memory.dmp

Filesize
5.2MB

Download
memory/3712-12-0x0000000002F60000-0x0000000002F72000-memory.dmp

Filesize
72KB

Download
memory/3712-2-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3712-10-0x0000000002F50000-0x0000000002F58000-memory.dmp

Filesize
32KB

Download
memory/3712-3-0x0000000001570000-0x000000000158C000-memory.dmp

Filesize
112KB

Download
memory/3712-9-0x0000000002F40000-0x0000000002F4C000-memory.dmp

Filesize
48KB

Download
memory/3712-6-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/3712-7-0x0000000002EC0000-0x0000000002ED6000-memory.dmp

Filesize
88KB

Download
memory/3712-8-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/3712-5-0x00000000016A0000-0x00000000016A8000-memory.dmp

Filesize
32KB

Download
memory/3712-4-0x0000000002F80000-0x0000000002FD0000-memory.dmp

Filesize
320KB

Download
memory/4304-216-0x000001E36C760000-0x000001E36C782000-memory.dmp

Filesize
136KB

Download
memory/4672-348-0x000000001BE00000-0x000000001BE12000-memory.dmp

Filesize
72KB

Download
memory/5060-336-0x000000001BBE0000-0x000000001BBF2000-memory.dmp

Filesize
72KB

Download