dcrat | 4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Size

1.7MB
MD5

17ec06d456ef3bb342d301f1a0e7f5ae
SHA1

da6432e5a3cc4f5c52420e0e4adbbb6c22249071
SHA256

4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261
SHA512

bc434febf5ac6600e40134ea72feeef048b895167701bef85c447776a423d533a120bc1feee1173cdeb8b0a13f8d2bddb2d8200b7ec005f3b8aaad430300de28
SSDEEP

49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:uTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2244	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2244	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2076-1-0x0000000000A40000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/files/0x0008000000017467-27.dat	dcrat
behavioral1/files/0x000c000000017467-147.dat	dcrat
behavioral1/files/0x0007000000019931-158.dat	dcrat
behavioral1/files/0x0007000000019bf2-169.dat	dcrat
behavioral1/files/0x000c000000019d5c-225.dat	dcrat
behavioral1/memory/2400-320-0x00000000011D0000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2788-331-0x00000000003D0000-0x0000000000590000-memory.dmp	dcrat
behavioral1/memory/1804-343-0x00000000010D0000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/3004-355-0x0000000000120000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/344-367-0x0000000000B50000-0x0000000000D10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1768	powershell.exe
2124	powershell.exe
2180	powershell.exe
2096	powershell.exe
1720	powershell.exe
1692	powershell.exe
2748	powershell.exe
2336	powershell.exe
1892	powershell.exe
1592	powershell.exe
1248	powershell.exe
1584	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Executes dropped EXE 9 IoCs

pid	Process
2400	csrss.exe
2788	csrss.exe
1804	csrss.exe
3004	csrss.exe
344	csrss.exe
2976	csrss.exe
1944	csrss.exe
1512	csrss.exe
2248	csrss.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\886983d96e3d3e	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXD66F.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lsass.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\RCXEA7D.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\RCXEA7E.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\7-Zip\Lang\6203df4a6bafc7	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\csrss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\csrss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\7-Zip\Lang\lsass.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXD66E.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCXE46E.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\DigitalLocker\fr-FR\RCXE674.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Performance\WinSAT\DataStore\lsm.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\de-DE\RCXD3FC.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Migration\WTR\886983d96e3d3e	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\addins\886983d96e3d3e	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\de-DE\RCXD3FD.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\twain_32\RCXDAE5.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\DigitalLocker\fr-FR\csrss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Migration\WTR\csrss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\addins\csrss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Migration\WTR\csrss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\twain_32\lsm.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCXE46F.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\lsm.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\DigitalLocker\fr-FR\RCXE673.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Migration\WTR\RCXE879.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\addins\csrss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Performance\WinSAT\RCXD1F7.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Performance\WinSAT\dllhost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Performance\WinSAT\dllhost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\DigitalLocker\fr-FR\csrss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\addins\RCXEC82.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\de-DE\69ddcba757bf72	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\twain_32\RCXDB53.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\de-DE\smss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Migration\WTR\RCXE878.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Performance\WinSAT\DataStore\101b941d020240	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Performance\WinSAT\RCXD1F8.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\twain_32\lsm.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\twain_32\101b941d020240	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\DigitalLocker\fr-FR\886983d96e3d3e	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\addins\RCXEC83.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Performance\WinSAT\5940a34987c991	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\de-DE\smss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe
296	schtasks.exe
1304	schtasks.exe
2280	schtasks.exe
1180	schtasks.exe
2992	schtasks.exe
2180	schtasks.exe
2732	schtasks.exe
2352	schtasks.exe
1736	schtasks.exe
2336	schtasks.exe
2228	schtasks.exe
2852	schtasks.exe
2744	schtasks.exe
2868	schtasks.exe
1416	schtasks.exe
2052	schtasks.exe
2032	schtasks.exe
824	schtasks.exe
1280	schtasks.exe
2860	schtasks.exe
2640	schtasks.exe
1656	schtasks.exe
1896	schtasks.exe
1400	schtasks.exe
1356	schtasks.exe
2232	schtasks.exe
3040	schtasks.exe
1688	schtasks.exe
904	schtasks.exe
1724	schtasks.exe
2328	schtasks.exe
2816	schtasks.exe
1508	schtasks.exe
1924	schtasks.exe
1804	schtasks.exe
1072	schtasks.exe
1232	schtasks.exe
832	schtasks.exe
1780	schtasks.exe
2728	schtasks.exe
2644	schtasks.exe
1528	schtasks.exe
2460	schtasks.exe
2920	schtasks.exe
2196	schtasks.exe
872	schtasks.exe
1776	schtasks.exe
2928	schtasks.exe
2940	schtasks.exe
1788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2124	powershell.exe
1720	powershell.exe
1248	powershell.exe
1892	powershell.exe
1584	powershell.exe
2180	powershell.exe
1768	powershell.exe
2096	powershell.exe
1592	powershell.exe
1692	powershell.exe
2748	powershell.exe
2336	powershell.exe
2400	csrss.exe
2400	csrss.exe
2400	csrss.exe
2400	csrss.exe
2400	csrss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2400	csrss.exe
Token: SeDebugPrivilege	2788	csrss.exe
Token: SeDebugPrivilege	1804	csrss.exe
Token: SeDebugPrivilege	3004	csrss.exe
Token: SeDebugPrivilege	344	csrss.exe
Token: SeDebugPrivilege	2976	csrss.exe
Token: SeDebugPrivilege	1944	csrss.exe
Token: SeDebugPrivilege	1512	csrss.exe
Token: SeDebugPrivilege	2248	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2336	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	83
PID 2076 wrote to memory of 2336	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	83
PID 2076 wrote to memory of 2336	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	83
PID 2076 wrote to memory of 1892	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	84
PID 2076 wrote to memory of 1892	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	84
PID 2076 wrote to memory of 1892	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	84
PID 2076 wrote to memory of 2124	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	85
PID 2076 wrote to memory of 2124	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	85
PID 2076 wrote to memory of 2124	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	85
PID 2076 wrote to memory of 2180	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	86
PID 2076 wrote to memory of 2180	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	86
PID 2076 wrote to memory of 2180	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	86
PID 2076 wrote to memory of 2096	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	87
PID 2076 wrote to memory of 2096	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	87
PID 2076 wrote to memory of 2096	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	87
PID 2076 wrote to memory of 1720	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	88
PID 2076 wrote to memory of 1720	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	88
PID 2076 wrote to memory of 1720	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	88
PID 2076 wrote to memory of 1592	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	89
PID 2076 wrote to memory of 1592	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	89
PID 2076 wrote to memory of 1592	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	89
PID 2076 wrote to memory of 1248	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	90
PID 2076 wrote to memory of 1248	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	90
PID 2076 wrote to memory of 1248	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	90
PID 2076 wrote to memory of 1692	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	91
PID 2076 wrote to memory of 1692	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	91
PID 2076 wrote to memory of 1692	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	91
PID 2076 wrote to memory of 1584	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	92
PID 2076 wrote to memory of 1584	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	92
PID 2076 wrote to memory of 1584	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	92
PID 2076 wrote to memory of 1768	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	93
PID 2076 wrote to memory of 1768	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	93
PID 2076 wrote to memory of 1768	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	93
PID 2076 wrote to memory of 2748	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	94
PID 2076 wrote to memory of 2748	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	94
PID 2076 wrote to memory of 2748	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	94
PID 2076 wrote to memory of 2400	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	107
PID 2076 wrote to memory of 2400	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	107
PID 2076 wrote to memory of 2400	2076	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	107
PID 2400 wrote to memory of 2716	2400	csrss.exe	108
PID 2400 wrote to memory of 2716	2400	csrss.exe	108
PID 2400 wrote to memory of 2716	2400	csrss.exe	108
PID 2400 wrote to memory of 2996	2400	csrss.exe	109
PID 2400 wrote to memory of 2996	2400	csrss.exe	109
PID 2400 wrote to memory of 2996	2400	csrss.exe	109
PID 2716 wrote to memory of 2788	2716	WScript.exe	110
PID 2716 wrote to memory of 2788	2716	WScript.exe	110
PID 2716 wrote to memory of 2788	2716	WScript.exe	110
PID 2788 wrote to memory of 2144	2788	csrss.exe	111
PID 2788 wrote to memory of 2144	2788	csrss.exe	111
PID 2788 wrote to memory of 2144	2788	csrss.exe	111
PID 2788 wrote to memory of 2088	2788	csrss.exe	112
PID 2788 wrote to memory of 2088	2788	csrss.exe	112
PID 2788 wrote to memory of 2088	2788	csrss.exe	112
PID 2144 wrote to memory of 1804	2144	WScript.exe	113
PID 2144 wrote to memory of 1804	2144	WScript.exe	113
PID 2144 wrote to memory of 1804	2144	WScript.exe	113
PID 1804 wrote to memory of 1768	1804	csrss.exe	114
PID 1804 wrote to memory of 1768	1804	csrss.exe	114
PID 1804 wrote to memory of 1768	1804	csrss.exe	114
PID 1804 wrote to memory of 2680	1804	csrss.exe	115
PID 1804 wrote to memory of 2680	1804	csrss.exe	115
PID 1804 wrote to memory of 2680	1804	csrss.exe	115
PID 1768 wrote to memory of 3004	1768	WScript.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
"C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Users\All Users\Start Menu\csrss.exe
  "C:\Users\All Users\Start Menu\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f05db4e6-2b99-446f-b19f-c8899ebc6a13.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\All Users\Start Menu\csrss.exe
      "C:\Users\All Users\Start Menu\csrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de84317a-fb5a-46be-b9d0-cf7f4aadbcd9.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Users\All Users\Start Menu\csrss.exe
        
        "C:\Users\All Users\Start Menu\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02f2dbb2-4cac-40c3-a847-263f1c01dbe4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Users\All Users\Start Menu\csrss.exe
        
        "C:\Users\All Users\Start Menu\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe5bacb2-fc8c-48b8-ad6b-e37280306216.vbs"
        9⤵
        
        PID:1996
        
        C:\Users\All Users\Start Menu\csrss.exe
        
        "C:\Users\All Users\Start Menu\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9883fa71-544d-4372-8fa5-4d51ad580c08.vbs"
        11⤵
        
        PID:3048
        
        C:\Users\All Users\Start Menu\csrss.exe
        
        "C:\Users\All Users\Start Menu\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37253a1d-fa54-4fe6-9fa5-0680867943b9.vbs"
        13⤵
        
        PID:2676
        
        C:\Users\All Users\Start Menu\csrss.exe
        
        "C:\Users\All Users\Start Menu\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b32ebfc7-da3d-46aa-b367-0cb2c6a3b880.vbs"
        15⤵
        
        PID:916
        
        C:\Users\All Users\Start Menu\csrss.exe
        
        "C:\Users\All Users\Start Menu\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\478deb8d-4ba8-46c1-8bd4-b04ed79faba5.vbs"
        17⤵
        
        PID:848
        
        C:\Users\All Users\Start Menu\csrss.exe
        
        "C:\Users\All Users\Start Menu\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0efad639-77d7-4ba8-93cc-7a4bbc530b81.vbs"
        19⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\234ab98e-0e65-4d6f-9117-bc6c4bc1c9d3.vbs"
        19⤵
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21e20f6d-7225-4bd6-b1fa-953bb2cd771e.vbs"
        17⤵
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e740b4f3-dc7c-40df-8421-a62aea15c145.vbs"
        15⤵
        
        PID:340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ba4eeb-4011-4519-b917-e331d7a2a8fa.vbs"
        13⤵
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f438dba-e146-47d3-94e4-1e6781aac62a.vbs"
        11⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64c2f080-2329-4e25-8895-46aea2142cad.vbs"
        9⤵
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\286ac9f6-ca90-407d-be12-70de8669bf99.vbs"
        7⤵
        
        PID:2680
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97438882-dde3-42bf-85f1-dd17b2a82129.vbs"
        5⤵
        
        PID:2088
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\983aea8c-d323-4db6-9eb5-fd83de76c80c.vbs"
    3⤵
    PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\twain_32\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e424682614" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261" /sc ONLOGON /tr "'C:\Users\Default\SendTo\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e424682614" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe

Filesize
1.7MB

MD5
aeda2dcaab188f602321ceafd46a386a

SHA1
d8ed03de7761a5da8d43264af0821a8fa54e94b6

SHA256
f7ce2d7ad81502e0e04514b6d0e0f6aa90900e142fbf469f0fdf1bacf514312f

SHA512
70f78d4ae110c2daca60330274418e2f0cbb7604d0993f9bffccf5d71f7a6091d52982a4670e8f40a01e4808f21b10b27a216f0c4e535e4d28c1d8e05247952b

Download Submit
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\RCXEA7D.tmp

Filesize
1.7MB

MD5
efe235080463193e24c2e3ad5d3a43ab

SHA1
763a61c417fb9cb6f3de9397c78fd0e79cb7724a

SHA256
25701da64084095d3df250f3ddd1e9e6065f8b02048a15ad43b61ce35f5e85ce

SHA512
30b40043fa477231a851d5eff32d1a04abec8371c4f0a01290e3b21bdc75b0eff299c44a1e87e28d14fca564422de33f43f388283567d5e4ca0fdcd6a7de25a0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\csrss.exe

Filesize
1.7MB

MD5
d1e68d1c91913e0421e8677ed457f936

SHA1
53dfde7e2d5bb22ee783f5faacc88091e8d7dc4c

SHA256
73f07968ac955505e5cb476b6dbbd0bde8b9737b368541a346bf21e7941f4e14

SHA512
8c8d0668aed8140e979d2e796f502d0dc7f732199aceef6732b8af324b29d4a0271153bdf9eec8da6cc274e4f33761b045d7368181714efd49bfaf8126fe501e

Download Submit
C:\Users\Admin\AppData\Local\Temp\02f2dbb2-4cac-40c3-a847-263f1c01dbe4.vbs

Filesize
715B

MD5
4eb122be06a99790afea374a5e4a33bd

SHA1
4c13c40633f3429880d1b4053143d4840cda0f69

SHA256
4a3ff575f6f177e95cafa81cd478f5d9a05147f1f5e39309ab9a2f9ef859691a

SHA512
df35b7f098a5932cd67837eb947e9969f640d746c3a2e00333e1b8f78fa56f16af90bc5bbc7656e4d262541d19447098209a31d4e7675717647eece5b47b7b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\0efad639-77d7-4ba8-93cc-7a4bbc530b81.vbs

Filesize
715B

MD5
c815123b3ee6c0d6f1397e4169f566ea

SHA1
d20b0d595deda394160ea0cca98c248501b5cd62

SHA256
e95e375b8635cb502b25e0ab1314b5b7d295f2d35463bb9a69e1005bb54738c7

SHA512
e526e3d8c5608e2e938b3677442ec75ac7a9083a38aa068afd81733dd587e2507c4ca33f8b14cff330d5091e0d08b61fce7fd5e6ab9a676d94dba4a56f6922f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\37253a1d-fa54-4fe6-9fa5-0680867943b9.vbs

Filesize
715B

MD5
68da5ff85c8d5e08ed736d26f3716c9a

SHA1
5e0aab651076a93635b463e0e8b1ae61c24a5d8c

SHA256
d1d8d314d95ed591b989e013e197b352e557d7105a0ed296199b4f7dbd1dad79

SHA512
defebd72267fa44c9c961cc9c590c084ae58fc8f24edaf6cf380594237d5876456b8fd68578dc57ae51dcf61aaadcfc0a4eb62c2455214fa1a7cf9d5831e5e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\478deb8d-4ba8-46c1-8bd4-b04ed79faba5.vbs

Filesize
715B

MD5
b07c3dffb4db9c470299e5e1377e4e8f

SHA1
9834e82872b4c07cd3eccf4be44177eb264c14eb

SHA256
05f1b1498e0399853279c667592654de2153c8a521c75392f329727e05d4d753

SHA512
fb15917a76d15fbe79484c08f5a70ad59169911cc92de51dc1276e9a7e352121c1adfeab4fe1e3350cb2ff636caf7f46e33c609a7dbbef9f46b86b82f732be9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\983aea8c-d323-4db6-9eb5-fd83de76c80c.vbs

Filesize
491B

MD5
ecf665e844044f55b79be78b3375f069

SHA1
cf9d1409f55784e4ca3cb04ad60f2dcefaf0f06c

SHA256
d11856945d0ed8708db284fe10701da38feca89cdcb3bd7fa24b33f3faa83b5e

SHA512
474f84c210f4ec277643c307cd1de649087d0ef1e828dc918d7708f931a86c64d34f1cf91cc796e0177288d849bb2143e9d8d3aebda515458a92b872a1ac9e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\9883fa71-544d-4372-8fa5-4d51ad580c08.vbs

Filesize
714B

MD5
6865053db94b5a90f982c90176c1176e

SHA1
416cd305150cc1eafed8ab11b0d0159d283a24e7

SHA256
89bb1b97d704a4fc9d9160154a7c927be179095d564855f24152317067c35d2c

SHA512
857e035cad65ca1b2e99c60c8193f19596d7a9d43b64a1329db2bd62e86ab0080a050873b45656ac765cd4db1337eaff6297e8bb9f2a3daa8837d040ce7d3c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b32ebfc7-da3d-46aa-b367-0cb2c6a3b880.vbs

Filesize
715B

MD5
585809532c9b4887d39d4f841683e47f

SHA1
a69a692ceba14a5a8c611ebe13c8c0a1f12bc467

SHA256
56714bce2efe315adc518f8de96a4716deb2e1b30cec8c732f673c69ac99c1b1

SHA512
b8cb2905596af4ea0a8009adb29c5c27ad964b387b1bfd9fb55652a8808ccee13967d8adca96b358c906589040c95b6934a44c2b60f97116cb5f405548c670b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\de84317a-fb5a-46be-b9d0-cf7f4aadbcd9.vbs

Filesize
715B

MD5
14ea79fb8869219a0f2362772a4d18a5

SHA1
87af58af2beb29c7353c603f9633875154b13737

SHA256
aadbcd93aafa3997e3b1b8bb9318df9d4a897b575286f532a7876b929823772c

SHA512
42fe027ee60026242ff3b9175d2adc569c88e5acb81ffc93a633e9085cc0edebeeb2980c8a05733473ebc6393093351c34217961705113e74aec7a74fbf9c34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f05db4e6-2b99-446f-b19f-c8899ebc6a13.vbs

Filesize
715B

MD5
38bc39d20f96d6565a176dd2c3cd95f1

SHA1
7b2d0906c14d9270be968b87a78eb76f1f2e6c2c

SHA256
9bd521b5f04b327bebab65b3b0356878f16bd0ef193d34afbafccf4d2ff51c22

SHA512
fb8edba2350e012c00ab1a82f92c5e5139b5c608840346a071cdfb81a1eebb5aaa2d281b75a8ee0c2146527e92bf8342267a06ad6f96c46add8901e84b7d1d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe5bacb2-fc8c-48b8-ad6b-e37280306216.vbs

Filesize
715B

MD5
8547f139a98519544faf0038d2333194

SHA1
6c0cf15127e1aade07c93421d2e9418f04a9fd4f

SHA256
f958962ddc80e25e4502b9a2f554777ac3690a32bf3cd41e8beb2936f08ef682

SHA512
c244497f4a417509e00ca53bf1b4bc30c28c251529e04b3c7b113c40a96af07072f486a4870c3102b9ff60defaafd053b9e6f31aa3f6530a8e96c30c8ed2b605

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z8D7AOR4FBPWWGRZQVBO.temp

Filesize
7KB

MD5
7bcc612d00cd32e15b3dc377fd9db477

SHA1
e47d1b60c40d28f0ebe9bfde9451a7d0091c6a31

SHA256
b1d3f8be0889185df6b36a23f5ef3f81e50aefd42709d2b7026ea29e720acf7a

SHA512
542ea1356fece626edc4c2a7fac12543e7afc5d074c4fe08b6d3fe51be3ae262f8bb29491689b35f1c7dcaf90290f0203900157eb3ad153559897bae7467695f

Download Submit
C:\Windows\de-DE\smss.exe

Filesize
1.7MB

MD5
17ec06d456ef3bb342d301f1a0e7f5ae

SHA1
da6432e5a3cc4f5c52420e0e4adbbb6c22249071

SHA256
4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261

SHA512
bc434febf5ac6600e40134ea72feeef048b895167701bef85c447776a423d533a120bc1feee1173cdeb8b0a13f8d2bddb2d8200b7ec005f3b8aaad430300de28

Download Submit
C:\Windows\twain_32\lsm.exe

Filesize
1.7MB

MD5
11279f83f18a5a3eacfe03b0d46026fb

SHA1
d896544fbb02c9e8e9f2ca09cd5496c2d71042a2

SHA256
08c3dc90e45e6179bb1ee66f1744d5aa6a9d58c4ea54a58884da0a9519f51025

SHA512
b660dec95391a08eb5d5c9be6d2dc05f1c0fc3b19d1736ffa5c21dd64306aba1d4c36dc0b8d121ae30bd5b661ffda1a039bb22240013b6c863920aea225681e8

Download Submit
memory/344-367-0x0000000000B50000-0x0000000000D10000-memory.dmp

Filesize
1.8MB

Download
memory/1248-319-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/1512-401-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1804-343-0x00000000010D0000-0x0000000001290000-memory.dmp

Filesize
1.8MB

Download
memory/2076-196-0x000007FEF50F3000-0x000007FEF50F4000-memory.dmp

Filesize
4KB

Download
memory/2076-14-0x0000000002330000-0x000000000233E000-memory.dmp

Filesize
56KB

Download
memory/2076-0-0x000007FEF50F3000-0x000007FEF50F4000-memory.dmp

Filesize
4KB

Download
memory/2076-221-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2076-17-0x00000000023F0000-0x00000000023FC000-memory.dmp

Filesize
48KB

Download
memory/2076-245-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2076-13-0x00000000023D0000-0x00000000023DA000-memory.dmp

Filesize
40KB

Download
memory/2076-20-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2076-16-0x00000000023E0000-0x00000000023EC000-memory.dmp

Filesize
48KB

Download
memory/2076-318-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2076-3-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2076-2-0x000007FEF50F0000-0x000007FEF5ADC000-memory.dmp

Filesize
9.9MB

Download
memory/2076-15-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2076-1-0x0000000000A40000-0x0000000000C00000-memory.dmp

Filesize
1.8MB

Download
memory/2076-12-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/2076-11-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/2076-9-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/2076-5-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2076-8-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2076-7-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2076-6-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/2076-4-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/2124-317-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2248-413-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/2400-320-0x00000000011D0000-0x0000000001390000-memory.dmp

Filesize
1.8MB

Download
memory/2788-331-0x00000000003D0000-0x0000000000590000-memory.dmp

Filesize
1.8MB

Download
memory/3004-355-0x0000000000120000-0x00000000002E0000-memory.dmp

Filesize
1.8MB

Download