dcrat | 0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
Size

1.7MB
MD5

784f5cdc78ca7bf50ad113eb9d580290
SHA1

b93e873ee52b7e462c2de9d12c229e9c4e35a9be
SHA256

0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253d
SHA512

e6d13471a5c2269a9b9ba1e5f4f87662c63cfe87e53631615a45a3e8459f37c285eae13e29d3fe67f6589020cd461267714e27e6d93e7218fca6d1c1012ab7d9
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1412	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1412	schtasks.exe	30

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1040-1-0x0000000000F50000-0x0000000001110000-memory.dmp	dcrat
behavioral1/files/0x0005000000018686-27.dat	dcrat
behavioral1/files/0x000b000000018c16-116.dat	dcrat
behavioral1/files/0x0007000000018686-127.dat	dcrat
behavioral1/files/0x00070000000186f1-138.dat	dcrat
behavioral1/files/0x000b000000018739-173.dat	dcrat
behavioral1/files/0x0009000000019284-182.dat	dcrat
behavioral1/files/0x00090000000193a6-255.dat	dcrat
behavioral1/memory/2276-283-0x00000000001B0000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/1596-352-0x0000000000A50000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/2744-375-0x0000000000FF0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2020-398-0x00000000012C0000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1776	powershell.exe
2372	powershell.exe
2412	powershell.exe
1708	powershell.exe
1328	powershell.exe
2216	powershell.exe
600	powershell.exe
1492	powershell.exe
1616	powershell.exe
1104	powershell.exe
3040	powershell.exe
1736	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe

Executes dropped EXE 7 IoCs

pid	Process
2276	smss.exe
1596	smss.exe
2812	smss.exe
2744	smss.exe
2700	smss.exe
2020	smss.exe
2856	smss.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\886983d96e3d3e	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\RCXD204.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\RCXE8E1.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\69ddcba757bf72	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXDAF1.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXDD82.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\RCXE8E2.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXF163.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Windows Portable Devices\0a1fd5f707cd16	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Mozilla Firefox\fonts\smss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Mozilla Firefox\fonts\69ddcba757bf72	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sppsvc.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\886983d96e3d3e	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXDD14.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD87F.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXDA83.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXF3D5.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\dwm.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\6cb0b6c459d5d3	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\smss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\RCXD1D4.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\smss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Windows Portable Devices\sppsvc.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\24dbde2999530e	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\smss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXF366.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXD811.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\dwm.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXF162.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ShellNew\RCXD60D.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\RCXE40E.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\taskhost.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\tracing\RCXE69F.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\ShellNew\69ddcba757bf72	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\b75386f1303e64	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\tracing\sppsvc.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\rescache\rc0006\lsm.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXE19B.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\Downloaded Program Files\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\taskhost.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\b75386f1303e64	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\tracing\0a1fd5f707cd16	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\ShellNew\smss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\ShellNew\RCXD60C.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXE19C.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\RCXE3A0.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\ShellNew\smss.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\Downloaded Program Files\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File created	C:\Windows\Downloaded Program Files\f0fb9d8bbd6107	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\tracing\RCXE631.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXF695.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\tracing\sppsvc.exe	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXF626.tmp	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3020	schtasks.exe
2636	schtasks.exe
2660	schtasks.exe
1608	schtasks.exe
1744	schtasks.exe
1724	schtasks.exe
888	schtasks.exe
2040	schtasks.exe
2872	schtasks.exe
2156	schtasks.exe
2760	schtasks.exe
1672	schtasks.exe
1584	schtasks.exe
2324	schtasks.exe
1848	schtasks.exe
3004	schtasks.exe
2224	schtasks.exe
768	schtasks.exe
2236	schtasks.exe
2476	schtasks.exe
1832	schtasks.exe
1912	schtasks.exe
1560	schtasks.exe
1424	schtasks.exe
1104	schtasks.exe
2924	schtasks.exe
1572	schtasks.exe
2916	schtasks.exe
3000	schtasks.exe
2440	schtasks.exe
1720	schtasks.exe
1680	schtasks.exe
2204	schtasks.exe
2824	schtasks.exe
2988	schtasks.exe
2700	schtasks.exe
1628	schtasks.exe
1648	schtasks.exe
1904	schtasks.exe
1692	schtasks.exe
1936	schtasks.exe
2748	schtasks.exe
2860	schtasks.exe
2068	schtasks.exe
1564	schtasks.exe
664	schtasks.exe
2808	schtasks.exe
2644	schtasks.exe
1216	schtasks.exe
1712	schtasks.exe
1332	schtasks.exe
2136	schtasks.exe
2600	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
600	powershell.exe
1616	powershell.exe
2372	powershell.exe
1492	powershell.exe
1328	powershell.exe
3040	powershell.exe
2216	powershell.exe
1736	powershell.exe
2412	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2276	smss.exe
Token: SeDebugPrivilege	1596	smss.exe
Token: SeDebugPrivilege	2812	smss.exe
Token: SeDebugPrivilege	2744	smss.exe
Token: SeDebugPrivilege	2700	smss.exe
Token: SeDebugPrivilege	2020	smss.exe
Token: SeDebugPrivilege	2856	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2372	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	86
PID 1040 wrote to memory of 2372	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	86
PID 1040 wrote to memory of 2372	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	86
PID 1040 wrote to memory of 1492	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	87
PID 1040 wrote to memory of 1492	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	87
PID 1040 wrote to memory of 1492	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	87
PID 1040 wrote to memory of 1776	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	88
PID 1040 wrote to memory of 1776	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	88
PID 1040 wrote to memory of 1776	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	88
PID 1040 wrote to memory of 2412	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	90
PID 1040 wrote to memory of 2412	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	90
PID 1040 wrote to memory of 2412	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	90
PID 1040 wrote to memory of 2216	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	91
PID 1040 wrote to memory of 2216	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	91
PID 1040 wrote to memory of 2216	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	91
PID 1040 wrote to memory of 1708	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	94
PID 1040 wrote to memory of 1708	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	94
PID 1040 wrote to memory of 1708	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	94
PID 1040 wrote to memory of 1616	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	95
PID 1040 wrote to memory of 1616	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	95
PID 1040 wrote to memory of 1616	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	95
PID 1040 wrote to memory of 1104	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	96
PID 1040 wrote to memory of 1104	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	96
PID 1040 wrote to memory of 1104	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	96
PID 1040 wrote to memory of 3040	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	97
PID 1040 wrote to memory of 3040	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	97
PID 1040 wrote to memory of 3040	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	97
PID 1040 wrote to memory of 1736	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	98
PID 1040 wrote to memory of 1736	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	98
PID 1040 wrote to memory of 1736	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	98
PID 1040 wrote to memory of 1328	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	99
PID 1040 wrote to memory of 1328	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	99
PID 1040 wrote to memory of 1328	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	99
PID 1040 wrote to memory of 600	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	100
PID 1040 wrote to memory of 600	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	100
PID 1040 wrote to memory of 600	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	100
PID 1040 wrote to memory of 2276	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	110
PID 1040 wrote to memory of 2276	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	110
PID 1040 wrote to memory of 2276	1040	0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe	110
PID 2276 wrote to memory of 304	2276	smss.exe	111
PID 2276 wrote to memory of 304	2276	smss.exe	111
PID 2276 wrote to memory of 304	2276	smss.exe	111
PID 2276 wrote to memory of 2000	2276	smss.exe	112
PID 2276 wrote to memory of 2000	2276	smss.exe	112
PID 2276 wrote to memory of 2000	2276	smss.exe	112
PID 304 wrote to memory of 1596	304	WScript.exe	113
PID 304 wrote to memory of 1596	304	WScript.exe	113
PID 304 wrote to memory of 1596	304	WScript.exe	113
PID 1596 wrote to memory of 2968	1596	smss.exe	114
PID 1596 wrote to memory of 2968	1596	smss.exe	114
PID 1596 wrote to memory of 2968	1596	smss.exe	114
PID 1596 wrote to memory of 2948	1596	smss.exe	115
PID 1596 wrote to memory of 2948	1596	smss.exe	115
PID 1596 wrote to memory of 2948	1596	smss.exe	115
PID 2968 wrote to memory of 2812	2968	WScript.exe	116
PID 2968 wrote to memory of 2812	2968	WScript.exe	116
PID 2968 wrote to memory of 2812	2968	WScript.exe	116
PID 2812 wrote to memory of 2876	2812	smss.exe	117
PID 2812 wrote to memory of 2876	2812	smss.exe	117
PID 2812 wrote to memory of 2876	2812	smss.exe	117
PID 2812 wrote to memory of 2304	2812	smss.exe	118
PID 2812 wrote to memory of 2304	2812	smss.exe	118
PID 2812 wrote to memory of 2304	2812	smss.exe	118
PID 2876 wrote to memory of 2744	2876	WScript.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
"C:\Users\Admin\AppData\Local\Temp\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Program Files\Mozilla Firefox\fonts\smss.exe
  "C:\Program Files\Mozilla Firefox\fonts\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be7b1854-3e01-42d3-9968-d893c5d18e78.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Program Files\Mozilla Firefox\fonts\smss.exe
      "C:\Program Files\Mozilla Firefox\fonts\smss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fcbc050-bad7-4ce9-b421-128bfec1e9f7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Program Files\Mozilla Firefox\fonts\smss.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c35a35c-3669-4eec-ba3c-8ea5229cd75d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Program Files\Mozilla Firefox\fonts\smss.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\064d32dc-a619-4ab7-9f30-154caceb52f3.vbs"
        9⤵
        
        PID:2268
        
        C:\Program Files\Mozilla Firefox\fonts\smss.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8567b28b-754a-452b-b00f-1647329e4e83.vbs"
        11⤵
        
        PID:2500
        
        C:\Program Files\Mozilla Firefox\fonts\smss.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8958ee7e-7060-4a42-b777-fce1c01bf83f.vbs"
        13⤵
        
        PID:1520
        
        C:\Program Files\Mozilla Firefox\fonts\smss.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b79e8ed0-88a1-4509-be99-ad69dbf8c0df.vbs"
        15⤵
        
        PID:2392
        
        C:\Program Files\Mozilla Firefox\fonts\smss.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\smss.exe"
        16⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9e79eb9-0c18-4274-ae4a-bf426331f49a.vbs"
        15⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dcaf474-a78b-43b2-9ac6-212d47b43799.vbs"
        13⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cd5e6d5-337e-4656-9a84-ceaf90bc70c1.vbs"
        11⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c991703c-7ee6-4cc1-9eca-668a1a87fa55.vbs"
        9⤵
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff607487-fdaf-4004-9965-09f0273593ad.vbs"
        7⤵
        
        PID:2304
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f4c7010-72d5-4ab7-83f9-1787f4b43fe2.vbs"
        5⤵
        
        PID:2948
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc5b4da1-8aea-40c7-af2a-ad8082fc6952.vbs"
    3⤵
    PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN0" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN0" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office14\1033\WmiPrvSE.exe

Filesize
1.7MB

MD5
ce898222cbc3d19e9e2ff6c6d75d55fd

SHA1
b1bcb8529fd16ee6c79cd5e3af97da10e39a16ca

SHA256
7bcdde5aa4257649eea128ee052b43cbf6b0fb29d50e2cd89627ac8560d14d74

SHA512
6a07426b01071c2fd1b14b2f67ce3c898f04af36cd2f50e7fa318b2b19ae4303f9d9ed2efcbd9beac3b017ede84c493e691404eedc254c025afba9e0fc802bf2

Download Submit
C:\Program Files\Mozilla Firefox\fonts\smss.exe

Filesize
1.7MB

MD5
20c06b4185f8cc20f3149a5b1920b9e9

SHA1
3b2f4c356b92fc6dc9707ba715a5ac145559cf69

SHA256
8b10d211aabe36133832851b44ff361136fe267e4c7bf91da7c1253badad5664

SHA512
d5045ef1bdd9b9643dc7d451f4292d087edd859d4b1cf66209753e7f77dd3f7e1fbc9291a14647b48b07c560d1fe97270a4bd9e6110664fff314466c3fba528c

Download Submit
C:\Program Files\Windows Photo Viewer\es-ES\smss.exe

Filesize
1.7MB

MD5
47953d47a10e71d0698af85b6ba36394

SHA1
578badeb2bdc6a801352d2dc90da2f22d96dd0bb

SHA256
d6f2abd5ceeebc119c589cbf6a930211aab48eabfc18a00a39ddde9b9ebdd9c6

SHA512
4a0c904cbd0f94ed17e9b19a59f64ae8c6fc661dc022285b2e6f3c8c317c60e2562f4e3d833bf7bf7ec77155a8b1dac1db27976831ae3cf3d5c8a15739c85d55

Download Submit
C:\Program Files\Windows Portable Devices\sppsvc.exe

Filesize
1.7MB

MD5
784f5cdc78ca7bf50ad113eb9d580290

SHA1
b93e873ee52b7e462c2de9d12c229e9c4e35a9be

SHA256
0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253d

SHA512
e6d13471a5c2269a9b9ba1e5f4f87662c63cfe87e53631615a45a3e8459f37c285eae13e29d3fe67f6589020cd461267714e27e6d93e7218fca6d1c1012ab7d9

Download Submit
C:\Program Files\Windows Portable Devices\sppsvc.exe

Filesize
1.7MB

MD5
813fb37c275dfb126ab7651479213429

SHA1
2a93bd8221c696b88cac1a6736c750283338d5bc

SHA256
cc680e157a5411978beb75c35cfe8adba137022da4124d8d4c59e516b5ea2e1b

SHA512
7a196786e15bdf7f5bbbb86d6203e7b7436be59b8c9bb307734a86287f6b2e081215c0df9d08bd62e0f4eb280c0df650d04188e26171ee098f96ab0a3b485bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\064d32dc-a619-4ab7-9f30-154caceb52f3.vbs

Filesize
723B

MD5
07dabaee5494d700ff8ac2719ecbba8e

SHA1
ca2d5cbfb87b05b9806257f18c322c815a6af6bb

SHA256
6e69beff9ba24d4ad3c16ad9c60283f5228b4d6f02e2bfcbdc382401a871b818

SHA512
05bf2b2db2f166ad92534417f56762e3b8ee0f24597c9021753b1704c4f82cbcebae7211d22f47c8e576c8adfccad75932693b176603fe3fe20a91617c644b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c35a35c-3669-4eec-ba3c-8ea5229cd75d.vbs

Filesize
723B

MD5
09020423555cb1489af16979d6851803

SHA1
1c77777309fe88d6e05d05ebb2ff13cfb055e633

SHA256
4102f22e21da68cfd06c655dc27bb0843e73aac8a9fb4e14280584b703d9a11c

SHA512
15fbbd987ecddc171c3fd03b6c6446ca508e9109390fdf93be50aa926b66ac6ba13129c9fcab385749cfba036d9aef3c1d70304ae63838bf3f8980d1edfc8b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\8567b28b-754a-452b-b00f-1647329e4e83.vbs

Filesize
723B

MD5
34bd203f023266a090e89d7ab39b59a3

SHA1
2090bbae009112332d250abc011fdff04de9ccb3

SHA256
f7f0017cc6d7326e378effd5f809fe7b89331078c2ab40cae172e50b3889c56b

SHA512
875533d7076437bdf08eb52adb5b75271dd9d95e87fc62ba532a3214e6303db301a7ba34317b910292ba3ccc22630fd3867c8737bd024282c6e1d3d3999415cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8958ee7e-7060-4a42-b777-fce1c01bf83f.vbs

Filesize
723B

MD5
54bc7af8da126cf87071bd53efd3dd19

SHA1
5461f5c1165723cd46fa964a5b9c4e46169742f9

SHA256
0414b5b23c4fb9a44ca2158641ad909dcc930dfba229e9b9cdf5bd537faec675

SHA512
7675c0cc0dddcd96b61d0a7f611ef61d0725f2de29070199a7c33b744c986d6d9e6ce21f3b9b34317f317c33712e264181288f144bd591884e096ffe14f447eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fcbc050-bad7-4ce9-b421-128bfec1e9f7.vbs

Filesize
723B

MD5
3a93824c9c5f8f9f40c53d5c3935a443

SHA1
7b35d562bed3862a9d89fabc5533d961f58e4896

SHA256
d3cb5659c7a98523cee321bc0282d4874034593382e6d25c5db1affc17febd10

SHA512
e2ce8666be198b9bf5cbc395563fbdf539f7b2170b78f6d12e749e0572946ac706da6527bd6f9d59fc33386f298d48d756818ba82020230877491af1c029577d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b79e8ed0-88a1-4509-be99-ad69dbf8c0df.vbs

Filesize
723B

MD5
09cf91a0fb2b03495302e47270f5e68b

SHA1
012128220c3f4d535ff7159ed159a98c1b075de0

SHA256
0b77e636417fc05368f760d7d9cba582160258a8a5c6bbbd5979de14d03e890b

SHA512
d77fc398b4d89090156f2701c75cd5e5931d0697f95ab6a59541b966b77d725c98955238b5753460e578bc1f89a57f219715f7fbb16e0fc2975911cd313fc80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\be7b1854-3e01-42d3-9968-d893c5d18e78.vbs

Filesize
723B

MD5
8ed5142802e30675a24305a528321a3a

SHA1
79ec7244d4148fe24ed5dc8b44a7f6695df4d227

SHA256
351ecd86977bce6f195ef11f4cea2e013a14dc2e13de1030b7c1220f4df6e8a3

SHA512
5b8544d72ebdaeead17a9d5e0edae3724be4193a8e5f51e389aaa9097f636f30ddc4db99cd224e00bd89b3f6b49769d85b323e78f30d70d9cf81e149e7e19b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5b4da1-8aea-40c7-af2a-ad8082fc6952.vbs

Filesize
499B

MD5
8efad20c056ba33db0fa61366731f8a4

SHA1
f0d813bf067d6bce4bb2a8b30aa9a2c1992e665b

SHA256
794d2cdcd8c97acd5c9e0e0f2cb88f4a973f1679d26f02a359422041ceb21580

SHA512
b20ceb317f6b135bc124779586c20e1c06bc566cf2ba07afff22ac7fc3ab614f4b2b670027d2307c373cf488f633d2ce381a8c7b4a5f372984b0b59896ddf14c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
464d079700c8998d18aa4da19a51b4f0

SHA1
37ce7f018c18e73d3c93a8c2a147029f41d0757d

SHA256
0b54dd292aa3d73c95973e3026ed7fcd338335b9ea84e5e358cb2d30209d7313

SHA512
b7420c20691e96d454c8a307828bdf394feb8d6d41b230e221b607a51f2206bedb1b8fdadfa087e81665c12a5b640a72c0dd819e5f69558255e12fdb2bc1c23c

Download Submit
C:\Windows\SoftwareDistribution\SelfUpdate\taskhost.exe

Filesize
1.7MB

MD5
1322ed70b9c2649ea5caa64a69cfe5d2

SHA1
cba98b22110e6af3080a895460a8f820d109d064

SHA256
904157acfc9536918088b5335a8d265375977589cc8b07d8163b987252909e67

SHA512
8c14d002d3aca55bb234d080341e621dd262af441abcf667a11e52efcae42abc98e21b295d382b2d1efc165d64cceff20b0d4f391ae171e82c331a11e5a34ff9

Download Submit
C:\Windows\tracing\sppsvc.exe

Filesize
1.7MB

MD5
dca6e9a6dc626ccb47df2432da8a9db3

SHA1
0ee7e4f823e10539cbae78776b5467d6305baca6

SHA256
bd8e6d30533dd4b79eae8dcb8fe94e4e2bbae872cd7e8b9ca6f22df01fb43662

SHA512
32d45268c9657a954d51f5fe9ec844a568c5ca4700dcc69b67b27637c02a0536e54f6fd962715cc0657c1efd247b4a8db3a52d609c3769bcaf63adb7534096d0

Download Submit
memory/600-322-0x0000000002030000-0x0000000002038000-memory.dmp

Filesize
32KB

Download
memory/1040-12-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1040-9-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1040-17-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/1040-16-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/1040-15-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1040-14-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/1040-187-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1040-212-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1040-224-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1040-13-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/1040-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1040-293-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1040-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1040-20-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1040-1-0x0000000000F50000-0x0000000001110000-memory.dmp

Filesize
1.8MB

Download
memory/1040-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1040-8-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/1040-7-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1040-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1040-6-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/1040-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/1040-4-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1492-321-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/1596-352-0x0000000000A50000-0x0000000000C10000-memory.dmp

Filesize
1.8MB

Download
memory/2020-398-0x00000000012C0000-0x0000000001480000-memory.dmp

Filesize
1.8MB

Download
memory/2276-283-0x00000000001B0000-0x0000000000370000-memory.dmp

Filesize
1.8MB

Download
memory/2744-375-0x0000000000FF0000-0x00000000011B0000-memory.dmp

Filesize
1.8MB

Download