dcrat | 0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81

Analysis

max time kernel
119s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
Size

1.7MB
MD5

72cb277e1913e5e5b20651f1f9f1af40
SHA1

11d7a90ee561e39807428267387ea6c6c434ee24
SHA256

0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81
SHA512

0838d7441404feae5e0fdb62153a1179e8fd8381aca61e49cc70adcfa657c2aedce031f1de34142ff52e48b9f016709f4cc8ccb2d8b949fc621c0a6402bd253d
SSDEEP

49152:/+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:STHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2012	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	2012	schtasks.exe	85

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4068-1-0x00000000007D0000-0x0000000000990000-memory.dmp	dcrat
behavioral2/files/0x000a000000023cbc-32.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2336	powershell.exe
4252	powershell.exe
3440	powershell.exe
4336	powershell.exe
1556	powershell.exe
2932	powershell.exe
4880	powershell.exe
2488	powershell.exe
2272	powershell.exe
2176	powershell.exe
3328	powershell.exe
1988	powershell.exe
2668	powershell.exe
3988	powershell.exe
1856	powershell.exe
2744	powershell.exe
2908	powershell.exe
2400	powershell.exe
1480	powershell.exe
2952	powershell.exe
3632	powershell.exe
220	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 10 IoCs

pid	Process
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
1056	csrss.exe
4948	csrss.exe
1196	csrss.exe
4036	csrss.exe
2496	csrss.exe
740	csrss.exe
4836	csrss.exe
2212	csrss.exe
2772	csrss.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\pt-PT\csrss.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Windows\System32\pt-PT\csrss.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Windows\System32\pt-PT\886983d96e3d3e	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Windows\System32\pt-PT\RCXB354.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Windows\System32\pt-PT\RCXB365.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Idle.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCXB57A.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Idle.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\084b1a0ed15bba	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files (x86)\Microsoft\6ccacd8608530f	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCXB579.tmp	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\powershell.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\csrss.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Windows\bcastdvr\886983d96e3d3e	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File opened for modification	C:\Windows\bcastdvr\csrss.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
File created	C:\Windows\Globalization\ELS\SpellDictionaries\WmiPrvSE.exe	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2440	schtasks.exe
1820	schtasks.exe
4844	schtasks.exe
4444	schtasks.exe
3024	schtasks.exe
4964	schtasks.exe
4760	schtasks.exe
1988	schtasks.exe
3520	schtasks.exe
4152	schtasks.exe
3972	schtasks.exe
3116	schtasks.exe
4588	schtasks.exe
3376	schtasks.exe
2800	schtasks.exe
900	schtasks.exe
2608	schtasks.exe
1460	schtasks.exe
4284	schtasks.exe
3128	schtasks.exe
2884	schtasks.exe
2700	schtasks.exe
4208	schtasks.exe
4708	schtasks.exe
2496	schtasks.exe
1068	schtasks.exe
3632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2336	powershell.exe
2336	powershell.exe
4880	powershell.exe
4880	powershell.exe
1856	powershell.exe
1856	powershell.exe
4252	powershell.exe
4252	powershell.exe
3440	powershell.exe
3440	powershell.exe
2272	powershell.exe
2272	powershell.exe
3988	powershell.exe
3988	powershell.exe
2488	powershell.exe
2488	powershell.exe
2952	powershell.exe
2952	powershell.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
1480	powershell.exe
1480	powershell.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2668	powershell.exe
2668	powershell.exe
2952	powershell.exe
2668	powershell.exe
4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2272	powershell.exe
1856	powershell.exe
4880	powershell.exe
3440	powershell.exe
2336	powershell.exe
3988	powershell.exe
4252	powershell.exe
2488	powershell.exe
1480	powershell.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1056	csrss.exe
Token: SeDebugPrivilege	4948	csrss.exe
Token: SeDebugPrivilege	1196	csrss.exe
Token: SeDebugPrivilege	4036	csrss.exe
Token: SeDebugPrivilege	2496	csrss.exe
Token: SeDebugPrivilege	740	csrss.exe
Token: SeDebugPrivilege	4836	csrss.exe
Token: SeDebugPrivilege	2212	csrss.exe
Token: SeDebugPrivilege	2772	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2668	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	92
PID 4068 wrote to memory of 2668	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	92
PID 4068 wrote to memory of 3988	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	93
PID 4068 wrote to memory of 3988	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	93
PID 4068 wrote to memory of 2336	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	94
PID 4068 wrote to memory of 2336	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	94
PID 4068 wrote to memory of 4880	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	95
PID 4068 wrote to memory of 4880	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	95
PID 4068 wrote to memory of 2952	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	96
PID 4068 wrote to memory of 2952	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	96
PID 4068 wrote to memory of 2272	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	97
PID 4068 wrote to memory of 2272	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	97
PID 4068 wrote to memory of 2488	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	98
PID 4068 wrote to memory of 2488	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	98
PID 4068 wrote to memory of 3440	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	100
PID 4068 wrote to memory of 3440	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	100
PID 4068 wrote to memory of 1480	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	101
PID 4068 wrote to memory of 1480	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	101
PID 4068 wrote to memory of 1856	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	102
PID 4068 wrote to memory of 1856	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	102
PID 4068 wrote to memory of 4252	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	104
PID 4068 wrote to memory of 4252	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	104
PID 4068 wrote to memory of 2508	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	114
PID 4068 wrote to memory of 2508	4068	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	114
PID 2508 wrote to memory of 1988	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	141
PID 2508 wrote to memory of 1988	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	141
PID 2508 wrote to memory of 220	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	142
PID 2508 wrote to memory of 220	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	142
PID 2508 wrote to memory of 3632	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	143
PID 2508 wrote to memory of 3632	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	143
PID 2508 wrote to memory of 2932	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	144
PID 2508 wrote to memory of 2932	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	144
PID 2508 wrote to memory of 3328	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	145
PID 2508 wrote to memory of 3328	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	145
PID 2508 wrote to memory of 2176	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	146
PID 2508 wrote to memory of 2176	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	146
PID 2508 wrote to memory of 2400	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	147
PID 2508 wrote to memory of 2400	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	147
PID 2508 wrote to memory of 1556	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	148
PID 2508 wrote to memory of 1556	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	148
PID 2508 wrote to memory of 4336	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	149
PID 2508 wrote to memory of 4336	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	149
PID 2508 wrote to memory of 2908	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	150
PID 2508 wrote to memory of 2908	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	150
PID 2508 wrote to memory of 2744	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	151
PID 2508 wrote to memory of 2744	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	151
PID 2508 wrote to memory of 4056	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	163
PID 2508 wrote to memory of 4056	2508	0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe	163
PID 4056 wrote to memory of 3428	4056	cmd.exe	165
PID 4056 wrote to memory of 3428	4056	cmd.exe	165
PID 4056 wrote to memory of 1056	4056	cmd.exe	172
PID 4056 wrote to memory of 1056	4056	cmd.exe	172
PID 1056 wrote to memory of 2488	1056	csrss.exe	174
PID 1056 wrote to memory of 2488	1056	csrss.exe	174
PID 1056 wrote to memory of 4900	1056	csrss.exe	175
PID 1056 wrote to memory of 4900	1056	csrss.exe	175
PID 2488 wrote to memory of 4948	2488	WScript.exe	178
PID 2488 wrote to memory of 4948	2488	WScript.exe	178
PID 4948 wrote to memory of 2272	4948	csrss.exe	180
PID 4948 wrote to memory of 2272	4948	csrss.exe	180
PID 4948 wrote to memory of 428	4948	csrss.exe	181
PID 4948 wrote to memory of 428	4948	csrss.exe	181
PID 2272 wrote to memory of 1196	2272	WScript.exe	184
PID 2272 wrote to memory of 1196	2272	WScript.exe	184

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
"C:\Users\Admin\AppData\Local\Temp\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Users\Admin\AppData\Local\Temp\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe
  "C:\Users\Admin\AppData\Local\Temp\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\geIw2hseSY.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3428
  - - C:\Program Files\Uninstall Information\csrss.exe
      "C:\Program Files\Uninstall Information\csrss.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e55bbc9-c7cf-4ca4-8b71-146385b89b1b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Program Files\Uninstall Information\csrss.exe
        
        "C:\Program Files\Uninstall Information\csrss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e76c92d4-a1fd-4bc8-9f2d-fef8f754254e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Program Files\Uninstall Information\csrss.exe
        
        "C:\Program Files\Uninstall Information\csrss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1b65eda-351f-495a-8599-2afa658e4329.vbs"
        9⤵
        
        PID:2720
        
        C:\Program Files\Uninstall Information\csrss.exe
        
        "C:\Program Files\Uninstall Information\csrss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80a8b75e-a9e7-481a-947a-9da1a8d38959.vbs"
        11⤵
        
        PID:4336
        
        C:\Program Files\Uninstall Information\csrss.exe
        
        "C:\Program Files\Uninstall Information\csrss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6818d2fb-302e-4cc1-aefb-fefdedae308e.vbs"
        13⤵
        
        PID:2156
        
        C:\Program Files\Uninstall Information\csrss.exe
        
        "C:\Program Files\Uninstall Information\csrss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\746a8958-9469-4fd3-a8f0-7b7aad64b97f.vbs"
        15⤵
        
        PID:4824
        
        C:\Program Files\Uninstall Information\csrss.exe
        
        "C:\Program Files\Uninstall Information\csrss.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b0196b3-99dc-4579-8450-d7e6d0ef56de.vbs"
        17⤵
        
        PID:3912
        
        C:\Program Files\Uninstall Information\csrss.exe
        
        "C:\Program Files\Uninstall Information\csrss.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\686ee3d5-ec09-4c86-bd10-160c68c6be69.vbs"
        19⤵
        
        PID:4820
        
        C:\Program Files\Uninstall Information\csrss.exe
        
        "C:\Program Files\Uninstall Information\csrss.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\911b2e42-d0c6-45e0-b39b-558060cf55d1.vbs"
        21⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\548821a2-06ed-421b-b53a-db66b4a33cf0.vbs"
        21⤵
        
        PID:5024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5af1b9-d8d9-4c7a-a0b2-f09b5b9c0266.vbs"
        19⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed4e5315-984f-4156-8512-a27f8ad02d37.vbs"
        17⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2cba28f-8abd-4ddd-805e-47414fd6f1fc.vbs"
        15⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8f5ba10-92a8-4d58-ac3c-dab6efc61dd0.vbs"
        13⤵
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c998fff5-e89d-4374-8b37-2d6311e93de7.vbs"
        11⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd354d16-c5fa-470c-9d3d-2e261cc5492c.vbs"
        9⤵
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cb6c797-365b-4874-91cd-139d76153c35.vbs"
        7⤵
        
        PID:428
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ab665a4-4e47-4767-8784-6a42f93e6777.vbs"
        5⤵
        
        PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\pt-PT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\pt-PT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\pt-PT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N0" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N0" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b3bc9ca267ea2969eb6201d77e58560c

SHA1
78f83a443aa1ca235edcab2da9e2fda6fecc1da4

SHA256
7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695

SHA512
8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cbc41bceec6e8cf6d23f68d952487858

SHA1
f52edbceff042ded7209e8be90ec5e09086d62eb

SHA256
b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d

SHA512
0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfecb4e0f846589c2742fd84d6bbd1db

SHA1
730c66c99e80f1c7d0fdd1ef7483c9dfb0a770ec

SHA256
12190c96e9eef24f7ee9a4e19d806f29d4aedab1f2c696478dea5684941824aa

SHA512
669241f726837dcd3b6c6664e002c4938cf1ccf9be3f3b4a953efb35a2977c6ea9536e1b61b92b1b716991f9801f4516d8e1d53c65ac605174ece553f19da475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e82e9fb259f5ff79f4840f5a7f3c6d63

SHA1
129387f48407ff93671fd33bc0006fa5b4fcc7e9

SHA256
da7f056a10b61545f1db783b302a4728c8a76193a13bc2a5a69a1de7de5e9657

SHA512
f3f528c1f53b2f3bfaee6df208510764fe8bcf82db9be716dd612f4699990a5d4612f4f76e46252f8ca7344a198bd49c80b296a39cd36c89b0cf8f42d0c3c734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aba273eeba4876ea41ee0e64b4cbb51d

SHA1
bef5f75b81cf27268dc0d0f30f00b022f9288db9

SHA256
67fc3f5c3407858793c6fac6131b0f340667ffc567fa76b43245ecf2621322c9

SHA512
23dc2f0cfc68194dcbf407a6528cf9f9a8aa89f4821be22413bde036ae5ca44144b568aa3160372b9741f3d0f5baa48dff8a8b582bdedc3ad3fb121af340c0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ab665a4-4e47-4767-8784-6a42f93e6777.vbs

Filesize
500B

MD5
976c1be2b8bd551faced93ea7afb83cb

SHA1
a91bb04192722e503691ee4b38294d52b386be6c

SHA256
635032532b9519295ddf02f43ab9f26e2ef61c28432cafc71555765f8a9bb3ed

SHA512
07201512355f7e9ddc05bc7e417a24b5c335cd5a21f876eb7828a437b0b62d4e733921b2de2e76a2ac1fa8ed6fc34ab3e3753f3199c23d937c9d106437faec38

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e55bbc9-c7cf-4ca4-8b71-146385b89b1b.vbs

Filesize
724B

MD5
bd86ab36249c7f81abd8e8b6fd1f1e49

SHA1
e6d2113ee8ab4c987ca2fecf21af0c76287447ee

SHA256
ff9fcaa455001622d0535639f53e216bb3c410a3d2499ca9390357e3b35f2a1b

SHA512
f325a802239c7abe0e682bd9097a2069c1da60f08cb8f7443fa86a4f5a3e9b34dfb37a3d8861d997838b3517eef72237e8e2209e7ea4b59f2dee5858fc0a7ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6818d2fb-302e-4cc1-aefb-fefdedae308e.vbs

Filesize
724B

MD5
09ace0cd81370b438316ca3dca3dc49b

SHA1
a3571ce71c8c36c3b45c21be3371886d49b9d1b5

SHA256
c19097416a02e3d9833bc4f8fa32916b7e2a7187b5bf5f2040acfe10ce792985

SHA512
7f0992700acb37afabff748f03b01e892d63c427c1afa0f977a8d1f7bbee29d356162ad0658d3212896e294f46a9b005261abb1c71791a8cb63fdb2d3b7cde0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\686ee3d5-ec09-4c86-bd10-160c68c6be69.vbs

Filesize
724B

MD5
1d0b0b3c8a0cb51fc788d1f706df8f2d

SHA1
de7f830c786f2d233b09df5968d62349e46758d7

SHA256
473a6c488fdf8b9e08a2e91938f4c93f01bb2e17b25c4486ba1e8f44f7d5a035

SHA512
15180907fe287eb01c7c1a2248fa3e546ec702b20f1819eb30537138b1e4ddabccc34a7b8166870f7d6a7854c9ade991be7cb3d0efa3b4bda9526f355332a820

Download Submit
C:\Users\Admin\AppData\Local\Temp\746a8958-9469-4fd3-a8f0-7b7aad64b97f.vbs

Filesize
723B

MD5
d1f8ae1e0cb63a1618434f4146de4dd0

SHA1
bfab94c7088a27dd28823c1b29d6fd017ce42422

SHA256
28105919ba828604b53a5abe83530acccb443d3a7a8b0a51f1b152d0345c82c3

SHA512
4224ae04cc5fad6ce8f26c7014316247b42c483aa448ba2ca41459e2508b4dac7824ba911bbf52126bed41c568fc44f8f0e6ca0c623aa132bc62139bb6429402

Download Submit
C:\Users\Admin\AppData\Local\Temp\80a8b75e-a9e7-481a-947a-9da1a8d38959.vbs

Filesize
724B

MD5
03ae0375689970ad63d34d0d2b16e40f

SHA1
c4023ac43df91b8077549258c3d783625dad9724

SHA256
6892be15850da3d726346382b2ad863f4d4c1423cf13f5593c9ee2232ee5aa76

SHA512
d82d2c5e71c2051949fc6789f6bb72f4574f452334c2cb61283f8403c412ea0593a098b5a87c89e5169cdc61a90d1e6f87b711166144ed34fd17a9630a97640f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b0196b3-99dc-4579-8450-d7e6d0ef56de.vbs

Filesize
724B

MD5
37be777720b6a500ec56286bebf67f17

SHA1
2c5818513d0e82d91cdf85d1fd4632691009eb18

SHA256
5e12a91e5e39288dc8debf0b7a9a93fd94be33c8eca0441ec1104b3e790ee943

SHA512
d3565a9b01592b6d6bc456c6c541c3fa2bd6e20cd2c4ca02a4dc7d5dbdce2e389795a56dbb9f3cfc2ada1b2dc496ed2a6fe34d5fb2c3062d463e0ede722666e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\911b2e42-d0c6-45e0-b39b-558060cf55d1.vbs

Filesize
724B

MD5
fe529cf68c9d416e5fecce43d0cb50eb

SHA1
08c4bd28c3beb1a5d951232d4bf12251a8ab42ad

SHA256
540135be367a76dae49746696b4bdff3eb18e57f4603bdaad9b95c6c1bb7ea2f

SHA512
45881ebdd9193f88249b763c683e3f0ea2893eb50cdd129939c2378a8f2c18fb4417f7e1f8bc3bbb81d02940e7ffbebc364c9f9db8a685255fb42370457313b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjm4hbig.dg2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1b65eda-351f-495a-8599-2afa658e4329.vbs

Filesize
724B

MD5
c0a72b974a5e26a29fd0297850363417

SHA1
0e3d9102a313bdf5a65597bb04eac6260ff423d5

SHA256
6315282596e1c85289b7f56872aab80d5416ccfb2b6151b484b8bfb1e8ea1533

SHA512
2e4a183848c6463bb02c06ba5420120c6092b38d8fe2cf0610fe630af2a83bcf224ce12b64728860ab8159902b316be11f7c66c197f140f51e18e9f09111c9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\e76c92d4-a1fd-4bc8-9f2d-fef8f754254e.vbs

Filesize
724B

MD5
cb7534dcf397a356a355a1a8bc69ffa9

SHA1
349a4a5706f0d5ee4aa3ba50019b0314dbc1c1b1

SHA256
91ec06657cb6771e6655d2093b3f7b71eb626a40062c7b3d0f493f413a7cf497

SHA512
650770ef6c7217a5dcfc1acca29ba3ea671bb2376b33f8661ec774841b6c9f1125908f7deea66f2d1dfdec0d80c01418fb5b642c399fad28ad72c69e94f88104

Download Submit
C:\Users\Admin\AppData\Local\Temp\geIw2hseSY.bat

Filesize
213B

MD5
5dc1bf24a0d7e2134ce207ee845734a0

SHA1
21a2ee6d2143044a4eb71d62d95cdc8d3a8888e6

SHA256
717f7f17ebe9bc822f3f4c4c9c44eba721bb60a58e9f17b4dd8dc3be0a0cf193

SHA512
6fc8baa178800b6a22258ef8dd7a78d8a6a7eb10213ecc35ea02ffc02088f7912a1e50e598da395012f38a05795bb7c9a3f60820df4de1417e4ffb91474f9b70

Download Submit
C:\Windows\System32\pt-PT\csrss.exe

Filesize
1.7MB

MD5
72cb277e1913e5e5b20651f1f9f1af40

SHA1
11d7a90ee561e39807428267387ea6c6c434ee24

SHA256
0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81

SHA512
0838d7441404feae5e0fdb62153a1179e8fd8381aca61e49cc70adcfa657c2aedce031f1de34142ff52e48b9f016709f4cc8ccb2d8b949fc621c0a6402bd253d

Download Submit
memory/220-340-0x000001881E9D0000-0x000001881EB3A000-memory.dmp

Filesize
1.4MB

Download
memory/1056-363-0x000000001CEC0000-0x000000001CED2000-memory.dmp

Filesize
72KB

Download
memory/1480-208-0x00000241F0BB0000-0x00000241F0D1A000-memory.dmp

Filesize
1.4MB

Download
memory/1556-359-0x000001EF365F0000-0x000001EF3675A000-memory.dmp

Filesize
1.4MB

Download
memory/1856-202-0x000001B2F22A0000-0x000001B2F240A000-memory.dmp

Filesize
1.4MB

Download
memory/1988-356-0x0000014DA06D0000-0x0000014DA083A000-memory.dmp

Filesize
1.4MB

Download
memory/2176-346-0x00000186C8D80000-0x00000186C8EEA000-memory.dmp

Filesize
1.4MB

Download
memory/2212-442-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/2272-177-0x0000026498680000-0x00000264987EA000-memory.dmp

Filesize
1.4MB

Download
memory/2336-200-0x000001C47DF50000-0x000001C47E0BA000-memory.dmp

Filesize
1.4MB

Download
memory/2400-341-0x000001E0CEAE0000-0x000001E0CEC4A000-memory.dmp

Filesize
1.4MB

Download
memory/2488-207-0x00000292D8A90000-0x00000292D8BFA000-memory.dmp

Filesize
1.4MB

Download
memory/2508-160-0x000000001B450000-0x000000001B462000-memory.dmp

Filesize
72KB

Download
memory/2668-193-0x0000029D6E120000-0x0000029D6E28A000-memory.dmp

Filesize
1.4MB

Download
memory/2744-336-0x0000022229420000-0x000002222958A000-memory.dmp

Filesize
1.4MB

Download
memory/2772-454-0x000000001D440000-0x000000001D452000-memory.dmp

Filesize
72KB

Download
memory/2908-347-0x0000026B7A0D0000-0x0000026B7A23A000-memory.dmp

Filesize
1.4MB

Download
memory/2932-337-0x000001F5FE750000-0x000001F5FE8BA000-memory.dmp

Filesize
1.4MB

Download
memory/2952-186-0x00000223210D0000-0x000002232123A000-memory.dmp

Filesize
1.4MB

Download
memory/3328-350-0x000001AD5D3F0000-0x000001AD5D55A000-memory.dmp

Filesize
1.4MB

Download
memory/3440-187-0x000002321FB00000-0x000002321FC6A000-memory.dmp

Filesize
1.4MB

Download
memory/3632-353-0x000001AA79370000-0x000001AA794DA000-memory.dmp

Filesize
1.4MB

Download
memory/3988-192-0x00000200F4750000-0x00000200F48BA000-memory.dmp

Filesize
1.4MB

Download
memory/4068-17-0x000000001B5B0000-0x000000001B5B8000-memory.dmp

Filesize
32KB

Download
memory/4068-13-0x000000001C210000-0x000000001C738000-memory.dmp

Filesize
5.2MB

Download
memory/4068-23-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-22-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-1-0x00000000007D0000-0x0000000000990000-memory.dmp

Filesize
1.8MB

Download
memory/4068-19-0x000000001BDE0000-0x000000001BDEC000-memory.dmp

Filesize
48KB

Download
memory/4068-18-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

Filesize
48KB

Download
memory/4068-0-0x00007FF976223000-0x00007FF976225000-memory.dmp

Filesize
8KB

Download
memory/4068-15-0x000000001BF30000-0x000000001BF3A000-memory.dmp

Filesize
40KB

Download
memory/4068-159-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-16-0x000000001BF40000-0x000000001BF4E000-memory.dmp

Filesize
56KB

Download
memory/4068-2-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4068-14-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

Filesize
48KB

Download
memory/4068-3-0x0000000002B50000-0x0000000002B6C000-memory.dmp

Filesize
112KB

Download
memory/4068-12-0x000000001B560000-0x000000001B572000-memory.dmp

Filesize
72KB

Download
memory/4068-10-0x000000001B500000-0x000000001B508000-memory.dmp

Filesize
32KB

Download
memory/4068-9-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

Filesize
48KB

Download
memory/4068-8-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

Filesize
64KB

Download
memory/4068-7-0x000000001B4C0000-0x000000001B4D6000-memory.dmp

Filesize
88KB

Download
memory/4068-5-0x0000000002B70000-0x0000000002B78000-memory.dmp

Filesize
32KB

Download
memory/4068-6-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/4068-4-0x000000001B510000-0x000000001B560000-memory.dmp

Filesize
320KB

Download
memory/4252-201-0x00000292371E0000-0x000002923734A000-memory.dmp

Filesize
1.4MB

Download
memory/4336-333-0x000001DB79880000-0x000001DB799EA000-memory.dmp

Filesize
1.4MB

Download
memory/4880-61-0x0000029B28FC0000-0x0000029B28FE2000-memory.dmp

Filesize
136KB

Download
memory/4880-185-0x0000029B415C0000-0x0000029B4172A000-memory.dmp

Filesize
1.4MB

Download