dcrat | 6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Size

1.7MB
MD5

96eb6349f62024cbe4512ce6fe98e9ca
SHA1

ca1e4b20f9a1e3ffb2ab3776370fe94e936ad29f
SHA256

6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c
SHA512

5741d00be28702ea6e64cfb3ea44fe38df4cd2296b5949d5cfe7ed785eae922d9ba82b07893882d4b19e3685e17796e4fba0087d50366fc608939b9ce0cbd0e4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2732	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2012-1-0x0000000000EA0000-0x0000000001060000-memory.dmp	dcrat
behavioral1/files/0x00060000000174a6-27.dat	dcrat
behavioral1/files/0x000700000001757f-92.dat	dcrat
behavioral1/files/0x000a000000018696-184.dat	dcrat
behavioral1/memory/2248-340-0x0000000001110000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1612-396-0x00000000002E0000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2268-408-0x0000000001000000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/340-421-0x00000000002A0000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/756-433-0x0000000000F40000-0x0000000001100000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
3040	powershell.exe
2524	powershell.exe
1604	powershell.exe
1988	powershell.exe
2392	powershell.exe
2788	powershell.exe
2184	powershell.exe
1552	powershell.exe
2236	powershell.exe
1392	powershell.exe
2328	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Executes dropped EXE 10 IoCs

pid	Process
2248	explorer.exe
2664	explorer.exe
2988	explorer.exe
756	explorer.exe
2012	explorer.exe
1612	explorer.exe
2268	explorer.exe
340	explorer.exe
756	explorer.exe
1812	explorer.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\lsass.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX3F21.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\dwm.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX3D1C.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\7-Zip\Lang\6203df4a6bafc7	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Windows NT\24dbde2999530e	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCX2534.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\DVD Maker\de-DE\1610b97d3ab4a7	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Reference Assemblies\wininit.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX22C2.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Windows NT\RCX349C.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Windows NT\WmiPrvSE.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Reference Assemblies\56085415360792	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Windows NT\RCX349D.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Windows NT\WmiPrvSE.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Microsoft Office\dwm.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files\Reference Assemblies\wininit.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCX24C6.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCX3913.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCX3914.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX3F22.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\42af1c969fbb7b	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX22C1.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Program Files (x86)\Microsoft Office\6cb0b6c459d5d3	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lsass.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX3D1D.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\Aero\fr-FR\RCX2E21.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\system\RCX3026.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\explorer.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Setup\RCX4398.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Setup\RCX4399.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\system\7a0fd90576e088	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\explorer.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Fonts\csrss.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\Fonts\886983d96e3d3e	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\system\explorer.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\RCX3297.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\RCX3298.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\Resources\Themes\Aero\fr-FR\42af1c969fbb7b	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\Setup\OSPPSVC.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\Setup\1610b97d3ab4a7	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\system\RCX3025.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Setup\OSPPSVC.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Fonts\RCX459D.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\7a0fd90576e088	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\Fonts\csrss.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\fr-FR\RCX2E20.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File created	C:\Windows\system\explorer.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
File opened for modification	C:\Windows\Fonts\RCX459E.tmp	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2108	schtasks.exe
2788	schtasks.exe
1812	schtasks.exe
2184	schtasks.exe
2812	schtasks.exe
2428	schtasks.exe
2440	schtasks.exe
580	schtasks.exe
684	schtasks.exe
1528	schtasks.exe
1636	schtasks.exe
2588	schtasks.exe
316	schtasks.exe
2240	schtasks.exe
300	schtasks.exe
2544	schtasks.exe
1868	schtasks.exe
2460	schtasks.exe
872	schtasks.exe
1772	schtasks.exe
2356	schtasks.exe
1148	schtasks.exe
1208	schtasks.exe
1928	schtasks.exe
2468	schtasks.exe
888	schtasks.exe
864	schtasks.exe
324	schtasks.exe
2692	schtasks.exe
2900	schtasks.exe
2668	schtasks.exe
1496	schtasks.exe
2208	schtasks.exe
2436	schtasks.exe
3024	schtasks.exe
1152	schtasks.exe
3044	schtasks.exe
2456	schtasks.exe
2140	schtasks.exe
896	schtasks.exe
2616	schtasks.exe
996	schtasks.exe
396	schtasks.exe
2168	schtasks.exe
2764	schtasks.exe
380	schtasks.exe
1792	schtasks.exe
2736	schtasks.exe
2888	schtasks.exe
944	schtasks.exe
1832	schtasks.exe
2296	schtasks.exe
1744	schtasks.exe
352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
2788	powershell.exe
1392	powershell.exe
2236	powershell.exe
2392	powershell.exe
3040	powershell.exe
1988	powershell.exe
2184	powershell.exe
2420	powershell.exe
2524	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2248	explorer.exe
Token: SeDebugPrivilege	2664	explorer.exe
Token: SeDebugPrivilege	2988	explorer.exe
Token: SeDebugPrivilege	756	explorer.exe
Token: SeDebugPrivilege	2012	explorer.exe
Token: SeDebugPrivilege	1612	explorer.exe
Token: SeDebugPrivilege	2268	explorer.exe
Token: SeDebugPrivilege	340	explorer.exe
Token: SeDebugPrivilege	756	explorer.exe
Token: SeDebugPrivilege	1812	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2392	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	85
PID 2012 wrote to memory of 2392	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	85
PID 2012 wrote to memory of 2392	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	85
PID 2012 wrote to memory of 2788	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	86
PID 2012 wrote to memory of 2788	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	86
PID 2012 wrote to memory of 2788	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	86
PID 2012 wrote to memory of 2420	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	87
PID 2012 wrote to memory of 2420	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	87
PID 2012 wrote to memory of 2420	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	87
PID 2012 wrote to memory of 3040	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	88
PID 2012 wrote to memory of 3040	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	88
PID 2012 wrote to memory of 3040	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	88
PID 2012 wrote to memory of 2524	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	89
PID 2012 wrote to memory of 2524	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	89
PID 2012 wrote to memory of 2524	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	89
PID 2012 wrote to memory of 2184	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	90
PID 2012 wrote to memory of 2184	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	90
PID 2012 wrote to memory of 2184	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	90
PID 2012 wrote to memory of 1552	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	91
PID 2012 wrote to memory of 1552	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	91
PID 2012 wrote to memory of 1552	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	91
PID 2012 wrote to memory of 2236	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	92
PID 2012 wrote to memory of 2236	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	92
PID 2012 wrote to memory of 2236	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	92
PID 2012 wrote to memory of 1604	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	93
PID 2012 wrote to memory of 1604	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	93
PID 2012 wrote to memory of 1604	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	93
PID 2012 wrote to memory of 1988	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	94
PID 2012 wrote to memory of 1988	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	94
PID 2012 wrote to memory of 1988	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	94
PID 2012 wrote to memory of 1392	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	95
PID 2012 wrote to memory of 1392	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	95
PID 2012 wrote to memory of 1392	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	95
PID 2012 wrote to memory of 2328	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	96
PID 2012 wrote to memory of 2328	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	96
PID 2012 wrote to memory of 2328	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	96
PID 2012 wrote to memory of 2364	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	102
PID 2012 wrote to memory of 2364	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	102
PID 2012 wrote to memory of 2364	2012	6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe	102
PID 2364 wrote to memory of 2168	2364	cmd.exe	110
PID 2364 wrote to memory of 2168	2364	cmd.exe	110
PID 2364 wrote to memory of 2168	2364	cmd.exe	110
PID 2364 wrote to memory of 2248	2364	cmd.exe	112
PID 2364 wrote to memory of 2248	2364	cmd.exe	112
PID 2364 wrote to memory of 2248	2364	cmd.exe	112
PID 2248 wrote to memory of 2424	2248	explorer.exe	113
PID 2248 wrote to memory of 2424	2248	explorer.exe	113
PID 2248 wrote to memory of 2424	2248	explorer.exe	113
PID 2248 wrote to memory of 668	2248	explorer.exe	114
PID 2248 wrote to memory of 668	2248	explorer.exe	114
PID 2248 wrote to memory of 668	2248	explorer.exe	114
PID 2424 wrote to memory of 2664	2424	WScript.exe	115
PID 2424 wrote to memory of 2664	2424	WScript.exe	115
PID 2424 wrote to memory of 2664	2424	WScript.exe	115
PID 2664 wrote to memory of 2260	2664	explorer.exe	116
PID 2664 wrote to memory of 2260	2664	explorer.exe	116
PID 2664 wrote to memory of 2260	2664	explorer.exe	116
PID 2664 wrote to memory of 2856	2664	explorer.exe	117
PID 2664 wrote to memory of 2856	2664	explorer.exe	117
PID 2664 wrote to memory of 2856	2664	explorer.exe	117
PID 2260 wrote to memory of 2988	2260	WScript.exe	118
PID 2260 wrote to memory of 2988	2260	WScript.exe	118
PID 2260 wrote to memory of 2988	2260	WScript.exe	118
PID 2988 wrote to memory of 2384	2988	explorer.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe
"C:\Users\Admin\AppData\Local\Temp\6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMWcflW5t7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2168
- - C:\Windows\system\explorer.exe
    "C:\Windows\system\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04ba1993-6a18-4f3a-9a5a-5b17ccad2c9c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d482e035-3293-4fbf-a205-c092def64318.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\455d7a83-da5b-4235-aac1-fc63224a758d.vbs"
        8⤵
        
        PID:2384
        
        C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a4eb46-530e-494a-b4a9-8c015d2a0f45.vbs"
        10⤵
        
        PID:2000
        
        C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db79c6a2-f94e-48f9-b450-41c4177aa258.vbs"
        12⤵
        
        PID:1952
        
        C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1abd6c60-5bd0-43c1-bd8b-4fee78c286a2.vbs"
        14⤵
        
        PID:3036
        
        C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dd9bfd6-156e-49b7-87c0-5976c079d039.vbs"
        16⤵
        
        PID:2532
        
        C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59223f15-e33a-4550-a92e-76a2b0d109e2.vbs"
        18⤵
        
        PID:1472
        
        C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08cab57b-f866-40d2-bef9-22de4da14b82.vbs"
        20⤵
        
        PID:836
        
        C:\Windows\system\explorer.exe
        
        C:\Windows\system\explorer.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\972c553d-e156-4cf5-ae0b-b9f684cf9220.vbs"
        22⤵
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a02b56ff-8976-4066-8846-c5e727eff43b.vbs"
        22⤵
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b318e7c5-f350-4905-8a28-38a61e27d6ae.vbs"
        20⤵
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ded1359-7d52-42f6-8ea8-3d547eee3601.vbs"
        18⤵
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa8d218a-3997-470c-a918-df78c214b3bf.vbs"
        16⤵
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d8b7021-d201-4078-8256-ffee1126c798.vbs"
        14⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a05be7-520f-4973-9804-1d748275d189.vbs"
        12⤵
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eb9aa95-8013-4c23-b555-10c3b2a9d4fb.vbs"
        10⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50c82d7e-4c59-4624-b03c-ce585cb7eecc.vbs"
        8⤵
        
        PID:2788
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b144366-08fe-4998-a6a4-a7de7e102029.vbs"
        6⤵
        
        PID:2856
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ea3ac86-f969-417a-b881-d2a0b7428fb5.vbs"
      4⤵
      PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Themes\Aero\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\system\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\system\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\My Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Documents\My Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Setup\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\services.exe

Filesize
1.7MB

MD5
96eb6349f62024cbe4512ce6fe98e9ca

SHA1
ca1e4b20f9a1e3ffb2ab3776370fe94e936ad29f

SHA256
6fe1a98a1e9cf29f4da4055acd11e5537775ddb8616f4ea02f55aaa6c5d97c3c

SHA512
5741d00be28702ea6e64cfb3ea44fe38df4cd2296b5949d5cfe7ed785eae922d9ba82b07893882d4b19e3685e17796e4fba0087d50366fc608939b9ce0cbd0e4

Download Submit
C:\Program Files\DVD Maker\de-DE\OSPPSVC.exe

Filesize
1.7MB

MD5
5963d3f1908b936b06f8a1f07c5bca93

SHA1
a5c0c106cb3740040e580107fa24c3494aa2fce3

SHA256
1a27f19c28c308d7f0dab7e02314ee5531e48ade689bc6627b3f0adb96657d7b

SHA512
284de792c7488804cb9df5b3068e34fa40edc82ae7d453f9dad23d4e7e6d6f4b8dfac92149b79b3c926c75f568a449667aa80cc5ac3e00fe842a6c47b52e05de

Download Submit
C:\Users\Admin\AppData\Local\Temp\04ba1993-6a18-4f3a-9a5a-5b17ccad2c9c.vbs

Filesize
706B

MD5
9d90bd96ee1a9459b96236c0965f3956

SHA1
be386610cc86a9876226fb55bb580b7b3d6f0938

SHA256
82604a51407e0ad0dd02d2e7da28f878f21802567efd4c80f0ec7758dd7c46a7

SHA512
1324e8f4ff2217fd0c46eb503602a58a5546fff503b6f276d7ad15498c19a7057d03a6b414a7f0707d8f95b6f54d4f3b233caaf7f4a393edf9b06c03a3c74870

Download Submit
C:\Users\Admin\AppData\Local\Temp\06a4eb46-530e-494a-b4a9-8c015d2a0f45.vbs

Filesize
705B

MD5
c981c0a8165cae94c83f30a296962558

SHA1
b6548b29040b423146ea56dcc510ee554bb91702

SHA256
c42340a876e922e6b388fad9c62ca155ebb65ee20742af3f960251daf3db4f3e

SHA512
07beb53942a7cba286daf32b15f9088f8af5bc8fef4b2821a41571282efb19d456694b2976cba3878e5f1bcdac4bf7be4e7b85b8ef5b38276c1d4654aa3669dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1abd6c60-5bd0-43c1-bd8b-4fee78c286a2.vbs

Filesize
706B

MD5
9060f3199841b0e503cf8d1b7d9cbb88

SHA1
c660cf052293a45ec6532595f306a8a6128400c2

SHA256
c336f3dd23146eaf2900eafee75bf3a2d59ff614bd1848bdfcfcb81878d7512f

SHA512
4659ef0d199f956caeacb88b273dafdfe378ba3335d216d63955de1ab07133182e95243350f96e8fba02edffbf124cce1f91aaede9f223e8d26d23ea0ea7d895

Download Submit
C:\Users\Admin\AppData\Local\Temp\455d7a83-da5b-4235-aac1-fc63224a758d.vbs

Filesize
706B

MD5
f88f8180dec5ceea39eedcf0f3870725

SHA1
68cd8b8349e33c2703a3b4cac2d6ab2fcd832dea

SHA256
65672c57face614fabadc8971ecdd765e84ec7ea4e4cdfff7de208e658b5c418

SHA512
c4169552af5859c7dc5a130e668deb73ad6a109a3e7ad505ddda8d7910b359321abf8f6d3c39339bcfad81304d2cc56429f0e2627324bf5e312c1a4891b02524

Download Submit
C:\Users\Admin\AppData\Local\Temp\59223f15-e33a-4550-a92e-76a2b0d109e2.vbs

Filesize
705B

MD5
1256e1479d5feae0d9583ec7086e09e6

SHA1
1c63487f8d50a281f0b2d7a3a56871f68456ee43

SHA256
e66e7ff61dba0b90cdf1603becfbdf2bf6cf13366b3f105938abad8021ab6f5b

SHA512
43bc2fe5777092fd6fc3517d90405df6194940194466cd83818402004b0fbb190cc8b1dd12c893cd06af1caa5e21c215b6ca05c0cdebd26de626c6632e271547

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ea3ac86-f969-417a-b881-d2a0b7428fb5.vbs

Filesize
482B

MD5
24c73e36b5d9018d27de31398118591e

SHA1
ca0e200a263ba9656e4579bdadcc2e7f9e1a41e4

SHA256
7c1af57f3b797064f7d03a03f7350a6648bc70fd9f9c8b7250e17a6f29ab51a9

SHA512
ffeda789b79f0d3e3333bae52224c74b6f8c4d480f5a85f9c5e3e95d8eb0c173e34cab5e15ec81d1a6767064f369027c30a93d965669abbf00b35a82e39f60f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\972c553d-e156-4cf5-ae0b-b9f684cf9220.vbs

Filesize
706B

MD5
6799fef779f84f19fc2a0780e32957db

SHA1
df255e2faa7bc42913fe61e6e392f21e8d61ceb8

SHA256
0f77b66aa4a0184685e2e66ac692887d8116bc5118cc72c49f65856642c13868

SHA512
e10e24626079714d1ad36a444961de3ef83109a03c48f747988f39a60419ee6b5a6f93a7d45e32bf0335fc89f9322309f3582f9ad9c8a3f49439566c46f3c2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dd9bfd6-156e-49b7-87c0-5976c079d039.vbs

Filesize
706B

MD5
0cd2b1b94ba24b3deb74f189490f0325

SHA1
c7ac6e7bd40a7446285d2c17b5f22da691984518

SHA256
4da7415c4ec61e0eaf9e079034d3a9ee5808b4ec1f7ff95a4556fa87bef88ebc

SHA512
e5e6b8c3bb6b35c10821d9a1e0044ae9182c7e0e1b416effb7f7070656f12805cf780a4690acccc18515604ea685f92160cd0ca5bd27f30016da0aece90686ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMWcflW5t7.bat

Filesize
195B

MD5
fd9625f4413efa92c698f865f916d8c6

SHA1
58b03e32ff257513ec2d4e1ce031226a7f4eac20

SHA256
91c970782439c044a07eb5eae3832b9a942586cc580efd49e890474a3d3fb219

SHA512
8b5d129434d9dcc530afbd2907a0a0f7bbde78d0eede12e293ac28a4712a615c4dc44b6da4b228dd043771f6631865faaf38ce4a273bbf777fd0d6749ffbea1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d482e035-3293-4fbf-a205-c092def64318.vbs

Filesize
706B

MD5
344c654d9158e212b098751dee78f6f2

SHA1
d713b7422bdcb323aa914f87f3aaa763410241ca

SHA256
e57fe5013f23c36fa999cef7b8eb796efd9ef4c7bb9ec3aa0bb0591563183e36

SHA512
8db8352d1884250d78698daf126bd7534e0dddb66687a0ead1243e42b08df73fedceb7c7a24bc3563ddd5c296609056ad46c4522c1275cb5b92b386734e92791

Download Submit
C:\Users\Admin\AppData\Local\Temp\db79c6a2-f94e-48f9-b450-41c4177aa258.vbs

Filesize
706B

MD5
1dc92aa252b080f97f79071059d35503

SHA1
d8966e2b6aa57243eeba145851800e8d106b62fc

SHA256
c945999f946e46cd6ebf7398517ffdb2f4fa872a4a4f41dd9cb32d7b12ec46bb

SHA512
50a834dd8c07bc3d129b017efa773695fa931ce28fc04825fef292ee04fc4e0ee229ea31c8b2287c8e4a01004b4bfad46ba8df6406e9803aa824472f89356cc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3a4fea74978386f9c25a1bd7008a628d

SHA1
051004e5fea859f3fc688372fa8b6a8c1f0e010a

SHA256
e8a57245015dc5d82aeb368f83f2eee61adff3e8d10cbaacc4c71426934f95f2

SHA512
812afce1da8042a2941d4b04dc69fafc2f7c1b0c233ee6b02679d5babd8fdeb5abfbcfcb3b78150132b76b663ec003676acd24e17c6246134e1d75a70014b42b

Download Submit
C:\Users\Default\Videos\csrss.exe

Filesize
1.7MB

MD5
fa0b208ca29e4f728638b0f18e675101

SHA1
ac9b1052b0441e079e4e4dedf05294908ea11aa6

SHA256
bbdc0688f0d35c8b09751d49589bdae1213bb69a3a4a1565d8afd3f564698c7f

SHA512
3832cda273511811dcae6aaa682ae6c3d449a340dbf26fb78bb5e894b48d08bed8487897a9e73820a870cfa30d389fcb218b449371e039c6baaa86642ae1b9c7

Download Submit
memory/340-421-0x00000000002A0000-0x0000000000460000-memory.dmp

Filesize
1.8MB

Download
memory/756-433-0x0000000000F40000-0x0000000001100000-memory.dmp

Filesize
1.8MB

Download
memory/1392-299-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1612-396-0x00000000002E0000-0x00000000004A0000-memory.dmp

Filesize
1.8MB

Download
memory/2012-212-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-12-0x0000000000E80000-0x0000000000E8C000-memory.dmp

Filesize
48KB

Download
memory/2012-187-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/2012-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/2012-236-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-278-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-17-0x000000001AEC0000-0x000000001AECC000-memory.dmp

Filesize
48KB

Download
memory/2012-16-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

Filesize
48KB

Download
memory/2012-15-0x000000001ADA0000-0x000000001ADA8000-memory.dmp

Filesize
32KB

Download
memory/2012-1-0x0000000000EA0000-0x0000000001060000-memory.dmp

Filesize
1.8MB

Download
memory/2012-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-13-0x000000001AD90000-0x000000001AD9A000-memory.dmp

Filesize
40KB

Download
memory/2012-14-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/2012-20-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-3-0x0000000000560000-0x000000000057C000-memory.dmp

Filesize
112KB

Download
memory/2012-11-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/2012-9-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/2012-8-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2012-6-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download
memory/2012-7-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/2012-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2012-4-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/2248-340-0x0000000001110000-0x00000000012D0000-memory.dmp

Filesize
1.8MB

Download
memory/2268-409-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2268-408-0x0000000001000000-0x00000000011C0000-memory.dmp

Filesize
1.8MB

Download
memory/2392-301-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2988-362-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download