dcrat | 19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9b

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
Size

1.7MB
MD5

14f062343048bd7e161bcf20c6c2aa30
SHA1

818b3e07f2ff1b0b1b06ff835669c8db109618b4
SHA256

19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9b
SHA512

9aaedd4368e48ebd58229ca2f04a4261fd903bc3ff8cd7cb031d7e43572ade0d88d3cb13c20409b74b30eb01989843283ce727cf3925d03fdbd2cd525a1726d4
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	628	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1684-1-0x0000000001300000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/files/0x0005000000019429-27.dat	dcrat
behavioral1/files/0x0008000000016c53-89.dat	dcrat
behavioral1/files/0x0007000000019490-123.dat	dcrat
behavioral1/files/0x00080000000194da-146.dat	dcrat
behavioral1/memory/1420-274-0x0000000001020000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/1772-341-0x0000000000010000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2224-354-0x0000000000F50000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/1316-389-0x0000000000130000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/files/0x000500000001a489-400.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe
2776	powershell.exe
2576	powershell.exe
2340	powershell.exe
2732	powershell.exe
2444	powershell.exe
3020	powershell.exe
1584	powershell.exe
2156	powershell.exe
2324	powershell.exe
484	powershell.exe
3008	powershell.exe
2840	powershell.exe
2700	powershell.exe
2548	powershell.exe
2768	powershell.exe
2216	powershell.exe
2244	powershell.exe
352	powershell.exe
1176	powershell.exe
2792	powershell.exe
2256	powershell.exe
2240	powershell.exe
2868	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe

Executes dropped EXE 8 IoCs

pid	Process
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1420	conhost.exe
2264	conhost.exe
1772	conhost.exe
2224	conhost.exe
1744	conhost.exe
1304	conhost.exe
1316	conhost.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\24dbde2999530e	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\5940a34987c991	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXBE63.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dllhost.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\5940a34987c991	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\RCXC348.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\smss.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\RCXC54C.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCXCE3A.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXBE64.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\RCXC2DA.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\RCXC54D.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\RCXD0AD.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dllhost.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\69ddcba757bf72	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WmiPrvSE.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WmiPrvSE.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCXCEA8.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\RCXD0AC.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\smss.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\CSC\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File created	C:\Windows\CSC\23dd9a6ac3bd1d	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Windows\CSC\RCXC068.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Windows\CSC\RCXC069.tmp	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
File opened for modification	C:\Windows\CSC\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe
1976	schtasks.exe
1760	schtasks.exe
2972	schtasks.exe
2968	schtasks.exe
1972	schtasks.exe
2900	schtasks.exe
1800	schtasks.exe
976	schtasks.exe
2944	schtasks.exe
2724	schtasks.exe
2740	schtasks.exe
1848	schtasks.exe
2344	schtasks.exe
2556	schtasks.exe
2908	schtasks.exe
980	schtasks.exe
1660	schtasks.exe
2496	schtasks.exe
2996	schtasks.exe
708	schtasks.exe
1936	schtasks.exe
2176	schtasks.exe
2128	schtasks.exe
2676	schtasks.exe
2544	schtasks.exe
856	schtasks.exe
2200	schtasks.exe
1328	schtasks.exe
1816	schtasks.exe
3028	schtasks.exe
2172	schtasks.exe
2872	schtasks.exe
1944	schtasks.exe
2436	schtasks.exe
2964	schtasks.exe
1604	schtasks.exe
2856	schtasks.exe
1704	schtasks.exe
1420	schtasks.exe
2792	schtasks.exe
2712	schtasks.exe
3012	schtasks.exe
1464	schtasks.exe
1180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3008	powershell.exe
2768	powershell.exe
2700	powershell.exe
2868	powershell.exe
2096	powershell.exe
2444	powershell.exe
484	powershell.exe
2840	powershell.exe
2244	powershell.exe
2548	powershell.exe
2324	powershell.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3020	powershell.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
Token: SeDebugPrivilege	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1420	conhost.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2264	conhost.exe
Token: SeDebugPrivilege	1772	conhost.exe
Token: SeDebugPrivilege	2224	conhost.exe
Token: SeDebugPrivilege	1744	conhost.exe
Token: SeDebugPrivilege	1304	conhost.exe
Token: SeDebugPrivilege	1316	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2444	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	65
PID 1684 wrote to memory of 2444	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	65
PID 1684 wrote to memory of 2444	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	65
PID 1684 wrote to memory of 2244	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	66
PID 1684 wrote to memory of 2244	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	66
PID 1684 wrote to memory of 2244	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	66
PID 1684 wrote to memory of 484	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	67
PID 1684 wrote to memory of 484	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	67
PID 1684 wrote to memory of 484	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	67
PID 1684 wrote to memory of 2868	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	68
PID 1684 wrote to memory of 2868	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	68
PID 1684 wrote to memory of 2868	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	68
PID 1684 wrote to memory of 3020	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	69
PID 1684 wrote to memory of 3020	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	69
PID 1684 wrote to memory of 3020	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	69
PID 1684 wrote to memory of 2768	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	70
PID 1684 wrote to memory of 2768	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	70
PID 1684 wrote to memory of 2768	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	70
PID 1684 wrote to memory of 2324	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	73
PID 1684 wrote to memory of 2324	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	73
PID 1684 wrote to memory of 2324	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	73
PID 1684 wrote to memory of 2096	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	75
PID 1684 wrote to memory of 2096	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	75
PID 1684 wrote to memory of 2096	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	75
PID 1684 wrote to memory of 2548	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	77
PID 1684 wrote to memory of 2548	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	77
PID 1684 wrote to memory of 2548	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	77
PID 1684 wrote to memory of 2700	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	78
PID 1684 wrote to memory of 2700	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	78
PID 1684 wrote to memory of 2700	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	78
PID 1684 wrote to memory of 2840	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	79
PID 1684 wrote to memory of 2840	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	79
PID 1684 wrote to memory of 2840	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	79
PID 1684 wrote to memory of 3008	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	80
PID 1684 wrote to memory of 3008	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	80
PID 1684 wrote to memory of 3008	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	80
PID 1684 wrote to memory of 3012	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	89
PID 1684 wrote to memory of 3012	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	89
PID 1684 wrote to memory of 3012	1684	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	89
PID 3012 wrote to memory of 1176	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	102
PID 3012 wrote to memory of 1176	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	102
PID 3012 wrote to memory of 1176	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	102
PID 3012 wrote to memory of 2792	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	103
PID 3012 wrote to memory of 2792	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	103
PID 3012 wrote to memory of 2792	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	103
PID 3012 wrote to memory of 352	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	104
PID 3012 wrote to memory of 352	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	104
PID 3012 wrote to memory of 352	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	104
PID 3012 wrote to memory of 1584	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	106
PID 3012 wrote to memory of 1584	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	106
PID 3012 wrote to memory of 1584	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	106
PID 3012 wrote to memory of 2240	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	108
PID 3012 wrote to memory of 2240	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	108
PID 3012 wrote to memory of 2240	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	108
PID 3012 wrote to memory of 2732	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	109
PID 3012 wrote to memory of 2732	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	109
PID 3012 wrote to memory of 2732	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	109
PID 3012 wrote to memory of 2340	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	110
PID 3012 wrote to memory of 2340	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	110
PID 3012 wrote to memory of 2340	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	110
PID 3012 wrote to memory of 2576	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	111
PID 3012 wrote to memory of 2576	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	111
PID 3012 wrote to memory of 2576	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	111
PID 3012 wrote to memory of 2256	3012	19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
"C:\Users\Admin\AppData\Local\Temp\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe
  "C:\Users\Admin\AppData\Local\Temp\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
    "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02decd72-44c8-49e3-9503-5255b651644b.vbs"
      4⤵
      PID:1700
    - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\986cb5bb-6d74-4077-bf5b-20918b26ce0e.vbs"
        6⤵
        
        PID:1260
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7895b1a3-960d-4dce-9646-9957f7bd2dc6.vbs"
        8⤵
        
        PID:2500
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92c5137f-2a3b-4d34-b7a5-cc43ea91bc1f.vbs"
        10⤵
        
        PID:980
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e5ff07a-f1cb-4d2d-92a0-de4ee1027a65.vbs"
        12⤵
        
        PID:1964
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0827f18b-ac75-4edf-b4f9-6581ffee1984.vbs"
        14⤵
        
        PID:1236
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ef44c4d-97d7-44ad-a85c-4ced2b3dda62.vbs"
        16⤵
        
        PID:1660
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
        17⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e69e71e4-45fa-415f-9328-ecc9833c0eac.vbs"
        16⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c515951a-83c6-4b6f-9d9b-93835e36772d.vbs"
        14⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aba1b823-5e61-4291-b466-71082e52920c.vbs"
        12⤵
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c2d611f-5bb6-4535-9cec-4fd22be43687.vbs"
        10⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\407a3207-288b-4d4b-ada8-7737fb7b14df.vbs"
        8⤵
        
        PID:2560
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c2cad4d-91f3-4e68-af3a-7bee7ad0f310.vbs"
        6⤵
        
        PID:1804
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9307f619-2750-4742-b68c-dadea007ab12.vbs"
      4⤵
      PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN1" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN" /sc ONLOGON /tr "'C:\Windows\CSC\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN1" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9bN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe

Filesize
505KB

MD5
6d42f9dc6140c82c2e391b623f642d08

SHA1
f8c73ec85812616047766c1e5b31e82f4d09c747

SHA256
20d53793b2faf012a11936afdc1787e9d984a8e3cd1abe47d2d7c85c0fc4e64a

SHA512
e68f7f7a78167e8a43e17d937871d130849da34195eb28405ec5dc5784d47b502cb5ceef272ff15ade32f0409b71c386176da6f0752b43f91b7c427fccc66bac

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WmiPrvSE.exe

Filesize
1.7MB

MD5
14f062343048bd7e161bcf20c6c2aa30

SHA1
818b3e07f2ff1b0b1b06ff835669c8db109618b4

SHA256
19529dcddcd4e5f28d2922af9feb891de07490ae79709e5071023e96944f2d9b

SHA512
9aaedd4368e48ebd58229ca2f04a4261fd903bc3ff8cd7cb031d7e43572ade0d88d3cb13c20409b74b30eb01989843283ce727cf3925d03fdbd2cd525a1726d4

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\smss.exe

Filesize
1.7MB

MD5
5921c54b346f5e47b9ad27282f357b2e

SHA1
d58ee3b653df81a55a8ef0443aa32283786f5f19

SHA256
1593282b5c151ad41dbe17c6ef430b4c76f7f49e34c43bf2e555159e76a62451

SHA512
b89471b987398731821267ce0c83f84b722fe9edce2477e58c7f161bf049ba5bf4e70d1214e450ba0838409e3f36692d9ece25c2771fb1fdd13566715fca575e

Download Submit
C:\Program Files\Windows Sidebar\ja-JP\dllhost.exe

Filesize
1.7MB

MD5
2fb0acf8e9c4fa991a0919556847247e

SHA1
f920c0574a9bf68961aa138fb3ecd4a9b962cba6

SHA256
0aa55a0b5f2c1c85607b0fc1e8a78f206f367eda847774f76ee5855aa206b47e

SHA512
efbd6d624003c12b22a827edffc4294fec49613ab30c94888c09eaa9b7aff57db36225a7ced8da2619520a3951b28e7a507b0ced5a4ee5a9e9ae5aed2c055d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\02decd72-44c8-49e3-9503-5255b651644b.vbs

Filesize
750B

MD5
2332169692634599f726867b709c2b94

SHA1
c7a497ea80e3e904b0f452c5e254e3012bf1418d

SHA256
d158fb675067342a705d3c874f1569c361ff10116ff4f02fb441c7889276fc3a

SHA512
79011f6d09ecbed4d439428ac3dbac71d537b77b0195b27441b23141c8ffef0ac5b40905aea881c87248b0925022c075af22045fe36111461dd3d0773ea09b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\0827f18b-ac75-4edf-b4f9-6581ffee1984.vbs

Filesize
750B

MD5
2aa9ae3c0687070c6452a1aea51a9d87

SHA1
608a93e29caafd6b54273008052d862bcb8b8ae3

SHA256
52c0c43544f194bd02c2d0ec13ce113d044f8094185309c9944151abc386ea33

SHA512
f0c4bdf5d0decda43972171099a343ba6ccb6fe70cfa10610e02f98905a0ae29e2106f4c47fa61f5bca4132286582770657560ee1f5ce4a326a22e3d9a7b75bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e5ff07a-f1cb-4d2d-92a0-de4ee1027a65.vbs

Filesize
750B

MD5
3ccde5b4991f9643cae0d8ec9345c502

SHA1
4071e8bab634c535e77f8f2b1e2ee6398d4fc52a

SHA256
265f77746d2ebb64edaaf37c90cc69e600e93ef584741cedb59d548128d15546

SHA512
ff298f10374659a09d88ed649eb25b19377b325a32253fb43a44654257dc9a191a4cf3e8b876de7307f1d9cccc8806361cdd6cd5b89464e571f063f7128c0b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7895b1a3-960d-4dce-9646-9957f7bd2dc6.vbs

Filesize
750B

MD5
0bafe078cb5f786f13b95d50415101f3

SHA1
0ad4d7e991bfe8418676ae34deee889913c11dbd

SHA256
6961801367194c05ec4a393487f59ac9f51aca5804ca3ae721eb92c0660cafaa

SHA512
a60430927a2a7b1e6da200a9753d3cdf030985a4e00d713017e41b96dd7b9ef979149ca56a72b6dd35e5b7328958dbdd89018c1bf5e8fee88825cd2d7550b75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ef44c4d-97d7-44ad-a85c-4ced2b3dda62.vbs

Filesize
750B

MD5
60f203379ebe3ccc4f5d9bf3f6c3333c

SHA1
d238ade787b7a44f494858b5810d04933aa96821

SHA256
02966901a1e9de6c819d004805de36a51eb8627a39a7de48241587f7565612cc

SHA512
f71818e9e4ffc1d12afad249b64fddd05e5cfaee1ec00f8894ec1ab70bca3dcf2d5938eaeca10c6078bdbf0e7dc581b6235ce629c9d8e21bd3ef6689b1224d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\92c5137f-2a3b-4d34-b7a5-cc43ea91bc1f.vbs

Filesize
750B

MD5
eaa6f9023ebea08dfb5c72d5157f938a

SHA1
2e4a8d9253d2402536a93c476289833002b89f6f

SHA256
ebc53534ba8b925534cf4451066d7823615005a5ad41b181865b092d8acc93d5

SHA512
2a091f43c3b2d51a902ea4f58da36e03df4fce638f57dc2eec140737b809dc4c60fbaac22ddcfd376313ee303710c06129a02f2826c48548e1d9300ad68e5409

Download Submit
C:\Users\Admin\AppData\Local\Temp\9307f619-2750-4742-b68c-dadea007ab12.vbs

Filesize
526B

MD5
9914876d9818ccc6c8c2009b8fc6092c

SHA1
b40fba296d295d6c9e8c98ef45c72a5c08bc4b85

SHA256
017ac2e9654986180c832ceeaa8df347c0e4bd20b882294e33a1c066d70e1f30

SHA512
3e9b258e808cbeeb81f57174b5930c41758d854fad1cc3bddccca9b9a21d38f51dee0f0446b5ef0c1d5815adce2524ffe89375647e800b6a6a96efa4766a8185

Download Submit
C:\Users\Admin\AppData\Local\Temp\986cb5bb-6d74-4077-bf5b-20918b26ce0e.vbs

Filesize
750B

MD5
ce25a5a439cc951e5bbe375e78b5b73a

SHA1
a1dd9ab25ad82efe8b46db13a508a6f8fce26f6a

SHA256
33337872eb099b9fee6917c486341f8558a930b4b9ce17757cc4a4af71d52fef

SHA512
b5e841b92e1f8351b83a05f40ef89d83fb7b89e7f3caa26724c00da5735ae64dbc74f053b70f94e2eb34c09bf8b9f6900949f27f7c888216ba862a208ea0cd81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4b2eb32835752a20d3e5ae71d040519f

SHA1
ffafb1f0e6a03191f8151058970c4841cbf67501

SHA256
6ca027884f58bbf3bcf5c1b7f529e916a9c938a55afeef5a010d091ecec5c6a3

SHA512
2ffb933122191ccb9512196f112957642a265b3511358eaa7831b4613fe290c7e9ee950eea40fd212d84c8b08cc54ff78b8b293c36d702e97e5466f10737c325

Download Submit
C:\Users\Default\smss.exe

Filesize
1.7MB

MD5
88dc071e610948adbe8b7fe68aade11c

SHA1
2069da88107f9dd882fde7d54768d8a8bba42536

SHA256
2ac1918052292fa54890679a6224a0f3d8c08c45b4506ce863ab4317083e8110

SHA512
33d784f6410596dca0cbc300c01610cccccfda1f339c5d18b2ccfe36b3e42896dd61431a82f96d8236ef2a9184705f32263962b44ff8543fe36029cd974540a8

Download Submit
memory/1304-377-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1316-389-0x0000000000130000-0x00000000002F0000-memory.dmp

Filesize
1.8MB

Download
memory/1420-274-0x0000000001020000-0x00000000011E0000-memory.dmp

Filesize
1.8MB

Download
memory/1684-175-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-6-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/1684-17-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/1684-16-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/1684-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

Filesize
4KB

Download
memory/1684-15-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/1684-1-0x0000000001300000-0x00000000014C0000-memory.dmp

Filesize
1.8MB

Download
memory/1684-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-13-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/1684-14-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/1684-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/1684-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1684-12-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/1684-11-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1684-9-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1684-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1684-7-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1684-8-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1684-20-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1772-342-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1772-341-0x0000000000010000-0x00000000001D0000-memory.dmp

Filesize
1.8MB

Download
memory/2224-354-0x0000000000F50000-0x0000000001110000-memory.dmp

Filesize
1.8MB

Download
memory/2792-272-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2792-273-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3008-183-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/3008-184-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download