dcrat | 6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8

Resubmissions

13-01-2025 04:16

250113-ev3jsaxrdj 10

12-01-2025 13:52

250112-q6sz9sxmfp 10

Analysis

max time kernel
897s
max time network
899s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Size

1.7MB
MD5

0624cb81236f6a0e8d0487a766458088
SHA1

36ea7baa5b367c60269eb1a277bd5ad4bc41b54b
SHA256

6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8
SHA512

742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:OTHUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2668	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2668	schtasks.exe	31

DCRat payload 51 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2956-1-0x0000000000BA0000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/files/0x0006000000017488-27.dat	dcrat
behavioral1/files/0x000500000001a463-66.dat	dcrat
behavioral1/files/0x0005000000004ed7-101.dat	dcrat
behavioral1/files/0x00130000000162b2-112.dat	dcrat
behavioral1/files/0x000a000000017079-123.dat	dcrat
behavioral1/files/0x000f0000000173a9-170.dat	dcrat
behavioral1/files/0x0008000000017488-179.dat	dcrat
behavioral1/memory/2740-328-0x0000000000F70000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/1544-339-0x0000000001300000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/1964-472-0x00000000003F0000-0x00000000005B0000-memory.dmp	dcrat
behavioral1/memory/548-480-0x0000000000800000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/2032-489-0x00000000009E0000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/2588-490-0x00000000000F0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2552-505-0x00000000000F0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1652-513-0x00000000012D0000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1336-528-0x0000000000200000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2240-536-0x0000000000CA0000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/1992-558-0x00000000009B0000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/2344-559-0x00000000002B0000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2580-567-0x0000000001140000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/1728-575-0x00000000013E0000-0x00000000015A0000-memory.dmp	dcrat
behavioral1/memory/2592-590-0x0000000000B80000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/2992-591-0x00000000003E0000-0x00000000005A0000-memory.dmp	dcrat
behavioral1/memory/2144-592-0x0000000000250000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2968-600-0x0000000000F20000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/1568-623-0x0000000000240000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1432-631-0x00000000001D0000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/1640-632-0x0000000001180000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/1632-633-0x0000000000B20000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/1968-634-0x00000000002D0000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/568-643-0x0000000000840000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2216-651-0x0000000000080000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2000-659-0x0000000000ED0000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2012-674-0x00000000003B0000-0x0000000000570000-memory.dmp	dcrat
behavioral1/memory/2404-683-0x0000000001050000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/1744-699-0x0000000000190000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/772-707-0x00000000008C0000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/2812-708-0x0000000000C60000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2000-709-0x0000000000F50000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/1812-710-0x0000000001360000-0x0000000001520000-memory.dmp	dcrat
behavioral1/memory/1508-711-0x0000000001180000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/1816-712-0x0000000000B60000-0x0000000000D20000-memory.dmp	dcrat
behavioral1/memory/2304-713-0x00000000012C0000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/1608-735-0x00000000001B0000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2764-743-0x0000000000170000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2564-744-0x00000000012D0000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1816-745-0x0000000000160000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1644-753-0x00000000000D0000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/1280-761-0x00000000002B0000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2012-770-0x0000000000FE0000-0x00000000011A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2136	powershell.exe
2368	powershell.exe
376	powershell.exe
1696	powershell.exe
1740	powershell.exe
2528	powershell.exe
1940	powershell.exe
2504	powershell.exe
2176	powershell.exe
1484	powershell.exe
1736	powershell.exe
588	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Executes dropped EXE 64 IoCs

pid	Process
2740	WmiPrvSE.exe
1544	WmiPrvSE.exe
2788	WmiPrvSE.exe
2640	WmiPrvSE.exe
2420	WmiPrvSE.exe
2744	WmiPrvSE.exe
588	WmiPrvSE.exe
2124	WmiPrvSE.exe
2112	WmiPrvSE.exe
1724	WmiPrvSE.exe
1300	WmiPrvSE.exe
1960	WmiPrvSE.exe
1564	WmiPrvSE.exe
1964	WmiPrvSE.exe
548	WmiPrvSE.exe
2032	WmiPrvSE.exe
2588	lsm.exe
1688	WmiPrvSE.exe
2552	WmiPrvSE.exe
1652	WmiPrvSE.exe
1692	WmiPrvSE.exe
1336	OSPPSVC.exe
3008	WmiPrvSE.exe
2240	OSPPSVC.exe
1816	OSPPSVC.exe
1680	OSPPSVC.exe
1088	WmiPrvSE.exe
1992	winlogon.exe
2344	OSPPSVC.exe
2580	OSPPSVC.exe
1728	OSPPSVC.exe
1748	OSPPSVC.exe
2592	smss.exe
2992	OSPPSVC.exe
2144	dwm.exe
2968	dwm.exe
2308	dwm.exe
2368	dwm.exe
1568	dwm.exe
1432	dllhost.exe
1640	services.exe
1632	lsm.exe
1968	dwm.exe
568	dwm.exe
2216	dwm.exe
2000	dwm.exe
1780	dwm.exe
2012	dwm.exe
2404	dwm.exe
3044	dwm.exe
1744	dwm.exe
772	OSPPSVC.exe
1508	explorer.exe
1812	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2000	System.exe
2812	spoolsv.exe
1816	dwm.exe
2304	WMIADAP.exe
2832	WMIADAP.exe
2804	WMIADAP.exe
1608	WMIADAP.exe
2764	WmiPrvSE.exe
1676	winlogon.exe
2564	WMIADAP.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\RCXFFE9.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\spoolsv.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files (x86)\Google\Update\WmiPrvSE.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\services.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\DVD Maker\fr-FR\75a57c1bdf437c	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\RCXB48.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX1AFF.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\RCXB47.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\spoolsv.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXD4D.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX14F1.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX1AFE.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Windows Media Player\Visualizations\services.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\RCXFFE8.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCX25B.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\WmiPrvSE.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\f3b6ecef712a24	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\74a027ee54e414	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\69ddcba757bf72	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX14F0.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files\Windows Media Player\Visualizations\c5b4cb5e9653cc	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Program Files (x86)\Google\Update\24dbde2999530e	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCX1EC.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXD4C.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\es-ES\RCX1250.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\es-ES\explorer.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\addins\winlogon.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\addins\RCXFDE4.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\addins\winlogon.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\addins\RCXFDE3.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File opened for modification	C:\Windows\es-ES\RCX11E2.tmp	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\addins\cc11b995f2a76d	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\es-ES\explorer.exe	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
File created	C:\Windows\es-ES\7a0fd90576e088	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
332	schtasks.exe
964	schtasks.exe
2484	schtasks.exe
1784	schtasks.exe
3048	schtasks.exe
2592	schtasks.exe
1324	schtasks.exe
2356	schtasks.exe
1976	schtasks.exe
2924	schtasks.exe
1964	schtasks.exe
2508	schtasks.exe
2572	schtasks.exe
700	schtasks.exe
2836	schtasks.exe
1032	schtasks.exe
2952	schtasks.exe
2440	schtasks.exe
2328	schtasks.exe
2404	schtasks.exe
1368	schtasks.exe
2160	schtasks.exe
2540	schtasks.exe
2344	schtasks.exe
376	schtasks.exe
2280	schtasks.exe
2408	schtasks.exe
2004	schtasks.exe
2804	schtasks.exe
2588	schtasks.exe
1788	schtasks.exe
408	schtasks.exe
2364	schtasks.exe
1616	schtasks.exe
860	schtasks.exe
2300	schtasks.exe
768	schtasks.exe
284	schtasks.exe
1992	schtasks.exe
1028	schtasks.exe
1600	schtasks.exe
2428	schtasks.exe
2516	schtasks.exe
1684	schtasks.exe
2784	schtasks.exe
612	schtasks.exe
2136	schtasks.exe
2252	schtasks.exe
1780	schtasks.exe
1356	schtasks.exe
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
2176	powershell.exe
1696	powershell.exe
588	powershell.exe
1940	powershell.exe
2504	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2740	WmiPrvSE.exe
Token: SeDebugPrivilege	1544	WmiPrvSE.exe
Token: SeDebugPrivilege	2788	WmiPrvSE.exe
Token: SeDebugPrivilege	2640	WmiPrvSE.exe
Token: SeDebugPrivilege	2420	WmiPrvSE.exe
Token: SeDebugPrivilege	2744	WmiPrvSE.exe
Token: SeDebugPrivilege	588	WmiPrvSE.exe
Token: SeDebugPrivilege	2124	WmiPrvSE.exe
Token: SeDebugPrivilege	2112	WmiPrvSE.exe
Token: SeDebugPrivilege	1724	WmiPrvSE.exe
Token: SeDebugPrivilege	1300	WmiPrvSE.exe
Token: SeDebugPrivilege	1960	WmiPrvSE.exe
Token: SeDebugPrivilege	1564	WmiPrvSE.exe
Token: SeDebugPrivilege	1964	WmiPrvSE.exe
Token: SeDebugPrivilege	548	WmiPrvSE.exe
Token: SeDebugPrivilege	2032	WmiPrvSE.exe
Token: SeDebugPrivilege	2588	lsm.exe
Token: SeDebugPrivilege	1688	WmiPrvSE.exe
Token: SeDebugPrivilege	2552	WmiPrvSE.exe
Token: SeDebugPrivilege	1652	WmiPrvSE.exe
Token: SeDebugPrivilege	1692	WmiPrvSE.exe
Token: SeDebugPrivilege	1336	OSPPSVC.exe
Token: SeDebugPrivilege	3008	WmiPrvSE.exe
Token: SeDebugPrivilege	2240	OSPPSVC.exe
Token: SeDebugPrivilege	1816	OSPPSVC.exe
Token: SeDebugPrivilege	1680	OSPPSVC.exe
Token: SeDebugPrivilege	1992	winlogon.exe
Token: SeDebugPrivilege	1088	WmiPrvSE.exe
Token: SeDebugPrivilege	2344	OSPPSVC.exe
Token: SeDebugPrivilege	2580	OSPPSVC.exe
Token: SeDebugPrivilege	1728	OSPPSVC.exe
Token: SeDebugPrivilege	1748	OSPPSVC.exe
Token: SeDebugPrivilege	2592	smss.exe
Token: SeDebugPrivilege	2992	OSPPSVC.exe
Token: SeDebugPrivilege	2144	dwm.exe
Token: SeDebugPrivilege	2968	dwm.exe
Token: SeDebugPrivilege	2308	dwm.exe
Token: SeDebugPrivilege	2368	dwm.exe
Token: SeDebugPrivilege	1568	dwm.exe
Token: SeDebugPrivilege	1640	services.exe
Token: SeDebugPrivilege	1432	dllhost.exe
Token: SeDebugPrivilege	1632	lsm.exe
Token: SeDebugPrivilege	1968	dwm.exe
Token: SeDebugPrivilege	568	dwm.exe
Token: SeDebugPrivilege	2216	dwm.exe
Token: SeDebugPrivilege	2000	dwm.exe
Token: SeDebugPrivilege	1780	dwm.exe
Token: SeDebugPrivilege	2012	dwm.exe
Token: SeDebugPrivilege	2404	dwm.exe
Token: SeDebugPrivilege	3044	dwm.exe
Token: SeDebugPrivilege	1744	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 376	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	83
PID 2956 wrote to memory of 376	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	83
PID 2956 wrote to memory of 376	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	83
PID 2956 wrote to memory of 1696	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	84
PID 2956 wrote to memory of 1696	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	84
PID 2956 wrote to memory of 1696	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	84
PID 2956 wrote to memory of 2176	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	86
PID 2956 wrote to memory of 2176	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	86
PID 2956 wrote to memory of 2176	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	86
PID 2956 wrote to memory of 588	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	87
PID 2956 wrote to memory of 588	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	87
PID 2956 wrote to memory of 588	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	87
PID 2956 wrote to memory of 2368	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	88
PID 2956 wrote to memory of 2368	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	88
PID 2956 wrote to memory of 2368	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	88
PID 2956 wrote to memory of 2136	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	89
PID 2956 wrote to memory of 2136	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	89
PID 2956 wrote to memory of 2136	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	89
PID 2956 wrote to memory of 2504	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	90
PID 2956 wrote to memory of 2504	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	90
PID 2956 wrote to memory of 2504	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	90
PID 2956 wrote to memory of 1940	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	91
PID 2956 wrote to memory of 1940	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	91
PID 2956 wrote to memory of 1940	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	91
PID 2956 wrote to memory of 1736	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	92
PID 2956 wrote to memory of 1736	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	92
PID 2956 wrote to memory of 1736	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	92
PID 2956 wrote to memory of 1484	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	93
PID 2956 wrote to memory of 1484	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	93
PID 2956 wrote to memory of 1484	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	93
PID 2956 wrote to memory of 2528	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	94
PID 2956 wrote to memory of 2528	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	94
PID 2956 wrote to memory of 2528	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	94
PID 2956 wrote to memory of 1740	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	95
PID 2956 wrote to memory of 1740	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	95
PID 2956 wrote to memory of 1740	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	95
PID 2956 wrote to memory of 1032	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	107
PID 2956 wrote to memory of 1032	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	107
PID 2956 wrote to memory of 1032	2956	6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe	107
PID 1032 wrote to memory of 2976	1032	cmd.exe	109
PID 1032 wrote to memory of 2976	1032	cmd.exe	109
PID 1032 wrote to memory of 2976	1032	cmd.exe	109
PID 1032 wrote to memory of 2740	1032	cmd.exe	110
PID 1032 wrote to memory of 2740	1032	cmd.exe	110
PID 1032 wrote to memory of 2740	1032	cmd.exe	110
PID 2740 wrote to memory of 2356	2740	WmiPrvSE.exe	111
PID 2740 wrote to memory of 2356	2740	WmiPrvSE.exe	111
PID 2740 wrote to memory of 2356	2740	WmiPrvSE.exe	111
PID 2740 wrote to memory of 1208	2740	WmiPrvSE.exe	112
PID 2740 wrote to memory of 1208	2740	WmiPrvSE.exe	112
PID 2740 wrote to memory of 1208	2740	WmiPrvSE.exe	112
PID 2356 wrote to memory of 1544	2356	WScript.exe	113
PID 2356 wrote to memory of 1544	2356	WScript.exe	113
PID 2356 wrote to memory of 1544	2356	WScript.exe	113
PID 1544 wrote to memory of 2580	1544	WmiPrvSE.exe	114
PID 1544 wrote to memory of 2580	1544	WmiPrvSE.exe	114
PID 1544 wrote to memory of 2580	1544	WmiPrvSE.exe	114
PID 1544 wrote to memory of 2536	1544	WmiPrvSE.exe	115
PID 1544 wrote to memory of 2536	1544	WmiPrvSE.exe	115
PID 1544 wrote to memory of 2536	1544	WmiPrvSE.exe	115
PID 2580 wrote to memory of 2788	2580	WScript.exe	116
PID 2580 wrote to memory of 2788	2580	WScript.exe	116
PID 2580 wrote to memory of 2788	2580	WScript.exe	116
PID 2788 wrote to memory of 2836	2788	WmiPrvSE.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
C:\Users\Admin\AppData\Local\Temp\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsvBC5QbGA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2976
- - C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
    "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf44f5b9-b267-4f44-bc04-cb396593f984.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5b330f6-b91d-4bb4-8294-88bfddded6a5.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0196ac1-2c8d-4d60-af14-080e919db615.vbs"
        8⤵
        
        PID:2836
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fe616ab-a9d0-4a46-a71b-09efd2d002df.vbs"
        10⤵
        
        PID:2688
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22193feb-1af5-4011-9bb9-6cda5e82bf24.vbs"
        12⤵
        
        PID:2860
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb713d6a-14c7-40ab-95de-5d8380fb29c3.vbs"
        14⤵
        
        PID:1196
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28ee21f3-4286-4596-89be-83edc0aeed0b.vbs"
        16⤵
        
        PID:2716
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa66470c-4c58-4abd-b99f-96f5e96a553c.vbs"
        18⤵
        
        PID:1996
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\454efb83-1ef2-4014-9644-73c8e686395f.vbs"
        20⤵
        
        PID:1704
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bc06ea3-05d3-43fb-8c6e-a23edd5c25d0.vbs"
        22⤵
        
        PID:2804
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bedc7f08-f184-4a6e-b4ab-fe06010e3f86.vbs"
        24⤵
        
        PID:1280
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30aa2907-26a2-4e08-a9c3-218cfd2f97c3.vbs"
        26⤵
        
        PID:2716
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\504b020d-4d17-4819-b2ce-ab6a428a3dda.vbs"
        28⤵
        
        PID:2304
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da66154d-9ecd-4e28-bd12-c9955eb43e28.vbs"
        30⤵
        
        PID:2248
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f329314-b3fd-43a3-bebb-a2f0e3b8a558.vbs"
        32⤵
        
        PID:2092
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0d28340-8621-4aca-85aa-b5a443785dbf.vbs"
        34⤵
        
        PID:2232
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08c1adef-d68b-4455-b13e-35117ff4079f.vbs"
        36⤵
        
        PID:1480
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9067595-3dc9-49cc-9f46-ff598e70dd63.vbs"
        38⤵
        
        PID:1180
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f470a09-293c-4cd1-9ba1-469110818742.vbs"
        40⤵
        
        PID:2892
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e36160be-12c4-40a9-a8e6-52ea8dc7f8b9.vbs"
        42⤵
        
        PID:2908
        
        C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f6b0c0d-80bc-4b5f-8d24-842f419b2fb6.vbs"
        42⤵
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e8786d2-bcf8-4b7f-b1f5-d6e0be9e860e.vbs"
        40⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca5925d5-847d-4cef-8f4b-fd7ef12f5e61.vbs"
        38⤵
        
        PID:588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b047d324-6455-4a74-86df-6decef0ac4fb.vbs"
        36⤵
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53185ec1-50ae-4924-9cb0-9c824dbb1eef.vbs"
        34⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2535e9aa-e393-4d10-bd25-fea690c54c69.vbs"
        32⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad14ba86-b66b-409b-95f0-edcd6f3a37d9.vbs"
        30⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b2d9b22-796a-443b-88e0-b41c093d8ab1.vbs"
        28⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a551f155-a724-42b5-bd78-48897bc3baf1.vbs"
        26⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8d531e-77a0-4ba4-ad4e-55f3645c647c.vbs"
        24⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41716a13-1f3a-491c-972f-52e75f0f3c5d.vbs"
        22⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3d5673d-4cf0-415a-904c-5d84729b9185.vbs"
        20⤵
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35bc5f24-014d-4b55-9e2c-d697b2702041.vbs"
        18⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c903dfbb-d975-4a52-9464-ba37ba4a9aaa.vbs"
        16⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d990f911-7691-4c14-aebf-1f373463805e.vbs"
        14⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f721b11-b380-4b9a-bf86-09fa51769c3a.vbs"
        12⤵
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47bb4fe9-7c59-4fa9-b7cf-5a7cdb339a2f.vbs"
        10⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5205f6c5-ca34-4a1c-b936-df9a4ba7b739.vbs"
        8⤵
        
        PID:884
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09b48586-8e38-4cb4-a0fa-9caf5e1b7b54.vbs"
        6⤵
        
        PID:2536
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0496c832-fd4a-4319-9eff-e6c7351c3189.vbs"
      4⤵
      PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\addins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa86" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\taskeng.exe
taskeng.exe {EB2204E1-F4BD-48D0-ADB4-92BF951FA096} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
PID:2660
- C:\Users\Default User\lsm.exe
  "C:\Users\Default User\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Users\Default\OSPPSVC.exe
  C:\Users\Default\OSPPSVC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9fcec3c-17cd-4024-9a9b-926cf88de579.vbs"
    3⤵
    PID:2676
  - - C:\Users\Default\OSPPSVC.exe
      C:\Users\Default\OSPPSVC.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2240
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f568fecd-13da-424a-a571-2142f4490656.vbs"
        5⤵
        
        PID:1868
      - C:\Users\Default\OSPPSVC.exe
        
        C:\Users\Default\OSPPSVC.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e263912-6e79-4d36-94c5-6f4632374c86.vbs"
        7⤵
        
        PID:1692
        
        C:\Users\Default\OSPPSVC.exe
        
        C:\Users\Default\OSPPSVC.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57641ea2-34a0-4cc2-ad59-1b19f6d59412.vbs"
        9⤵
        
        PID:1584
        
        C:\Users\Default\OSPPSVC.exe
        
        C:\Users\Default\OSPPSVC.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb09f859-c14f-4933-b2a5-ed09a22f8855.vbs"
        11⤵
        
        PID:2716
        
        C:\Users\Default\OSPPSVC.exe
        
        C:\Users\Default\OSPPSVC.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1af84b90-a002-4ae5-8793-e5ac1f5f345a.vbs"
        13⤵
        
        PID:2112
        
        C:\Users\Default\OSPPSVC.exe
        
        C:\Users\Default\OSPPSVC.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\016b7885-04b2-4c4d-9540-41d68e18d1f8.vbs"
        15⤵
        
        PID:996
        
        C:\Users\Default\OSPPSVC.exe
        
        C:\Users\Default\OSPPSVC.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bd763bd-4b44-4346-9001-029da5c153f2.vbs"
        17⤵
        
        PID:1280
        
        C:\Users\Default\OSPPSVC.exe
        
        C:\Users\Default\OSPPSVC.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fecf89ae-f28f-4ac4-a161-1ae910f80375.vbs"
        17⤵
        
        PID:796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb5b0773-0edc-4f15-a14e-ffac75965f1e.vbs"
        15⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02e295ab-6349-4f05-8083-a6ffe2270ef1.vbs"
        13⤵
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f7b107b-706b-4bb8-94dc-687e81708d34.vbs"
        11⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52590497-4037-436f-88d5-850474a60eaa.vbs"
        9⤵
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55261a15-0cd2-4526-b06a-7e8b01df921c.vbs"
        7⤵
        
        PID:1740
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42c58c03-207f-44d8-bc63-437c62c433ae.vbs"
        5⤵
        
        PID:1076
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c6190ab-4241-4d8b-b64d-7b6c2cfd4f7a.vbs"
    3⤵
    PID:2336
- C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
  "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\addins\winlogon.exe
  C:\Windows\addins\winlogon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe
  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
  "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02389f27-b735-4a2c-aec6-fa3bf10cb196.vbs"
    3⤵
    PID:2652
  - - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
      "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2968
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10800ae1-4dc2-4bc3-8009-4ca346de5a5a.vbs"
        5⤵
        
        PID:1968
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8ac0a20-d24e-415a-802c-744939ee3c78.vbs"
        7⤵
        
        PID:784
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ab70d1c-2f1b-4f28-b148-03cbbbd64e15.vbs"
        9⤵
        
        PID:1308
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7c923e1-895a-4d07-8e5a-71c97ba49471.vbs"
        11⤵
        
        PID:2776
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a36e2a5-a72c-4665-a3c0-7307736107e0.vbs"
        13⤵
        
        PID:1964
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4745de4c-81d8-49ff-9223-253fedf0838e.vbs"
        15⤵
        
        PID:2108
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36ce2492-ea28-40b3-bb8b-cc6978eddc57.vbs"
        17⤵
        
        PID:1644
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4d1e24d-5e7f-408d-a4b3-453bd1ae49a3.vbs"
        19⤵
        
        PID:1472
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbb81704-c99e-4041-b4bf-58fecef8fe48.vbs"
        21⤵
        
        PID:2116
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82a4c748-8edf-4089-a1b8-c71075e9eea1.vbs"
        23⤵
        
        PID:2732
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0260f215-a861-4000-850e-2748c7a83511.vbs"
        25⤵
        
        PID:1088
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0967226a-8358-4340-8178-1a2cb544fe04.vbs"
        27⤵
        
        PID:2164
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9b4e5fe-febe-40c3-b319-38e840967ba2.vbs"
        29⤵
        
        PID:1664
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe"
        30⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a79107f-77fa-448d-b537-811c1be58c29.vbs"
        29⤵
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b310b32-18a2-44a7-908a-fa0878a30bc0.vbs"
        27⤵
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9cb26cd-69d8-4845-bce7-6cae166fdbe0.vbs"
        25⤵
        
        PID:860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14178138-e10c-419d-a72b-622ad96d1c94.vbs"
        23⤵
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\337e9be0-f17d-4e3b-9f2e-2f5c1bd1eec2.vbs"
        21⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\859755bf-becc-41f6-b665-8a3981eb951f.vbs"
        19⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd5a724c-b5d4-4dce-a598-2067d862ecb4.vbs"
        17⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d901f739-fece-4586-88e6-84e440bb20bb.vbs"
        15⤵
        
        PID:344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b127e38-ba89-4875-bc1b-1e7b99aa1be7.vbs"
        13⤵
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdd88800-ccd8-44fe-b8a2-37bca5958e99.vbs"
        11⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d15f6800-0899-41c9-83ff-02794b7f8c79.vbs"
        9⤵
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87b963ef-be5f-4e80-8a81-19d713fe3e32.vbs"
        7⤵
        
        PID:988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b9701d7-936d-4c7e-af4d-d51ec086dc30.vbs"
        5⤵
        
        PID:2580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93af0075-d08d-4b01-a958-331462ba13b4.vbs"
    3⤵
    PID:2320
- C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe
  C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Users\Default User\lsm.exe
  "C:\Users\Default User\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Program Files\Windows Media Player\Visualizations\services.exe
  "C:\Program Files\Windows Media Player\Visualizations\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Users\Default\OSPPSVC.exe
  C:\Users\Default\OSPPSVC.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\es-ES\explorer.exe
  C:\Windows\es-ES\explorer.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Users\Default User\System.exe
  "C:\Users\Default User\System.exe"
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe
  "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8.exe"
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Program Files\Windows Sidebar\fr-FR\spoolsv.exe
  "C:\Program Files\Windows Sidebar\fr-FR\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe
  "C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe"
  2⤵
  - Executes dropped EXE
  PID:2304
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8143c8c3-e4d5-4a09-af08-18ed789fdbef.vbs"
    3⤵
    PID:2404
  - - C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe
      "C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe"
      4⤵
      Executes dropped EXE
      PID:2832
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c7d08ae-0ea6-417e-97d4-ba2b10415787.vbs"
        5⤵
        
        PID:2152
      - C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe"
        6⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e52b5ce-9f56-4d0b-b658-82e6c39bfbac.vbs"
        7⤵
        
        PID:2708
        
        C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe"
        8⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01ae3540-76bd-44cb-990d-14a8981c0a88.vbs"
        9⤵
        
        PID:1748
        
        C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe
        
        "C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe"
        10⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\422d37ce-04a8-466f-a8fa-be24557ea3de.vbs"
        9⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30ef0a3f-b2dc-48b3-a1e5-aa02584fae30.vbs"
        7⤵
        
        PID:2352
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b07b9b9d-9c48-475e-bb43-cda970645f2f.vbs"
        5⤵
        
        PID:356
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\470c164e-fbe7-454b-b582-94a118f5b24e.vbs"
    3⤵
    PID:2792
- C:\Program Files (x86)\Google\Update\WmiPrvSE.exe
  "C:\Program Files (x86)\Google\Update\WmiPrvSE.exe"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\addins\winlogon.exe
  C:\Windows\addins\winlogon.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Users\Default User\lsm.exe
  "C:\Users\Default User\lsm.exe"
  2⤵
  PID:1816
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86783eb9-1d60-4e50-a71a-982957835ac8.vbs"
    3⤵
    PID:2344
  - - C:\Users\Default User\lsm.exe
      "C:\Users\Default User\lsm.exe"
      4⤵
      PID:1644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e789eefa-8fc3-472e-a178-0ef814f3c0a1.vbs"
        5⤵
        
        PID:2744
      - C:\Users\Default User\lsm.exe
        
        "C:\Users\Default User\lsm.exe"
        6⤵
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbec6bb2-3465-4929-84d4-498c6d7749bc.vbs"
        7⤵
        
        PID:1608
        
        C:\Users\Default User\lsm.exe
        
        "C:\Users\Default User\lsm.exe"
        8⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17a59572-1b02-46da-bab0-76d92d91fd9f.vbs"
        9⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a3ed8fb-9df3-46d7-a9c9-c490093162c2.vbs"
        9⤵
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59822fd6-7f54-49d3-9401-ab0a6adb661a.vbs"
        7⤵
        
        PID:2064
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57fbe7c8-b1e8-4c93-add7-103cb2613b63.vbs"
        5⤵
        
        PID:2860
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf1b1225-9b20-412b-81ee-28e4175c87fc.vbs"
    3⤵
    PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe

Filesize
1.7MB

MD5
c046d1899f2dee605985f676fb3ca849

SHA1
501d64e0dc1fc30a878b03c3c3599bc2008154c3

SHA256
98d3a19dcf4bbc6b636f703ea24cbd0a95083accd74d69118b5c37c9d3d7c6e7

SHA512
15b83175cbf066cf91e84acef51b08d1d4fb6d939e6aadff033ff83f067c255beff92689a3a167538830897d0b13fb6aeb394a53b4921906282868297ed70542

Download Submit
C:\Program Files\DVD Maker\fr-FR\WMIADAP.exe

Filesize
1.7MB

MD5
eac76ca4ec459ea72eac12d19d39c737

SHA1
12443802b9fc8703e5e9cc28d4f5889758c687c6

SHA256
1ad697ecda4ee3bfd7eac4158e1a3ee1f80b3db5167e3ca6dce7523c0a565a7f

SHA512
9a0f29e1395a109e4c90046e7d1468377734bcbfb0ddebbd6b38c6d4d76e45758d1669959fa72f7c11f0719631f29f1b3ed88fa11f2b63b594f90b20e6973cc5

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dllhost.exe

Filesize
1.7MB

MD5
8be63e36672d54cd0222ee2de0066e96

SHA1
f03863ef609630ea562a7a898942a89dbf3f9103

SHA256
5064359d0fb24871e0e682c1e146e34680839efd2c2a24098c4950b290c7df3b

SHA512
1d778add726d3153bd20b4b3ce344da569c4f0d821c549ea3063f1ec87f7292fcc811433466ef38fe9546557aaf643af9c1a85a484c7ce3d832efb281a313146

Download Submit
C:\Users\Admin\AppData\Local\Temp\0496c832-fd4a-4319-9eff-e6c7351c3189.vbs

Filesize
501B

MD5
3f5ccc86d303eeee4d9b986913edd3fd

SHA1
15ecb7898853cb84af405be22245b3eb84518fc4

SHA256
4a84d9bfbfecf5ad9774d9aac3c603e2a060f793a685432d86957dd1fd68bdc0

SHA512
a85e060ec443f41eb1c160d8f04b398715a7e3c73ce472e7fefd26ea55422bf6ed4bac05f85a1146e965df4fd1dd7071941842d090ac2e3e7abd837741bdecac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fe616ab-a9d0-4a46-a71b-09efd2d002df.vbs

Filesize
725B

MD5
4c39c6879bff3264608587b7853b8ea1

SHA1
4748b840bfc1d35045d22265658cee6cc25aabe0

SHA256
8dfc06925e7ca2e4a301acfb7238435db0c2a326a3e1ef02d97d25e8140fc0af

SHA512
e2352ab8ffa4618b56f62d233971b323b79e62bb1f2ed556e3a6bce55d8247f5a91c8c47efc822ad3a0d7649810c3fa0e19b99bfacd867b6085190097fd84425

Download Submit
C:\Users\Admin\AppData\Local\Temp\22193feb-1af5-4011-9bb9-6cda5e82bf24.vbs

Filesize
725B

MD5
dc39dc0013b3c6a96bdaa7cd4fd54c64

SHA1
227c5afe00294730a4c796b060396e2e88bb6e2c

SHA256
7b7c3d16a1580c503f42ce6aa1855c97cd896249fe1bf568fd517968941cdc94

SHA512
8f4f9a31f6f9d740b20a9235158696fe6cd0316280a14f6a773b45abeb6ff0e83de75922d6ee0f6dff9d0a4f26388b17e8dcfc3a05882e00e13ad088142383f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\28ee21f3-4286-4596-89be-83edc0aeed0b.vbs

Filesize
724B

MD5
031f7dd99ebd25b30c43faf553e259fb

SHA1
10bf5801ab309337b84b7026791f4dc10a7f5bd4

SHA256
758cadc8e45c39aca6fee958ada5c9fa2f7a6ab1dd8daa20bb6f813e352b1fec

SHA512
7751e4f405e11ae5da6df49bc3bb674617b3e5ab6a759b20cd7f7f3e4d3925dcdd9b2842cad9ebcec8780c6a0029e1eb6a5347df642679b084e85e23f60d4dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a07a0865cc3fb8316e4b07741ca137ceb2a33d6.exe

Filesize
1.7MB

MD5
ee7726bc8b89c7c090c0783e86fae081

SHA1
7b4aab916099ee9645e693486caba40bc7682741

SHA256
d18edea367dc0f02e1b542da606718f4b44adb0e4f8e08690d0fe6f94861dc1f

SHA512
739db7634028b79cb62cf67a5f13737eb387372aad95bd6fdffb9bd4f7605520c0ac86d5fd3c7291bc05679de7f37cc5a8fec1966c268d99978be40bf544e713

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bc06ea3-05d3-43fb-8c6e-a23edd5c25d0.vbs

Filesize
725B

MD5
f012d87d52b3d587718051692c39ff36

SHA1
144515c8bc68f62228c7bc2762c404032e91599e

SHA256
b055832a8e940be7dcdfe9b20afe8c57b9ee7d1b59eaa13d7cf4f8d1d7a8a150

SHA512
42da00047e0543fbb2bae98145c36975e444509175abec0d54824f8ebe0b7d1438adbf827be71dc48f5578fa831fe9bb359186e53523e048759faa7a1b31cb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\30aa2907-26a2-4e08-a9c3-218cfd2f97c3.vbs

Filesize
725B

MD5
7cd25b8a9d29b6b9c2a82aefc8ad054d

SHA1
243e6b435fd3764e4fa3a22b0d22443e44e6f59f

SHA256
f54c17e787c8f73d4e55aed7e9af5ff19298f28984aa1edc23bfad2d94a01d52

SHA512
37e956c979041030806a34593f4df99682af8bea5b06255a71e7452f1f71152660d3919ce3f8334d9cca04b2bc1e397149d284e58a92dc2e230fdd629f88f67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\42c58c03-207f-44d8-bc63-437c62c433ae.vbs

Filesize
480B

MD5
25502aa1fa011fa0aa58bdfbac4e0f88

SHA1
cca94d00e3a25962737d419270f3e0d448bd6577

SHA256
8370ed7a055072a1e9587339d50dc2e06f945c15a7fe9bf60aae9deb876a1337

SHA512
af53dffb30bc48b5e48d51af8636a6ecdfa2b7b945cbe23d3fd3324ddc6c3e16e5d49c7c8f88b8c2dd2e0f8408c6c3f1040f07734580dc1c790939c1f59a2883

Download Submit
C:\Users\Admin\AppData\Local\Temp\454efb83-1ef2-4014-9644-73c8e686395f.vbs

Filesize
725B

MD5
21cf57345ea79a60a0effc8fcfd2b74c

SHA1
527b2aa35f5d3fbca0fc3b064ac691315ba93dd5

SHA256
ee70cd3683a347743aef95acc10a7c0a620803f7ba3fbc4e3670af8cd9656876

SHA512
2cbfbff6cf99ef416c2c247135d82cee3c314b3d6318ace3d54a6bbb6e10564d0e71002265caa0b3f567aceeea9332476ff7a39aae245776263104aecddc8ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\504b020d-4d17-4819-b2ce-ab6a428a3dda.vbs

Filesize
725B

MD5
5103ff84abf440a25b4b8df937e61f3e

SHA1
00739546a54e0f6cd4d272a42f2b75b56f6b126e

SHA256
27521984fbf29c74f2d38c68c793c6f85e7bffee2b11020d37b618ff2779d08b

SHA512
7c487d4f56f8d55ac40e658cee1618dc37097c6196401b53df9e148b196860a8c8a9918053ce1a19207ad1c8253fe26a3a4e5016f3f3394abd623abcc48d46e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\57fbe7c8-b1e8-4c93-add7-103cb2613b63.vbs

Filesize
481B

MD5
3cff72b822bf8420a5982593c0ba442f

SHA1
b7d3053361fefb80c76146687d4d9d6d825b98fe

SHA256
389be7efb9cd0d72694e5e7297327e29ab8bc3e22a4542819fdd142e2c00d54d

SHA512
fdff1bd1c0e6f7ccc3b70c13092f3b39c169b04dc19031965999191ae1b228f9ab7fa43606af7d16badafba99384e0a8bbedfb519e7fdb69b7369eb1d2110b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b9701d7-936d-4c7e-af4d-d51ec086dc30.vbs

Filesize
522B

MD5
deccff85939e5afd8361043763f9bffe

SHA1
b13a74082de1b8fb8c725566e41d6e22d681f605

SHA256
1515489ffead66c4c18ed9f094cd9d1dc18b043dbf83e931bbd853895df68943

SHA512
a70ab5bb73a7b733d41a0737474bee4a6190d92e43d3cd5b7b6f66b4357a434572336d7fea39c76b3e6eb9a1bc74a639444d6b79de310b33dcf49c168d714a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b07b9b9d-9c48-475e-bb43-cda970645f2f.vbs

Filesize
496B

MD5
42868f7c5efad43950901e7364d58313

SHA1
c0b567b7c21331b8c6c3cc66afa7ec842dca98b9

SHA256
482f6d07c2ae2b073891ad130d59d4f8f59ce08418010282af35f1efdf38df1c

SHA512
f39b44f56f8d76c63d3a46fea1f36dbc2718ef440a4cd6f5cd5e061c702477e7f126e86054853670df0301be47da5e7a35fdf430c7545d78a46079f92e0662c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5b330f6-b91d-4bb4-8294-88bfddded6a5.vbs

Filesize
725B

MD5
3829d37fe6dbb83f44befe7568a35dac

SHA1
06e2df81920de08eff63bcb15faa1d18a0816893

SHA256
a1bee38d2998ac91b692e01f112cf18cf5c3c382c4dd4c13d4e7cffa72e422ee

SHA512
516b00b0d97b1d752a9c63bc01da72d40d4ac91204f30f5e07cfbb942cce0a6795bf001f7a96c215c7c1c85d45eee10f9fb4630238a8baf5caa89c285777bd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedc7f08-f184-4a6e-b4ab-fe06010e3f86.vbs

Filesize
725B

MD5
5b2ea8c9904b04cbafda83b0910d7491

SHA1
f32563d13fe7f589a8aff7537c1aa2a67d156759

SHA256
f06f205626a0daa251d7bec02b39afba35090de970ed4c22b3b1bf36438838d5

SHA512
f74bb921f0b860f44a593696be5871d9a68e025499f6bfcd3dba63fed41819e419b89bd85c25745b081f81d9835c4e8b65db0414620f91aa96931075ee1d00e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf44f5b9-b267-4f44-bc04-cb396593f984.vbs

Filesize
725B

MD5
3150072547d85f0389d24a2f3a1a3d34

SHA1
dc44aaca7bd51529a44f050468240f5a642ab9c7

SHA256
74ef60c6fa233b81fce99f4f6150a6939b8878079a3a880eef5b10aa626961d2

SHA512
efcff8f6f9b6125057a38a69eef3446a81ca9bfa00225d637a3741b4319aa0b69c9059e6158558a6b0c42f9d18aa0655f3f32d1e953d2254f0246b026cc2d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0196ac1-2c8d-4d60-af14-080e919db615.vbs

Filesize
725B

MD5
044b860ab1937e8220f2a0df4717ac34

SHA1
e000fd4894c9a455568be809b0e1fc91f533b088

SHA256
fd429e1a6f55e8210565fe8d420f1b4616ecbf6296037be3a7dd1087d73e0376

SHA512
8a11c74645b2df3fe62fb4fa71c0811a0e1b4966fe4b4a9aafa3348658ab8c9e90dd5cb154db00127b0440ad52230bd9d56467a199133768dae6e7fb9505f69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa66470c-4c58-4abd-b99f-96f5e96a553c.vbs

Filesize
725B

MD5
780e8c48f015b66e13602de6e3129243

SHA1
6da120101632542ebbe1034fb4d0d600b0d6fa57

SHA256
1d6c995d48c9a6677118ac4eb0b3b941b1384a6ec5d9b3f94ba4e40a9c295294

SHA512
e5791f10caba3564017c4c0d6b1434a758b63a842018e7f511af49be2179fe344f03da727a3665b115ddd3de7a8e1e228189754edaeaf3685381af8e1c696353

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb713d6a-14c7-40ab-95de-5d8380fb29c3.vbs

Filesize
725B

MD5
13bb585812f3037b964e4cab09355bee

SHA1
2d5c0750592de27117d5dc85e93e3705f37c78e9

SHA256
b677551ad66af823d09b5bc64093e61e65cdf38203e589599199f61304b51a14

SHA512
c130edf55c91a7f60d08d6ead020912b6133c448b51be65149df1948075cb91b1c4aeb467c07f7ce67516ef3a2d8108844f0a786b2cf31c51c012f082b7dff94

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsvBC5QbGA.bat

Filesize
214B

MD5
8f337947cd2131ba76659fa054c929c2

SHA1
527657ad0f4647fd6894e33d861a63fe352c3c6d

SHA256
0a24ebaeee285262bf0de6486caf018031e3d916d52e77f344687a742b5c9985

SHA512
cf3a64919e108b8fd79cae57c9863843fb22697e9745a617a9629aedcf4948a8c1029bb0cb4f3f27e0e454d01e2af203951bae096ccb6859eadfab16406f0f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4a95dff491aaaeeb733bdb34b1b30b93

SHA1
c88feb24ed6f155ac3ecd00bad61463a9b838929

SHA256
cbe7ea35a655d2581c65b573c3c4d771ebf0cf9ff15ec8b244a02557b671e45e

SHA512
c2d3d604d2709ea334bbe0867678ebe3680104c07d05bec1e901c6f95d5ac1895d2bf32c604922674373b31a617b769455535525fb9c83dac06ff493f5cf1ea0

Download Submit
C:\Users\Default\lsm.exe

Filesize
1.7MB

MD5
4f837cebd3faf07e441a58bd826913fe

SHA1
c01b049ac9363eb1209c58052c7f9931f2ba75ea

SHA256
2a739c7e262a7b964c2cb84c1aa295a5aed95affc6194fff3091047dbd9a68ac

SHA512
da0f3d3d5f6383aaff04a77f3a2ce59187fae36b162999017d39d730207d12af4c018ac08110647c00bb94909b5868be96e2666c064727b61470a3afc6dd1f3c

Download Submit
C:\Users\Default\smss.exe

Filesize
1.7MB

MD5
0624cb81236f6a0e8d0487a766458088

SHA1
36ea7baa5b367c60269eb1a277bd5ad4bc41b54b

SHA256
6854ad7112a5d97e6dc3ffccbd8008d881a3960ed8e5296acc9238c8293b3fa8

SHA512
742d2c2d154133ba9b38c67b59fb4ddbcd16b8b420c8e7fbd14a4c4283c8a875ae62d17924a53b000caf04f5b627d15f031b12e7f98821f03079451008b86553

Download Submit
C:\Users\Default\smss.exe

Filesize
1.7MB

MD5
30d29d1039bb3dfaf49bf71dda5b9c8b

SHA1
50fc4a129af10ea31f68b36219d1f1aad09c4ee1

SHA256
92e08e765f8f6ff96dbdd0660274e4dc67154d63b9a373910eb42c418676e4d3

SHA512
10420e81df9146f1a4eb1558808415ec5deafc1b7fea18e3a8a8735d48251d92c71bdc993cfe984cac5d25456bb7ae1a6bf74f993704c93928c76a86335a09de

Download Submit
C:\Windows\es-ES\explorer.exe

Filesize
1.7MB

MD5
5b363df65193627e56fb4eda089b595f

SHA1
a8cf9fdd93d40be92931b1b942c235bb335e59a5

SHA256
cc28a28a6ebc45861f014b3ee2a755fefba4a9ed199b5993d0e44d6ad5a94e80

SHA512
675f499b21eef6610966ec8e84f42051fb7dd5682330aa5fa016720cfea6aad02b15d1134711f81ecf2ccd962efe4682509186cfc896a230d128d13ae07c8383

Download Submit
memory/548-481-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/548-480-0x0000000000800000-0x00000000009C0000-memory.dmp

Filesize
1.8MB

Download
memory/568-643-0x0000000000840000-0x0000000000A00000-memory.dmp

Filesize
1.8MB

Download
memory/772-707-0x00000000008C0000-0x0000000000A80000-memory.dmp

Filesize
1.8MB

Download
memory/1280-762-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1280-761-0x00000000002B0000-0x0000000000470000-memory.dmp

Filesize
1.8MB

Download
memory/1336-528-0x0000000000200000-0x00000000003C0000-memory.dmp

Filesize
1.8MB

Download
memory/1432-631-0x00000000001D0000-0x0000000000390000-memory.dmp

Filesize
1.8MB

Download
memory/1508-711-0x0000000001180000-0x0000000001340000-memory.dmp

Filesize
1.8MB

Download
memory/1544-339-0x0000000001300000-0x00000000014C0000-memory.dmp

Filesize
1.8MB

Download
memory/1568-623-0x0000000000240000-0x0000000000400000-memory.dmp

Filesize
1.8MB

Download
memory/1608-735-0x00000000001B0000-0x0000000000370000-memory.dmp

Filesize
1.8MB

Download
memory/1632-633-0x0000000000B20000-0x0000000000CE0000-memory.dmp

Filesize
1.8MB

Download
memory/1640-632-0x0000000001180000-0x0000000001340000-memory.dmp

Filesize
1.8MB

Download
memory/1644-753-0x00000000000D0000-0x0000000000290000-memory.dmp

Filesize
1.8MB

Download
memory/1652-513-0x00000000012D0000-0x0000000001490000-memory.dmp

Filesize
1.8MB

Download
memory/1728-575-0x00000000013E0000-0x00000000015A0000-memory.dmp

Filesize
1.8MB

Download
memory/1744-699-0x0000000000190000-0x0000000000350000-memory.dmp

Filesize
1.8MB

Download
memory/1812-710-0x0000000001360000-0x0000000001520000-memory.dmp

Filesize
1.8MB

Download
memory/1816-712-0x0000000000B60000-0x0000000000D20000-memory.dmp

Filesize
1.8MB

Download
memory/1816-745-0x0000000000160000-0x0000000000320000-memory.dmp

Filesize
1.8MB

Download
memory/1964-472-0x00000000003F0000-0x00000000005B0000-memory.dmp

Filesize
1.8MB

Download
memory/1968-634-0x00000000002D0000-0x0000000000490000-memory.dmp

Filesize
1.8MB

Download
memory/1968-635-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/1992-558-0x00000000009B0000-0x0000000000B70000-memory.dmp

Filesize
1.8MB

Download
memory/2000-659-0x0000000000ED0000-0x0000000001090000-memory.dmp

Filesize
1.8MB

Download
memory/2000-709-0x0000000000F50000-0x0000000001110000-memory.dmp

Filesize
1.8MB

Download
memory/2012-674-0x00000000003B0000-0x0000000000570000-memory.dmp

Filesize
1.8MB

Download
memory/2012-675-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/2012-770-0x0000000000FE0000-0x00000000011A0000-memory.dmp

Filesize
1.8MB

Download
memory/2032-489-0x00000000009E0000-0x0000000000BA0000-memory.dmp

Filesize
1.8MB

Download
memory/2144-592-0x0000000000250000-0x0000000000410000-memory.dmp

Filesize
1.8MB

Download
memory/2176-288-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2176-309-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2216-651-0x0000000000080000-0x0000000000240000-memory.dmp

Filesize
1.8MB

Download
memory/2240-536-0x0000000000CA0000-0x0000000000E60000-memory.dmp

Filesize
1.8MB

Download
memory/2304-713-0x00000000012C0000-0x0000000001480000-memory.dmp

Filesize
1.8MB

Download
memory/2308-608-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2344-559-0x00000000002B0000-0x0000000000470000-memory.dmp

Filesize
1.8MB

Download
memory/2404-684-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/2404-683-0x0000000001050000-0x0000000001210000-memory.dmp

Filesize
1.8MB

Download
memory/2552-505-0x00000000000F0000-0x00000000002B0000-memory.dmp

Filesize
1.8MB

Download
memory/2564-744-0x00000000012D0000-0x0000000001490000-memory.dmp

Filesize
1.8MB

Download
memory/2580-567-0x0000000001140000-0x0000000001300000-memory.dmp

Filesize
1.8MB

Download
memory/2588-490-0x00000000000F0000-0x00000000002B0000-memory.dmp

Filesize
1.8MB

Download
memory/2592-590-0x0000000000B80000-0x0000000000D40000-memory.dmp

Filesize
1.8MB

Download
memory/2640-362-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2740-328-0x0000000000F70000-0x0000000001130000-memory.dmp

Filesize
1.8MB

Download
memory/2764-743-0x0000000000170000-0x0000000000330000-memory.dmp

Filesize
1.8MB

Download
memory/2812-708-0x0000000000C60000-0x0000000000E20000-memory.dmp

Filesize
1.8MB

Download
memory/2956-8-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/2956-2-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-15-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/2956-16-0x0000000000B50000-0x0000000000B5C000-memory.dmp

Filesize
48KB

Download
memory/2956-17-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2956-19-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-13-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/2956-12-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2956-183-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

Filesize
4KB

Download
memory/2956-11-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2956-267-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-0-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

Filesize
4KB

Download
memory/2956-7-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2956-1-0x0000000000BA0000-0x0000000000D60000-memory.dmp

Filesize
1.8MB

Download
memory/2956-14-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/2956-6-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/2956-208-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-233-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-5-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2956-4-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/2956-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2956-9-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2968-600-0x0000000000F20000-0x00000000010E0000-memory.dmp

Filesize
1.8MB

Download
memory/2992-591-0x00000000003E0000-0x00000000005A0000-memory.dmp

Filesize
1.8MB

Download