dcrat | abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Size

1.7MB
MD5

92f20cf5b97297600b5272178b6534c7
SHA1

3d7b513aea13d6a7c7e66d0a74d0af11b8d7f625
SHA256

abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b
SHA512

81f0c12d78f958d1a1d74bd13ed015c878bef5a51040ab9346713a47626a58e163f6568b9f97803b18b49a583b5622c61fd065d9fe957af8763ce80edd3135c4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2736	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2504-1-0x00000000013D0000-0x0000000001590000-memory.dmp	dcrat
behavioral1/files/0x000600000001707f-27.dat	dcrat
behavioral1/files/0x000c000000019354-196.dat	dcrat
behavioral1/memory/2412-329-0x0000000000CF0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/692-373-0x0000000000E40000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/2312-385-0x0000000001320000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2692-397-0x0000000000110000-0x00000000002D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
820	powershell.exe
3068	powershell.exe
448	powershell.exe
2940	powershell.exe
1624	powershell.exe
1672	powershell.exe
1536	powershell.exe
1020	powershell.exe
2436	powershell.exe
692	powershell.exe
3064	powershell.exe
1704	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Executes dropped EXE 7 IoCs

pid	Process
2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2908	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2232	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
692	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2312	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2692	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\42af1c969fbb7b	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Windows Media Player\f3b6ecef712a24	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXD022.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXD499.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\7-Zip\Lang\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Microsoft Games\RCXD910.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\7-Zip\Lang\1ed22f03789fd4	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Windows Mail\es-ES\System.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC194.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Microsoft Games\OSPPSVC.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\RCXC59C.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXD498.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Windows Media Player\spoolsv.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\RCXC59D.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCXC80E.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCXC80F.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\System.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Microsoft Games\OSPPSVC.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\42af1c969fbb7b	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC193.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXD021.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Media Player\spoolsv.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Windows Mail\es-ES\27d1bcfc3c54e0	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Microsoft Games\1610b97d3ab4a7	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Microsoft Games\RCXD90F.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\debug\WIA\1ed22f03789fd4	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\dllhost.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\debug\WIA\RCXCC19.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\Tasks\dllhost.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\RCXCA13.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\RCXCA14.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\debug\WIA\RCXCC18.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\Tasks\5940a34987c991	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe
1236	schtasks.exe
1208	schtasks.exe
1088	schtasks.exe
676	schtasks.exe
3052	schtasks.exe
2764	schtasks.exe
1508	schtasks.exe
1060	schtasks.exe
2204	schtasks.exe
2388	schtasks.exe
1396	schtasks.exe
2464	schtasks.exe
1628	schtasks.exe
2776	schtasks.exe
1512	schtasks.exe
2936	schtasks.exe
1984	schtasks.exe
1288	schtasks.exe
2992	schtasks.exe
2656	schtasks.exe
1104	schtasks.exe
1936	schtasks.exe
1940	schtasks.exe
2852	schtasks.exe
2824	schtasks.exe
1736	schtasks.exe
1720	schtasks.exe
1712	schtasks.exe
2960	schtasks.exe
2168	schtasks.exe
2884	schtasks.exe
2952	schtasks.exe
2616	schtasks.exe
2932	schtasks.exe
2216	schtasks.exe
1244	schtasks.exe
792	schtasks.exe
2940	schtasks.exe
2792	schtasks.exe
2600	schtasks.exe
2112	schtasks.exe
1456	schtasks.exe
1808	schtasks.exe
1708	schtasks.exe
1764	schtasks.exe
1876	schtasks.exe
1804	schtasks.exe
1664	schtasks.exe
1000	schtasks.exe
3048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
3064	powershell.exe
2436	powershell.exe
1704	powershell.exe
2940	powershell.exe
1536	powershell.exe
448	powershell.exe
3068	powershell.exe
692	powershell.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1672	powershell.exe
820	powershell.exe
1020	powershell.exe
1624	powershell.exe
2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	2908	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	2232	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	692	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	2312	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	2692	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1536	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	83
PID 2504 wrote to memory of 1536	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	83
PID 2504 wrote to memory of 1536	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	83
PID 2504 wrote to memory of 1020	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	84
PID 2504 wrote to memory of 1020	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	84
PID 2504 wrote to memory of 1020	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	84
PID 2504 wrote to memory of 2436	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	85
PID 2504 wrote to memory of 2436	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	85
PID 2504 wrote to memory of 2436	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	85
PID 2504 wrote to memory of 692	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	86
PID 2504 wrote to memory of 692	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	86
PID 2504 wrote to memory of 692	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	86
PID 2504 wrote to memory of 820	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	87
PID 2504 wrote to memory of 820	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	87
PID 2504 wrote to memory of 820	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	87
PID 2504 wrote to memory of 3064	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	88
PID 2504 wrote to memory of 3064	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	88
PID 2504 wrote to memory of 3064	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	88
PID 2504 wrote to memory of 1704	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	89
PID 2504 wrote to memory of 1704	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	89
PID 2504 wrote to memory of 1704	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	89
PID 2504 wrote to memory of 3068	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	90
PID 2504 wrote to memory of 3068	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	90
PID 2504 wrote to memory of 3068	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	90
PID 2504 wrote to memory of 1672	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	91
PID 2504 wrote to memory of 1672	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	91
PID 2504 wrote to memory of 1672	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	91
PID 2504 wrote to memory of 448	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	92
PID 2504 wrote to memory of 448	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	92
PID 2504 wrote to memory of 448	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	92
PID 2504 wrote to memory of 2940	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	93
PID 2504 wrote to memory of 2940	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	93
PID 2504 wrote to memory of 2940	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	93
PID 2504 wrote to memory of 1624	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	94
PID 2504 wrote to memory of 1624	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	94
PID 2504 wrote to memory of 1624	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	94
PID 2504 wrote to memory of 2412	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	107
PID 2504 wrote to memory of 2412	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	107
PID 2504 wrote to memory of 2412	2504	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	107
PID 2412 wrote to memory of 1532	2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	108
PID 2412 wrote to memory of 1532	2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	108
PID 2412 wrote to memory of 1532	2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	108
PID 2412 wrote to memory of 1648	2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	109
PID 2412 wrote to memory of 1648	2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	109
PID 2412 wrote to memory of 1648	2412	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	109
PID 1532 wrote to memory of 2908	1532	WScript.exe	110
PID 1532 wrote to memory of 2908	1532	WScript.exe	110
PID 1532 wrote to memory of 2908	1532	WScript.exe	110
PID 2908 wrote to memory of 2096	2908	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	111
PID 2908 wrote to memory of 2096	2908	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	111
PID 2908 wrote to memory of 2096	2908	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	111
PID 2908 wrote to memory of 1860	2908	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	112
PID 2908 wrote to memory of 1860	2908	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	112
PID 2908 wrote to memory of 1860	2908	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	112
PID 2096 wrote to memory of 2236	2096	WScript.exe	113
PID 2096 wrote to memory of 2236	2096	WScript.exe	113
PID 2096 wrote to memory of 2236	2096	WScript.exe	113
PID 2236 wrote to memory of 1008	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	114
PID 2236 wrote to memory of 1008	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	114
PID 2236 wrote to memory of 1008	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	114
PID 2236 wrote to memory of 880	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	115
PID 2236 wrote to memory of 880	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	115
PID 2236 wrote to memory of 880	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	115
PID 1008 wrote to memory of 2232	1008	WScript.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
"C:\Users\Admin\AppData\Local\Temp\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
  "C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5dad9e0-f883-43eb-a7cc-99fe87444690.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
      C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa1f2b15-e9fa-40d4-9de2-ea62dff1ad8b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e790938a-3216-482b-905f-468aa55e3db6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c28e1eda-e5fb-4034-aea7-247258a72416.vbs"
        9⤵
        
        PID:2696
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dae3c5f3-fb5f-4eeb-a09e-f123cf3b0cc8.vbs"
        11⤵
        
        PID:2144
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb33a319-d0ac-44db-8cee-4aa229f93f9d.vbs"
        13⤵
        
        PID:1804
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        
        C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a3d7c2-bf34-43aa-b657-f2fcbe410826.vbs"
        15⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95c9b6ac-b590-4976-8f01-039e2703b344.vbs"
        15⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d423703-1975-4ad0-83b5-073ce856f064.vbs"
        13⤵
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3b6a66e-83d8-4e6e-830f-f2a93215f90d.vbs"
        11⤵
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\206a3f78-3058-46cc-9cb4-99c55cd27906.vbs"
        9⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1d22d47-1834-45cb-8d78-8bdb93f36efb.vbs"
        7⤵
        
        PID:880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd2fdf79-0ab9-442b-b886-ce19abc8e1e2.vbs"
        5⤵
        
        PID:1860
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8c46f42-9a6f-4565-8e8f-1f0d1eb345a0.vbs"
    3⤵
    PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983ba" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983ba" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983ba" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b" /sc ONLOGON /tr "'C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983ba" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\lsm.exe

Filesize
1.7MB

MD5
92f20cf5b97297600b5272178b6534c7

SHA1
3d7b513aea13d6a7c7e66d0a74d0af11b8d7f625

SHA256
abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b

SHA512
81f0c12d78f958d1a1d74bd13ed015c878bef5a51040ab9346713a47626a58e163f6568b9f97803b18b49a583b5622c61fd065d9fe957af8763ce80edd3135c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\25a3d7c2-bf34-43aa-b657-f2fcbe410826.vbs

Filesize
765B

MD5
ad3f354cd7421f24ef13f9087a531913

SHA1
ea0ccbd73ba8586d20c0b992de9781597f41501f

SHA256
1628637345f2d6cd2705d5d00cadf7bc68e9c837e408fb20d36b4435d7354071

SHA512
165c354c9501f9a3c75daab747c5eecba9ac26e01377d11186c15b69e1280ad35f0e596caab5506f791e5c5ec8a08dbfa920dd2e3d834f75878dc391d5aed5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb33a319-d0ac-44db-8cee-4aa229f93f9d.vbs

Filesize
765B

MD5
72a80891b2a0d6b72964fd3bd1aa69c6

SHA1
96b47ccd4106475b910e0da8e8b92622f28cc378

SHA256
af4214c21b6685222dd9f94398dea377fa280c818faac8029afacd58153894c1

SHA512
87955192a77e1543406c6506161326404a35a8c1a36538b95f16407c8cc29a4d75dba49a8775295fd3c3eb8e74f28ba27aef1281231da746bea6c43d86071f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\c28e1eda-e5fb-4034-aea7-247258a72416.vbs

Filesize
765B

MD5
bf62d032739c3459b9ebb4b14cc3d2f7

SHA1
a3ffda33fb9df3776cb8961f7886b0716dcfbce8

SHA256
7c65237a1fd8ee0e1330a2c6c630d3bada9c35f099ed08492c93f42db7263c0f

SHA512
1c4f90fc134c0664ff7cc96d7c3c1ba69f174ef2ee46d56904091aa3b5f3a8df2e0e0670c64ec0d8a0cec27ea7c66225b9405f168a9942c9f54111e22cebcbb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5dad9e0-f883-43eb-a7cc-99fe87444690.vbs

Filesize
765B

MD5
06da445ed896fc9251c7b5971e66a561

SHA1
88d88912ccbb864a3578fe2178f255af25116afd

SHA256
6e874b32d732e6bc48d70eaca1bf0f5e8fa15b46b74c0b85abae711d8aba7703

SHA512
a312a6993cf1b1f54ef4de11146138b3b375c50529ee569f8ef341e8fb3956dd1aa3ca246b404abe2c85a2d5ec4d1b4fdb3e25002158c69669435d085f30d57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dae3c5f3-fb5f-4eeb-a09e-f123cf3b0cc8.vbs

Filesize
764B

MD5
d571845ad0d41b211fc44b937c1fc241

SHA1
7ad2a376e33a417f6636c9fe0cc4d8ee761eccd3

SHA256
6f222d0d2336ac68dc68fcebe4879a4e99b09245d66ae43c097087d63eef358a

SHA512
780ec5af29c1d5192659699d62229702a4bd91d7a6604c5829adcb6306bb8666df176e6f29987258be7077fafed0a247d54c55438bf13d7d57222480f53cf7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e790938a-3216-482b-905f-468aa55e3db6.vbs

Filesize
765B

MD5
11dee80004b6841210e066e92b73fb7b

SHA1
771f9d0ad485a7237a24a35accf31ecd1df7d7ae

SHA256
97e99020b35105592ebf33f582e509a8a7b0043aaadfe782ec0c6b0f1620e92d

SHA512
a31462d83575c2daf4e7d5cb4bc39a473584dfbc0af903303d2699a5f3fb2edbbd88c91b6960136f70bf202ed77c443f7c9eb8ab36b47f1586eb42148df922c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8c46f42-9a6f-4565-8e8f-1f0d1eb345a0.vbs

Filesize
541B

MD5
a4415a8bd5c464daedfdbf1e93d81866

SHA1
a389614f1b13f78827f20d09ef39d1526efb2976

SHA256
81c5acd0c06d9b4ee89d5f6bbf44807313abb95d329c9972fe20685993b11d48

SHA512
1257f0e8017ea8bca318301d74057c376a9a9645e37a4684d0e2b433071654ce5952e9d2b1fd962b9f4e1ff927e831ecb70b38d253beb12036f346b7540b12cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa1f2b15-e9fa-40d4-9de2-ea62dff1ad8b.vbs

Filesize
765B

MD5
a92c768596a332f2471a34f1fee56889

SHA1
46a66bd5f6367b5160ec32591a615b6d485f4e9c

SHA256
021e0cbf6cd8454221eff33e73d282b5e0292858b4547e39d58bb922a6622ade

SHA512
7d590a4f2cb09db208facac76a77121b302e8c2a5f699891f1891cdaa0621f99125278097c205291e26591317f7209f622df3bb4c472b01cace68c827b123725

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48ada50636c413f00c80c9727f806bad

SHA1
c467f9ad5b2927da324629de265de2593140c478

SHA256
3b4738be4a03105ca36517fb7fa140399bb19f117e6a36deda7758553ae7ec29

SHA512
5a61028ed17a1d1543dacc1d9b15c61a686aa36d53986843558cf20b46bf843bb1f11ff3f92f955a8311c5cde2a05c4187668313d2c9f5af27f34d38688daf4e

Download Submit
C:\Users\Public\Favorites\explorer.exe

Filesize
1.7MB

MD5
69ed1e435fd53e857a5de704d83b4730

SHA1
38473ec694e97f2a7a4079d0e002a9041ee47615

SHA256
c2eea49c1c2f51d60cbf292dc3fd917bb08c7f7b6e52b774ca8451eae4fd55f4

SHA512
57e9e1a0ff28b75fca832c9757492eb9d2969fcb2c373ab3458d604acc6fcb7d09e84c965e6a96a55da590b214118aac20090ab803d8f9a132c0ebdd51deb395

Download Submit
memory/692-373-0x0000000000E40000-0x0000000001000000-memory.dmp

Filesize
1.8MB

Download
memory/2312-385-0x0000000001320000-0x00000000014E0000-memory.dmp

Filesize
1.8MB

Download
memory/2412-329-0x0000000000CF0000-0x0000000000EB0000-memory.dmp

Filesize
1.8MB

Download
memory/2436-285-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2436-297-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2504-9-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2504-330-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2504-16-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2504-199-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2504-223-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-248-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-15-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2504-13-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2504-14-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2504-12-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2504-18-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-11-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2504-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2504-8-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2504-7-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2504-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2504-4-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2504-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2504-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2504-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-1-0x00000000013D0000-0x0000000001590000-memory.dmp

Filesize
1.8MB

Download
memory/2692-397-0x0000000000110000-0x00000000002D0000-memory.dmp

Filesize
1.8MB

Download