dcrat | c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Size

1.7MB
MD5

8abf836c2a16ee571afc67fde90325b1
SHA1

c224cbb2b5b5f09cb1c60e20b3d4d9ca726d1d08
SHA256

c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252
SHA512

c17401b6614b0a242f93fd39cc526180a0642e0458e3c98705aec842ec4d7e29221abce5a89c0463fcab9755c419ddb2a6456481be06e306cbc6dc168da66ad1
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvd:+THUxUoh1IF9gl22

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2520	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2520	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2580-1-0x0000000000280000-0x0000000000440000-memory.dmp	dcrat
behavioral1/files/0x000600000001755b-27.dat	dcrat
behavioral1/files/0x00060000000186f4-126.dat	dcrat
behavioral1/memory/488-204-0x0000000000BC0000-0x0000000000D80000-memory.dmp	dcrat
behavioral1/memory/1564-325-0x0000000000C60000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/1740-336-0x0000000000F40000-0x0000000001100000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2224	powershell.exe
2316	powershell.exe
592	powershell.exe
2180	powershell.exe
2964	powershell.exe
1540	powershell.exe
1528	powershell.exe
1076	powershell.exe
928	powershell.exe
2944	powershell.exe
1664	powershell.exe
2648	powershell.exe
2472	powershell.exe
2268	powershell.exe
2528	powershell.exe
2812	powershell.exe
688	powershell.exe
1316	powershell.exe
1432	powershell.exe
1324	powershell.exe
2648	powershell.exe
2160	powershell.exe
900	powershell.exe
372	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Executes dropped EXE 3 IoCs

pid	Process
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
1564	csrss.exe
1740	csrss.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\services.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\services.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXBD5F.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\RCXBF63.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\RCXBF64.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXC169.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB955.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXBD5E.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB956.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\WMIADAP.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\Internet Explorer\es-ES\wininit.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\WMIADAP.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6203df4a6bafc7	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\c5b4cb5e9653cc	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXC168.tmp	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\75a57c1bdf437c	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\Internet Explorer\es-ES\56085415360792	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\wininit.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\1610b97d3ab4a7	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\cc11b995f2a76d	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Engines\SR\en-US\dllhost.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\rescache\rc0006\WmiPrvSE.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\ShellNew\audiodg.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\ShellNew\42af1c969fbb7b	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\Microsoft.NET\authman\Idle.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File created	C:\Windows\Microsoft.NET\authman\6ccacd8608530f	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\ShellNew\audiodg.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
File opened for modification	C:\Windows\Microsoft.NET\authman\Idle.exe	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1572	schtasks.exe
692	schtasks.exe
2784	schtasks.exe
1564	schtasks.exe
2788	schtasks.exe
2852	schtasks.exe
348	schtasks.exe
3020	schtasks.exe
2728	schtasks.exe
1496	schtasks.exe
3056	schtasks.exe
2108	schtasks.exe
1960	schtasks.exe
2516	schtasks.exe
1740	schtasks.exe
1772	schtasks.exe
1948	schtasks.exe
1732	schtasks.exe
1612	schtasks.exe
2444	schtasks.exe
2364	schtasks.exe
2212	schtasks.exe
2828	schtasks.exe
2140	schtasks.exe
680	schtasks.exe
1532	schtasks.exe
1260	schtasks.exe
1148	schtasks.exe
296	schtasks.exe
2992	schtasks.exe
2756	schtasks.exe
856	schtasks.exe
268	schtasks.exe
976	schtasks.exe
684	schtasks.exe
1992	schtasks.exe
2764	schtasks.exe
2008	schtasks.exe
2688	schtasks.exe
1960	schtasks.exe
2160	schtasks.exe
816	schtasks.exe
2656	schtasks.exe
2352	schtasks.exe
1276	schtasks.exe
2708	schtasks.exe
2696	schtasks.exe
1968	schtasks.exe
2448	schtasks.exe
2660	schtasks.exe
2700	schtasks.exe
664	schtasks.exe
860	schtasks.exe
2940	schtasks.exe
1760	schtasks.exe
2184	schtasks.exe
848	schtasks.exe
2888	schtasks.exe
1736	schtasks.exe
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
688	powershell.exe
372	powershell.exe
1316	powershell.exe
1664	powershell.exe
900	powershell.exe
1076	powershell.exe
928	powershell.exe
2224	powershell.exe
2316	powershell.exe
1540	powershell.exe
2648	powershell.exe
1528	powershell.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1564	csrss.exe
Token: SeDebugPrivilege	1740	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 900	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	55
PID 2580 wrote to memory of 900	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	55
PID 2580 wrote to memory of 900	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	55
PID 2580 wrote to memory of 688	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	56
PID 2580 wrote to memory of 688	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	56
PID 2580 wrote to memory of 688	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	56
PID 2580 wrote to memory of 1540	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	57
PID 2580 wrote to memory of 1540	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	57
PID 2580 wrote to memory of 1540	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	57
PID 2580 wrote to memory of 1664	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	58
PID 2580 wrote to memory of 1664	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	58
PID 2580 wrote to memory of 1664	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	58
PID 2580 wrote to memory of 1528	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	59
PID 2580 wrote to memory of 1528	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	59
PID 2580 wrote to memory of 1528	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	59
PID 2580 wrote to memory of 928	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	60
PID 2580 wrote to memory of 928	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	60
PID 2580 wrote to memory of 928	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	60
PID 2580 wrote to memory of 1076	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	61
PID 2580 wrote to memory of 1076	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	61
PID 2580 wrote to memory of 1076	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	61
PID 2580 wrote to memory of 2648	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	62
PID 2580 wrote to memory of 2648	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	62
PID 2580 wrote to memory of 2648	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	62
PID 2580 wrote to memory of 2224	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	64
PID 2580 wrote to memory of 2224	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	64
PID 2580 wrote to memory of 2224	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	64
PID 2580 wrote to memory of 1316	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	66
PID 2580 wrote to memory of 1316	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	66
PID 2580 wrote to memory of 1316	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	66
PID 2580 wrote to memory of 372	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	67
PID 2580 wrote to memory of 372	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	67
PID 2580 wrote to memory of 372	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	67
PID 2580 wrote to memory of 2316	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	68
PID 2580 wrote to memory of 2316	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	68
PID 2580 wrote to memory of 2316	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	68
PID 2580 wrote to memory of 1548	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	78
PID 2580 wrote to memory of 1548	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	78
PID 2580 wrote to memory of 1548	2580	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	78
PID 1548 wrote to memory of 1936	1548	cmd.exe	82
PID 1548 wrote to memory of 1936	1548	cmd.exe	82
PID 1548 wrote to memory of 1936	1548	cmd.exe	82
PID 1548 wrote to memory of 488	1548	cmd.exe	83
PID 1548 wrote to memory of 488	1548	cmd.exe	83
PID 1548 wrote to memory of 488	1548	cmd.exe	83
PID 488 wrote to memory of 2472	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	120
PID 488 wrote to memory of 2472	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	120
PID 488 wrote to memory of 2472	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	120
PID 488 wrote to memory of 1432	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	121
PID 488 wrote to memory of 1432	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	121
PID 488 wrote to memory of 1432	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	121
PID 488 wrote to memory of 2944	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	122
PID 488 wrote to memory of 2944	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	122
PID 488 wrote to memory of 2944	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	122
PID 488 wrote to memory of 2268	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	123
PID 488 wrote to memory of 2268	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	123
PID 488 wrote to memory of 2268	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	123
PID 488 wrote to memory of 1324	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	124
PID 488 wrote to memory of 1324	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	124
PID 488 wrote to memory of 1324	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	124
PID 488 wrote to memory of 592	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	125
PID 488 wrote to memory of 592	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	125
PID 488 wrote to memory of 592	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	125
PID 488 wrote to memory of 2964	488	c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
"C:\Users\Admin\AppData\Local\Temp\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pE5MzThSc3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe
    "C:\Users\Admin\AppData\Local\Temp\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ffKrc0Izp.bat"
      4⤵
      PID:2384
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1748
    - - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe
        
        "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6246af7a-49f3-49ec-aaae-cfc3a9380fe9.vbs"
        6⤵
        
        PID:2912
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6711d2e1-4627-4457-adda-226d5dd3a9d5.vbs"
        8⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d92d549-fb22-4641-8c16-336f76ca075a.vbs"
        8⤵
        
        PID:2852
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf2ac08c-b548-4be8-9cba-b258d2b844e8.vbs"
        6⤵
        
        PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252c" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252c" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ShellNew\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\authman\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\authman\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\lua\sd\services.exe

Filesize
1.7MB

MD5
8abf836c2a16ee571afc67fde90325b1

SHA1
c224cbb2b5b5f09cb1c60e20b3d4d9ca726d1d08

SHA256
c27696ee5ee4521f82f3a4d7b463eb10a95635d3d7516109060f9b4a0838f252

SHA512
c17401b6614b0a242f93fd39cc526180a0642e0458e3c98705aec842ec4d7e29221abce5a89c0463fcab9755c419ddb2a6456481be06e306cbc6dc168da66ad1

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\RCXC5DF.tmp

Filesize
1.7MB

MD5
7eca54d1a9331392457b4158eb1328d2

SHA1
f8d385873af312f4b2b669e5f6f5b3b471d77f75

SHA256
923f19d16e6488654beb9a00d9d5d44f724be37bb3d0284994fc518d23c3de09

SHA512
d5fe3475767eb4c2f96020f59414de533ef71259d9bc57b406bf3316fc2b2048373c204cda379d59fe6bb7a9da574f0b34db45106cf81be4557c9b6d641b8040

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\f3b6ecef712a24

Filesize
555B

MD5
dc6b4366d2f7368c8cae6462acb51cef

SHA1
be64f911602969fe403c7371d533b188d2eba6ef

SHA256
99a203556168586708fce08204a42acb8c6b43d5e82dc73c0211e8cdb9b2454f

SHA512
b14b9b842d40f53bec235aac3f4b95bff178db11bb55a0698d437ce3ac7991fc17585270bc98bac3604ed8a1f132009a56c012eac366b68c893c3f7be8b200b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6246af7a-49f3-49ec-aaae-cfc3a9380fe9.vbs

Filesize
734B

MD5
02858261f1c69e94cb679ad57dc93685

SHA1
3dba1764bc25fcf41efb2f32b3aba6076ffdb4e8

SHA256
88ef1035e148e01208c8a9ac99f0431f0f55c78c4cc32da41da2a8f297a168c2

SHA512
0d60fddc05d3ac7f56eaa353f6eb496f675e7ec93f4280806d6a307135ea6a0bfbae7dd03b993c60e313d655cdc5767a2001d24f815658efcb20fedaf6c3acd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6711d2e1-4627-4457-adda-226d5dd3a9d5.vbs

Filesize
734B

MD5
16fdb2b19cfe263aadf18b9fb915aa2d

SHA1
09611661cd6278f22a6cc708fbd2a1881f246918

SHA256
0a2fafe32ceb85874fae411eaad0b3537acb051efb9b7a670b03bd84021cd7f3

SHA512
9f44fb8977dcce13f5c6ae08ea2907516c044be08765012b333bf17ee3884b9aa50e1c80a21f050906bda76e0fe571ac899af42957d4f52e0181a3537c7c8ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ffKrc0Izp.bat

Filesize
223B

MD5
e7923b2d58b8d65390d923968f7fdab8

SHA1
4c9266b9424068b1d2c899e9623e8ae63d87daae

SHA256
febc505426f5533cfb86d6a5a8455e0dc132bde1b585adcad0b0da91847fccd3

SHA512
0d9f7bb80850f068ea8eb829a3504a49e374a4e89e2a7bd220db8ac7334a65a099fa46c6ac4617660ed01a7b4fcd14ed7c6c6319d9dd2b83a0c8f681734a2c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf2ac08c-b548-4be8-9cba-b258d2b844e8.vbs

Filesize
510B

MD5
9ba1b15acad02cc6405c0a46707dff9f

SHA1
ba4cb9ae4709d1a9b7c97b93f179e2054be9b0ec

SHA256
71bfc7379dac312d3102056957ee73029f96027a604f85cd342818901007a190

SHA512
c6253b6780e5638fcefafc12134dc17b533a02bb988fb5b5b78c3a2090c2a6abe9b1beaf2ad9a2a372463b866b01ace1838fb88e7c350d5d23dd90b878f61402

Download Submit
C:\Users\Admin\AppData\Local\Temp\pE5MzThSc3.bat

Filesize
267B

MD5
d947295d4e681be3e957b4d333d33fde

SHA1
b76fd05d1b8555a959c508a5d4561ce9a8b9c017

SHA256
4d779867a4277fe5af078a9999f6d1b0e8e34d3571b78081f3ccc52b7c844758

SHA512
aab830c36eecaa2f954b07a67281176d558b568353fca6290bcec9c6a2255649ef3a3cfa670da430b728166ffbd3a601bf63068f62967edbc531fc078c5133dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
536c7a9d3482a7ac425a295720527d75

SHA1
fffcfaaeaf298e65481dc70c53eabc92106787c1

SHA256
5096c0aa3cfd59f6d24cccf092e540428a0c45c4532e411c49041ab57a58ea2a

SHA512
ffb094de53c1b5239c33510ef73f8350ba4e68c0afacd2f9c2eb6af6e0a42b74f9a0188d7830db69e3b44d7a2cd673b957c57a99148764c766a93a79a027f120

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d9714b1198d47b340441b35f2c238862

SHA1
9948a0b8dd5a27385a971dd92c9969952fa63558

SHA256
99dcaa0fef52a5949ec7e379a9db5f432fb35e5f879c83c7d3568a2400b9aeb2

SHA512
12084570cff5d1cfa67b1bb557f41860d368194c21bebe2875a9cd3b7d4d5593b55614d9a04a32cd3aee746ce7a9ad8456f3830f556d6a39148ee1fff2a9e0e5

Download Submit
memory/488-205-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/488-204-0x0000000000BC0000-0x0000000000D80000-memory.dmp

Filesize
1.8MB

Download
memory/688-146-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/688-147-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/1564-325-0x0000000000C60000-0x0000000000E20000-memory.dmp

Filesize
1.8MB

Download
memory/1740-336-0x0000000000F40000-0x0000000001100000-memory.dmp

Filesize
1.8MB

Download
memory/2160-276-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2160-292-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2580-4-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download
memory/2580-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2580-7-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/2580-18-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-17-0x000000001A830000-0x000000001A83C000-memory.dmp

Filesize
48KB

Download
memory/2580-16-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/2580-15-0x000000001A810000-0x000000001A818000-memory.dmp

Filesize
32KB

Download
memory/2580-13-0x00000000023F0000-0x00000000023FA000-memory.dmp

Filesize
40KB

Download
memory/2580-14-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/2580-3-0x00000000021A0000-0x00000000021BC000-memory.dmp

Filesize
112KB

Download
memory/2580-12-0x00000000023E0000-0x00000000023EC000-memory.dmp

Filesize
48KB

Download
memory/2580-9-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2580-11-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2580-8-0x0000000002270000-0x000000000227C000-memory.dmp

Filesize
48KB

Download
memory/2580-140-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-6-0x0000000002380000-0x0000000002396000-memory.dmp

Filesize
88KB

Download
memory/2580-1-0x0000000000280000-0x0000000000440000-memory.dmp

Filesize
1.8MB

Download
memory/2580-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-5-0x00000000021D0000-0x00000000021E0000-memory.dmp

Filesize
64KB

Download