dcrat | a5e738fd413ce1211c133c3563559318758d22357276470d2904b262572097a5

Analysis

max time kernel
898s
max time network
899s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2025 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w.exe
Size

1.1MB
MD5

916e7e11eec1f7550312e6dad79a3027
SHA1

bef635ab11898cdd33a7cac9cb48a687cc58eb3e
SHA256

a5e738fd413ce1211c133c3563559318758d22357276470d2904b262572097a5
SHA512

a1f48f697c204e0e5a87955d8d8c90c874ce7cb5e5fee218c471f89b87e2e6c6049136bf64e0cc4a44f16b98a0ab5f38351fa36e6977b92a3677a898659ef1aa
SSDEEP

24576:U2G/nvxW3Ww0tcWnxxx2mUO9OmCOBYQigDKWML:UbA30c2xvKCRS

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1680	schtasks.exe
		4796	schtasks.exe
		3596	schtasks.exe
		4004	schtasks.exe
		3256	schtasks.exe
		2960	schtasks.exe
		3236	schtasks.exe
		1656	schtasks.exe
		2616	schtasks.exe
		3500	schtasks.exe
		2400	schtasks.exe
		4312	schtasks.exe
		5020	schtasks.exe
		3228	schtasks.exe
		2956	schtasks.exe
		3512	schtasks.exe
		2396	schtasks.exe
		3748	schtasks.exe
		2560	schtasks.exe
		4968	schtasks.exe
		3912	schtasks.exe
		3468	schtasks.exe
		2576	schtasks.exe
		4292	schtasks.exe
		3016	schtasks.exe
		1572	schtasks.exe
		1996	schtasks.exe
		4008	schtasks.exe
		2584	schtasks.exe
		2864	schtasks.exe
		1540	schtasks.exe
		1440	schtasks.exe
		4712	schtasks.exe
		2216	schtasks.exe
		2300	schtasks.exe
		1464	schtasks.exe
		4832	schtasks.exe
		4708	schtasks.exe
		1472	schtasks.exe
		3796	schtasks.exe
		1048	schtasks.exe
		3504	schtasks.exe
		3668	schtasks.exe
		1060	schtasks.exe
		4104	schtasks.exe
		2792	schtasks.exe
		3188	schtasks.exe
		240	schtasks.exe
		4756	schtasks.exe
		4272	schtasks.exe
		3776	schtasks.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ee2ad38f3d4382		Webcrt.exe
		1136	schtasks.exe
		1828	schtasks.exe
		1448	schtasks.exe
		3692	schtasks.exe
		3604	schtasks.exe
		3636	schtasks.exe
		2080	schtasks.exe
		4516	schtasks.exe
		796	schtasks.exe
		2752	schtasks.exe
		3980	schtasks.exe
		3764	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3664	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	3664	schtasks.exe	81

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001a00000002ab31-10.dat	dcrat
behavioral1/memory/5100-13-0x00000000001B0000-0x0000000000286000-memory.dmp	dcrat

Executes dropped EXE 64 IoCs

pid	Process
5100	Webcrt.exe
1052	Webcrt.exe
1144	dwm.exe
2968	dwm.exe
3600	dwm.exe
1064	dwm.exe
2460	dwm.exe
4012	dwm.exe
3636	dwm.exe
5096	dwm.exe
4280	dwm.exe
1204	dwm.exe
1400	dwm.exe
3580	dwm.exe
1432	dwm.exe
2272	dwm.exe
2924	dwm.exe
1464	dwm.exe
1212	dwm.exe
1164	dwm.exe
4796	dwm.exe
836	dwm.exe
2676	dwm.exe
3720	dwm.exe
2992	dwm.exe
3296	dwm.exe
3600	dwm.exe
2088	dwm.exe
1832	dwm.exe
2136	dwm.exe
3084	dwm.exe
4128	dwm.exe
2348	dwm.exe
3400	dwm.exe
1844	dwm.exe
4960	dwm.exe
1884	dwm.exe
4008	sppsvc.exe
400	dwm.exe
1244	dwm.exe
2772	dwm.exe
1012	dwm.exe
1796	dwm.exe
4492	RuntimeBroker.exe
3304	Registry.exe
3000	sihost.exe
1356	dwm.exe
1456	dwm.exe
3640	dwm.exe
728	dwm.exe
4244	dwm.exe
1304	dwm.exe
2624	dwm.exe
3956	dwm.exe
2788	dwm.exe
484	dwm.exe
4508	StartMenuExperienceHost.exe
3256	System.exe
3812	csrss.exe
4364	dwm.exe
1592	dwm.exe
3588	fontdrvhost.exe
3424	fontdrvhost.exe
900	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
62	pastebin.com
79	pastebin.com
80	pastebin.com
9	pastebin.com
13	pastebin.com
30	pastebin.com
22	pastebin.com
23	pastebin.com
25	pastebin.com
16	pastebin.com
26	pastebin.com
72	pastebin.com
52	pastebin.com
27	pastebin.com
41	pastebin.com
47	pastebin.com
59	pastebin.com
66	pastebin.com
75	pastebin.com
19	pastebin.com
32	pastebin.com
40	pastebin.com
76	pastebin.com
4	pastebin.com
46	pastebin.com
55	pastebin.com
37	pastebin.com
43	pastebin.com
64	pastebin.com
70	pastebin.com
77	pastebin.com
81	pastebin.com
5	pastebin.com
17	pastebin.com
38	pastebin.com
60	pastebin.com
74	pastebin.com
6	pastebin.com
44	pastebin.com
51	pastebin.com
21	pastebin.com
28	pastebin.com
54	pastebin.com
68	pastebin.com
69	pastebin.com
7	pastebin.com
8	pastebin.com
12	pastebin.com
71	pastebin.com
18	pastebin.com
56	pastebin.com
58	pastebin.com
65	pastebin.com
78	pastebin.com
20	pastebin.com
24	pastebin.com
29	pastebin.com
45	pastebin.com
48	pastebin.com
10	pastebin.com
14	pastebin.com
15	pastebin.com
63	pastebin.com
73	pastebin.com

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe	Webcrt.exe
File created	C:\Program Files\MSBuild\Microsoft\dwm.exe	Webcrt.exe
File created	C:\Program Files\Java\5940a34987c991	Webcrt.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	Webcrt.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	Webcrt.exe
File created	C:\Program Files\Java\jdk-1.8\5b884080fd4f94	Webcrt.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	Webcrt.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	Webcrt.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	Webcrt.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	Webcrt.exe
File created	C:\Program Files\Java\dllhost.exe	Webcrt.exe
File created	C:\Program Files\Java\jdk-1.8\fontdrvhost.exe	Webcrt.exe
File created	C:\Program Files\MSBuild\Microsoft\6cb0b6c459d5d3	Webcrt.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	Webcrt.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Webcrt.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Webcrt.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ee2ad38f3d4382	Webcrt.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\886983d96e3d3e	Webcrt.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3	Webcrt.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\csrss.exe	Webcrt.exe
File created	C:\Windows\InputMethod\886983d96e3d3e	Webcrt.exe
File created	C:\Windows\twain_32\sppsvc.exe	Webcrt.exe
File created	C:\Windows\twain_32\0a1fd5f707cd16	Webcrt.exe
File created	C:\Windows\UUS\wininit.exe	Webcrt.exe
File created	C:\Windows\Sun\Java\StartMenuExperienceHost.exe	Webcrt.exe
File created	C:\Windows\Sun\Java\55b276f4edf653	Webcrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	Webcrt.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	w.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2616	schtasks.exe
2400	schtasks.exe
4312	schtasks.exe
1136	schtasks.exe
3980	schtasks.exe
1656	schtasks.exe
3776	schtasks.exe
4292	schtasks.exe
3488	schtasks.exe
1464	schtasks.exe
2216	schtasks.exe
4004	schtasks.exe
4968	schtasks.exe
4796	schtasks.exe
2080	schtasks.exe
1440	schtasks.exe
1680	schtasks.exe
3188	schtasks.exe
2864	schtasks.exe
4204	schtasks.exe
3636	schtasks.exe
4708	schtasks.exe
3468	schtasks.exe
3228	schtasks.exe
4712	schtasks.exe
3692	schtasks.exe
2752	schtasks.exe
1448	schtasks.exe
1572	schtasks.exe
3604	schtasks.exe
3236	schtasks.exe
1996	schtasks.exe
3016	schtasks.exe
1472	schtasks.exe
240	schtasks.exe
4104	schtasks.exe
2960	schtasks.exe
1540	schtasks.exe
2584	schtasks.exe
3912	schtasks.exe
2300	schtasks.exe
3668	schtasks.exe
2956	schtasks.exe
2396	schtasks.exe
3500	schtasks.exe
4836	schtasks.exe
4516	schtasks.exe
3796	schtasks.exe
3512	schtasks.exe
2792	schtasks.exe
5020	schtasks.exe
3256	schtasks.exe
2560	schtasks.exe
1048	schtasks.exe
2576	schtasks.exe
1828	schtasks.exe
3504	schtasks.exe
4756	schtasks.exe
3764	schtasks.exe
3748	schtasks.exe
3596	schtasks.exe
4272	schtasks.exe
4008	schtasks.exe
1060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	Webcrt.exe
5100	Webcrt.exe
5100	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1052	Webcrt.exe
1144	dwm.exe
2968	dwm.exe
3600	dwm.exe
1064	dwm.exe
2460	dwm.exe
4012	dwm.exe
3636	dwm.exe
5096	dwm.exe
4280	dwm.exe
1204	dwm.exe
1400	dwm.exe
3580	dwm.exe
1432	dwm.exe
2272	dwm.exe
2924	dwm.exe
1464	dwm.exe
1212	dwm.exe
1164	dwm.exe
4796	dwm.exe
836	dwm.exe
2676	dwm.exe
3720	dwm.exe
2992	dwm.exe
3296	dwm.exe
3600	dwm.exe
2088	dwm.exe
1832	dwm.exe
2136	dwm.exe
3084	dwm.exe
4128	dwm.exe
2348	dwm.exe
3400	dwm.exe
1844	dwm.exe
4960	dwm.exe
1884	dwm.exe
400	dwm.exe
1244	dwm.exe
2772	dwm.exe
1012	dwm.exe
1796	dwm.exe
1356	dwm.exe
1456	dwm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	Webcrt.exe
Token: SeDebugPrivilege	1052	Webcrt.exe
Token: SeDebugPrivilege	1144	dwm.exe
Token: SeDebugPrivilege	2968	dwm.exe
Token: SeDebugPrivilege	3600	dwm.exe
Token: SeDebugPrivilege	1064	dwm.exe
Token: SeDebugPrivilege	2460	dwm.exe
Token: SeDebugPrivilege	4012	dwm.exe
Token: SeDebugPrivilege	3636	dwm.exe
Token: SeDebugPrivilege	5096	dwm.exe
Token: SeDebugPrivilege	4280	dwm.exe
Token: SeDebugPrivilege	1204	dwm.exe
Token: SeDebugPrivilege	1400	dwm.exe
Token: SeDebugPrivilege	3580	dwm.exe
Token: SeDebugPrivilege	1432	dwm.exe
Token: SeDebugPrivilege	2272	dwm.exe
Token: SeDebugPrivilege	2924	dwm.exe
Token: SeDebugPrivilege	1464	dwm.exe
Token: SeDebugPrivilege	1212	dwm.exe
Token: SeDebugPrivilege	1164	dwm.exe
Token: SeDebugPrivilege	4796	dwm.exe
Token: SeDebugPrivilege	836	dwm.exe
Token: SeDebugPrivilege	2676	dwm.exe
Token: SeDebugPrivilege	3720	dwm.exe
Token: SeDebugPrivilege	2992	dwm.exe
Token: SeDebugPrivilege	3296	dwm.exe
Token: SeDebugPrivilege	3600	dwm.exe
Token: SeDebugPrivilege	2088	dwm.exe
Token: SeDebugPrivilege	1832	dwm.exe
Token: SeDebugPrivilege	2136	dwm.exe
Token: SeDebugPrivilege	3084	dwm.exe
Token: SeDebugPrivilege	4128	dwm.exe
Token: SeDebugPrivilege	2348	dwm.exe
Token: SeDebugPrivilege	3400	dwm.exe
Token: SeDebugPrivilege	1844	dwm.exe
Token: SeDebugPrivilege	4960	dwm.exe
Token: SeDebugPrivilege	1884	dwm.exe
Token: SeDebugPrivilege	4008	sppsvc.exe
Token: SeDebugPrivilege	400	dwm.exe
Token: SeDebugPrivilege	1244	dwm.exe
Token: SeDebugPrivilege	2772	dwm.exe
Token: SeDebugPrivilege	1012	dwm.exe
Token: SeDebugPrivilege	1796	dwm.exe
Token: SeDebugPrivilege	4492	RuntimeBroker.exe
Token: SeDebugPrivilege	3304	Registry.exe
Token: SeDebugPrivilege	3000	sihost.exe
Token: SeDebugPrivilege	1356	dwm.exe
Token: SeDebugPrivilege	1456	dwm.exe
Token: SeDebugPrivilege	3640	dwm.exe
Token: SeDebugPrivilege	728	dwm.exe
Token: SeDebugPrivilege	4244	dwm.exe
Token: SeDebugPrivilege	1304	dwm.exe
Token: SeDebugPrivilege	2624	dwm.exe
Token: SeDebugPrivilege	3956	dwm.exe
Token: SeDebugPrivilege	2788	dwm.exe
Token: SeDebugPrivilege	484	dwm.exe
Token: SeDebugPrivilege	4508	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3256	System.exe
Token: SeDebugPrivilege	3812	csrss.exe
Token: SeDebugPrivilege	4364	dwm.exe
Token: SeDebugPrivilege	1592	dwm.exe
Token: SeDebugPrivilege	3588	fontdrvhost.exe
Token: SeDebugPrivilege	3424	fontdrvhost.exe
Token: SeDebugPrivilege	900	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2992	1604	w.exe	77
PID 1604 wrote to memory of 2992	1604	w.exe	77
PID 1604 wrote to memory of 2992	1604	w.exe	77
PID 2992 wrote to memory of 2056	2992	WScript.exe	78
PID 2992 wrote to memory of 2056	2992	WScript.exe	78
PID 2992 wrote to memory of 2056	2992	WScript.exe	78
PID 2056 wrote to memory of 5100	2056	cmd.exe	80
PID 2056 wrote to memory of 5100	2056	cmd.exe	80
PID 5100 wrote to memory of 1052	5100	Webcrt.exe	91
PID 5100 wrote to memory of 1052	5100	Webcrt.exe	91
PID 1052 wrote to memory of 3492	1052	Webcrt.exe	149
PID 1052 wrote to memory of 3492	1052	Webcrt.exe	149
PID 3492 wrote to memory of 4560	3492	cmd.exe	151
PID 3492 wrote to memory of 4560	3492	cmd.exe	151
PID 3492 wrote to memory of 1144	3492	cmd.exe	152
PID 3492 wrote to memory of 1144	3492	cmd.exe	152
PID 1144 wrote to memory of 1820	1144	dwm.exe	153
PID 1144 wrote to memory of 1820	1144	dwm.exe	153
PID 1820 wrote to memory of 1884	1820	cmd.exe	155
PID 1820 wrote to memory of 1884	1820	cmd.exe	155
PID 1820 wrote to memory of 2968	1820	cmd.exe	156
PID 1820 wrote to memory of 2968	1820	cmd.exe	156
PID 2968 wrote to memory of 1236	2968	dwm.exe	157
PID 2968 wrote to memory of 1236	2968	dwm.exe	157
PID 1236 wrote to memory of 2624	1236	cmd.exe	159
PID 1236 wrote to memory of 2624	1236	cmd.exe	159
PID 1236 wrote to memory of 3600	1236	cmd.exe	160
PID 1236 wrote to memory of 3600	1236	cmd.exe	160
PID 3600 wrote to memory of 2584	3600	dwm.exe	161
PID 3600 wrote to memory of 2584	3600	dwm.exe	161
PID 2584 wrote to memory of 1448	2584	cmd.exe	163
PID 2584 wrote to memory of 1448	2584	cmd.exe	163
PID 2584 wrote to memory of 1064	2584	cmd.exe	164
PID 2584 wrote to memory of 1064	2584	cmd.exe	164
PID 1064 wrote to memory of 5076	1064	dwm.exe	165
PID 1064 wrote to memory of 5076	1064	dwm.exe	165
PID 5076 wrote to memory of 3592	5076	cmd.exe	167
PID 5076 wrote to memory of 3592	5076	cmd.exe	167
PID 5076 wrote to memory of 2460	5076	cmd.exe	168
PID 5076 wrote to memory of 2460	5076	cmd.exe	168
PID 2460 wrote to memory of 1568	2460	dwm.exe	169
PID 2460 wrote to memory of 1568	2460	dwm.exe	169
PID 1568 wrote to memory of 4444	1568	cmd.exe	171
PID 1568 wrote to memory of 4444	1568	cmd.exe	171
PID 1568 wrote to memory of 4012	1568	cmd.exe	172
PID 1568 wrote to memory of 4012	1568	cmd.exe	172
PID 4012 wrote to memory of 1764	4012	dwm.exe	173
PID 4012 wrote to memory of 1764	4012	dwm.exe	173
PID 1764 wrote to memory of 3844	1764	cmd.exe	175
PID 1764 wrote to memory of 3844	1764	cmd.exe	175
PID 1764 wrote to memory of 3636	1764	cmd.exe	176
PID 1764 wrote to memory of 3636	1764	cmd.exe	176
PID 3636 wrote to memory of 1572	3636	dwm.exe	177
PID 3636 wrote to memory of 1572	3636	dwm.exe	177
PID 1572 wrote to memory of 952	1572	cmd.exe	179
PID 1572 wrote to memory of 952	1572	cmd.exe	179
PID 1572 wrote to memory of 5096	1572	cmd.exe	180
PID 1572 wrote to memory of 5096	1572	cmd.exe	180
PID 5096 wrote to memory of 4032	5096	dwm.exe	181
PID 5096 wrote to memory of 4032	5096	dwm.exe	181
PID 4032 wrote to memory of 2748	4032	cmd.exe	183
PID 4032 wrote to memory of 2748	4032	cmd.exe	183
PID 4032 wrote to memory of 4280	4032	cmd.exe	184
PID 4032 wrote to memory of 4280	4032	cmd.exe	184

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\w.exe
"C:\Users\Admin\AppData\Local\Temp\w.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ChainfontreviewWinInto\M2SWq.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ChainfontreviewWinInto\fU9Z2UL8hBe.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\ChainfontreviewWinInto\Webcrt.exe
      "C:\ChainfontreviewWinInto\Webcrt.exe"
      4⤵
      DcRat
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\ChainfontreviewWinInto\Webcrt.exe
        
        "C:\ChainfontreviewWinInto\Webcrt.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8SsdorGsPC.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4560
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1884
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2624
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1448
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3592
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4444
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3844
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:952
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2748
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        24⤵
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4876
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
        26⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2780
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat"
        28⤵
        
        PID:5012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4072
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        30⤵
        
        PID:3440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4180
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        32⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2020
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        34⤵
        
        PID:348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:3684
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        36⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:4116
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        38⤵
        
        PID:3164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:2228
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        40⤵
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:2580
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        42⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:3300
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        44⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:2348
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        46⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:4964
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        48⤵
        
        PID:1204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:4452
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
        50⤵
        
        PID:764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:4984
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        52⤵
        
        PID:3580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:4180
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        54⤵
        
        PID:3956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2020
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        56⤵
        
        PID:796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:3616
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
        58⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        59⤵
        
        PID:2324
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        59⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        60⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:1796
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        62⤵
        
        PID:3528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        63⤵
        
        PID:2900
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        63⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
        64⤵
        
        PID:3516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        65⤵
        
        PID:2704
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        65⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        66⤵
        
        PID:560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        67⤵
        
        PID:2392
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        67⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat"
        68⤵
        
        PID:1124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        69⤵
        
        PID:1684
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        69⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        70⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        71⤵
        
        PID:780
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        71⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"
        72⤵
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        73⤵
        
        PID:4672
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        73⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        74⤵
        
        PID:3520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        75⤵
        
        PID:1144
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        75⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        76⤵
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        77⤵
        
        PID:4900
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        77⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        78⤵
        
        PID:4172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        79⤵
        
        PID:3728
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        79⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        80⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        81⤵
        
        PID:2332
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        81⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        82⤵
        
        PID:652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        83⤵
        
        PID:3564
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        83⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        84⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        85⤵
        
        PID:696
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        85⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        86⤵
        
        PID:4060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        87⤵
        
        PID:536
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        87⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        88⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        89⤵
        
        PID:3300
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        89⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        90⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        91⤵
        
        PID:4808
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        91⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        92⤵
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        93⤵
        
        PID:1148
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        93⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        94⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        95⤵
        
        PID:788
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        95⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        96⤵
        
        PID:5036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        97⤵
        
        PID:4388
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        97⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        98⤵
        
        PID:3312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        99⤵
        
        PID:768
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        99⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        100⤵
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        101⤵
        
        PID:3068
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        101⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        102⤵
        
        PID:400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        103⤵
        
        PID:3992
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        103⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
        104⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        105⤵
        
        PID:4916
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe"
        105⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\ChainfontreviewWinInto\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ChainfontreviewWinInto\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\ChainfontreviewWinInto\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\ChainfontreviewWinInto\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ChainfontreviewWinInto\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\ChainfontreviewWinInto\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\ChainfontreviewWinInto\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ChainfontreviewWinInto\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\ChainfontreviewWinInto\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Users\Default User\SearchHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Sun\Java\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\InputMethod\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\InputMethod\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\ChainfontreviewWinInto\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\ChainfontreviewWinInto\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\ChainfontreviewWinInto\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk-1.8\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\ChainfontreviewWinInto\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ChainfontreviewWinInto\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\ChainfontreviewWinInto\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\twain_32\sppsvc.exe
C:\Windows\twain_32\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\ChainfontreviewWinInto\sihost.exe
C:\ChainfontreviewWinInto\sihost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Program Files\MSBuild\Microsoft\dwm.exe
"C:\Program Files\MSBuild\Microsoft\dwm.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
  2⤵
  PID:3988
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2204
- - C:\Program Files\MSBuild\Microsoft\dwm.exe
    "C:\Program Files\MSBuild\Microsoft\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1592

C:\Windows\Sun\Java\StartMenuExperienceHost.exe
C:\Windows\Sun\Java\StartMenuExperienceHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\ChainfontreviewWinInto\System.exe
C:\ChainfontreviewWinInto\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\InputMethod\csrss.exe
C:\Windows\InputMethod\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Program Files\Java\jdk-1.8\fontdrvhost.exe
"C:\Program Files\Java\jdk-1.8\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
  2⤵
  PID:2900
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4288
- - C:\Program Files\Java\jdk-1.8\fontdrvhost.exe
    "C:\Program Files\Java\jdk-1.8\fontdrvhost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
      4⤵
      PID:2704
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1440
    - - C:\Program Files\Java\jdk-1.8\fontdrvhost.exe
        
        "C:\Program Files\Java\jdk-1.8\fontdrvhost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        6⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4708
        
        C:\Program Files\Java\jdk-1.8\fontdrvhost.exe
        
        "C:\Program Files\Java\jdk-1.8\fontdrvhost.exe"
        7⤵
        Modifies registry class
        
        PID:3088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
        8⤵
        
        PID:3568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5092
        
        C:\Program Files\Java\jdk-1.8\fontdrvhost.exe
        
        "C:\Program Files\Java\jdk-1.8\fontdrvhost.exe"
        9⤵
        Modifies registry class
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"
        10⤵
        
        PID:3184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:728
        
        C:\Program Files\Java\jdk-1.8\fontdrvhost.exe
        
        "C:\Program Files\Java\jdk-1.8\fontdrvhost.exe"
        11⤵
        Modifies registry class
        
        PID:788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        12⤵
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:132
        
        C:\Program Files\Java\jdk-1.8\fontdrvhost.exe
        
        "C:\Program Files\Java\jdk-1.8\fontdrvhost.exe"
        13⤵
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat"
        14⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3712
        
        C:\Program Files\Java\jdk-1.8\fontdrvhost.exe
        
        "C:\Program Files\Java\jdk-1.8\fontdrvhost.exe"
        15⤵
        
        PID:3388

C:\ChainfontreviewWinInto\lsass.exe
C:\ChainfontreviewWinInto\lsass.exe
1⤵
PID:244

C:\Windows\twain_32\sppsvc.exe
C:\Windows\twain_32\sppsvc.exe
1⤵
- Modifies registry class
PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
  2⤵
  PID:1448
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1324
- - C:\Windows\twain_32\sppsvc.exe
    "C:\Windows\twain_32\sppsvc.exe"
    3⤵
    - Modifies registry class
    PID:1536
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
      4⤵
      PID:4972
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2872
    - - C:\Windows\twain_32\sppsvc.exe
        
        "C:\Windows\twain_32\sppsvc.exe"
        5⤵
        Modifies registry class
        
        PID:1948
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        6⤵
        
        PID:3328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4444
        
        C:\Windows\twain_32\sppsvc.exe
        
        "C:\Windows\twain_32\sppsvc.exe"
        7⤵
        Modifies registry class
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        8⤵
        
        PID:3452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3208
        
        C:\Windows\twain_32\sppsvc.exe
        
        "C:\Windows\twain_32\sppsvc.exe"
        9⤵
        Modifies registry class
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        10⤵
        
        PID:5080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4964
        
        C:\Windows\twain_32\sppsvc.exe
        
        "C:\Windows\twain_32\sppsvc.exe"
        11⤵
        
        PID:912

C:\Recovery\WindowsRE\services.exe
C:\Recovery\WindowsRE\services.exe
1⤵
- Modifies registry class
PID:2608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
  2⤵
  PID:2132
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2948
- - C:\Recovery\WindowsRE\services.exe
    "C:\Recovery\WindowsRE\services.exe"
    3⤵
    - Modifies registry class
    PID:3596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
      4⤵
      PID:2816
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4628
    - - C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        5⤵
        
        PID:4568
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        6⤵
        
        PID:4032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:640
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        7⤵
        Modifies registry class
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        8⤵
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4924
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        9⤵
        Modifies registry class
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"
        10⤵
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4488
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        11⤵
        Modifies registry class
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        12⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1796
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        13⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        14⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3836
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        15⤵
        
        PID:3936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        16⤵
        
        PID:3940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4976
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        17⤵
        Modifies registry class
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        18⤵
        
        PID:3888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:772
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        19⤵
        Modifies registry class
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        20⤵
        
        PID:3256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2204
        
        C:\Recovery\WindowsRE\services.exe
        
        "C:\Recovery\WindowsRE\services.exe"
        21⤵
        
        PID:3812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        22⤵
        
        PID:4204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4492

C:\ChainfontreviewWinInto\Idle.exe
C:\ChainfontreviewWinInto\Idle.exe
1⤵
PID:4164

C:\Users\Default User\SearchHost.exe
"C:\Users\Default User\SearchHost.exe"
1⤵
PID:4452

C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
1⤵
PID:2740

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe
"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe"
1⤵
PID:1996

C:\ChainfontreviewWinInto\sihost.exe
C:\ChainfontreviewWinInto\sihost.exe
1⤵
PID:3312

C:\Program Files\Windows Mail\dllhost.exe
"C:\Program Files\Windows Mail\dllhost.exe"
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainfontreviewWinInto\M2SWq.vbe

Filesize
210B

MD5
085863fcab825a7ad478a40bb5a74462

SHA1
a1798bde6a635164bb01fa05fcdda67504c2e2d1

SHA256
1ad504fd6628290a941ebfe6169cbce6cc7d915cd4be59361b31270ab1afd15f

SHA512
3c7405532de6bc2d7dad7fdea29cc77ab942a9b8426fa2ba5b27da9e41955347a3ae4b4018bb4551bb54fd46f182a3094b753b7cca6662450d74991478695417

Download Submit
C:\ChainfontreviewWinInto\Webcrt.exe

Filesize
828KB

MD5
972e61314b1a5bd46edbedad02fdc91a

SHA1
99bc4128b4f97bdefbab7b4d3384c5e6b0861f40

SHA256
44b2a65a8458633aefbc21d070d6d6ae2a067d46c52c07b4ccb0344354587e82

SHA512
e3d9851a9b372f5acc31f65aefaddbc03b2bb0190ae7426168dc86f5d1ccb7e553bd9935daac83482752a3d0391119f29a0a3333229c345ff0bcc4dd730e14d1

Download Submit
C:\ChainfontreviewWinInto\fU9Z2UL8hBe.bat

Filesize
38B

MD5
2659100841e703e55203a6f3307e861f

SHA1
e4e9d07cfb41e3c90ec89ce779acd03ba7062ce1

SHA256
7abcb7628a2b0703de43a1fef239c8fe00ad50c9ca03092965cb1558ac8a7b64

SHA512
1f41edad5cbff895912acfbbea00558b6e6bb19ffac98b7cda35c691ad5e837286bf5b4f5eca8e13bc1d4b611a53aae3a5f831ba7257147060345c0e0d2f4b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Webcrt.exe.log

Filesize
1KB

MD5
400b532c938aca538f01c5616cf318cd

SHA1
598a59a9434e51a6416f91a4c83bd02505ecb846

SHA256
28e57db6d7535775b5e65c90ab208c7fe392e373056db5d35e76854270ecd05d

SHA512
b15583323c457d389b873eb31b8e59fef450c0c0e684b0f797231e8d0abace9227b15d4e45b45f4c79ad044a28cc3d79f9f7c2a81bd38e43b0c09f07aaa95b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat

Filesize
240B

MD5
aaad573b1234925b5bab7e0345c5632a

SHA1
10e76588879d3aca81b2043a47a431e0b51a72d5

SHA256
88defd2b1a8fea18a508d00ef113d068c667f242f5717b264d1c4ad19a4ccede

SHA512
ac0f208fb6ffb746ad3a653136c206c690ace9a8f1fb379f71b17e5fb67c99865b8e924c0349fab00f149a0c6af9503f073dd19be707c04a9b892e7186a76d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
240B

MD5
e432e7679a8376e18ad93165c19f3618

SHA1
027c00a33fd91d4a71f75dea30c62814246bd3d1

SHA256
5bb409c4093f7427f1571232cb042eefb23dcf267e96c9dffa1890efb607fb71

SHA512
b20b65046ae02af5890b785de9dd66d504c0614c82f176f1b0cc27a048e4280ffcd6681dd1794081bffa24aab318114684854e14935e2239630762d3428e1429

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
240B

MD5
8b2a223d987676789cc7ec6e43efee86

SHA1
cd921ace19cef581d9c7000ae87656788dd685cd

SHA256
29691156a34ed60dea2c9220af91b03d55ab0b59dcc4eec4fa8475206646645c

SHA512
6e6fd0b7682dc2a9be86dfccd80e8c8b6e2b441cef5160dd2ddd8ff3fd90a87f8a14c6c14b2015bf8ee2abeb36239d00c0752e073ea534feb18a64dc48975c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

Filesize
240B

MD5
3e6d0397f21e8b8cb9a8cb043efd0e63

SHA1
3f3f3ff2c9398b3e76a4bdde9084ee7554ceada8

SHA256
8f65ff13af9dad9a4bb3fb86beb4231f209bd264242bd49736a6471695e93094

SHA512
61ed610536baac0df77c34fb17b17618b8873cccf74f9c23177f33b3d0b90a844fcd7b6f24f6dedbb168ae17bccc578c8d46392d5ffde11e175f09167e2a0137

Download Submit
C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat

Filesize
240B

MD5
8d24074032e98f071644ebcdc36a2020

SHA1
0d0f24a745bac13559afae4a0046fc19d7c0e10d

SHA256
2ea3dad89bed6560405f3b073b722c635a10e8069f049ece10efc94136056297

SHA512
249c2c558b9d5f3c6fb351c069f45e6922f59d28bb3b0340176f39124df6c878688a26e4729d4d1cd9acf97c3a5b4b8b75cedef412629132b0afd5caadd23468

Download Submit
C:\Users\Admin\AppData\Local\Temp\8SsdorGsPC.bat

Filesize
240B

MD5
6a2e73c7232a698274bdea6f302733e3

SHA1
1aa9e2def2c61f7335dee7619278853b8dfd3039

SHA256
5bbd52a28551f204f80dfbc18f368c64702a9aa965c202e2fda954adce0cb505

SHA512
4c6aeab1a38b91c80b769081c4b9d36895ecb08f6adb2600407998da4cb1ee76162f23d6971dc574ac5e20ea9c4935a1cbf43ace5d0b8614d533942a756c7c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
240B

MD5
920e9a7783fbbdc497c32dc0512a156e

SHA1
f502219124b3b0bcc8b17ceba93c17fef05d0c6a

SHA256
f8bc98d78763b5b038e26a4d1937eeeaa511e2872b101370d48bd2a7cb0b964e

SHA512
9974eabf7d7125e9ea3a804aca2b9f4edf4247fab56ffa1ff4ae694b0536c1bb3b484489faeaa0c2a055cf579ffff1f8fe365b90cd718e358f305d2754729b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
240B

MD5
3ae768bfcc668e550cd32f14fd6aaa14

SHA1
b352d101bce185c05c0ba96a1c964b39deafdde0

SHA256
bda550dd4df912874a27e5d282f93a8a19559bbd0b54584cde991a75d7c184ee

SHA512
db0d5b17fcfda98ded138eb010415d14bcce3df8d05ef938440a58288dc44159e198ab1280e5a5bdeb3d9e5d209b25711a54bf853151679518c76183c36cbde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
240B

MD5
20280dd5a9f63e088902e34226035482

SHA1
e133b1ad9aad3c93a57dd538319b24155f0cf41f

SHA256
6c6637dc3cc93fde39d194e37b4b420365479af848aea67039b1966e2f88697a

SHA512
51e6e809f5e272d91c5afcb0ee534f24f8c0374dc3632dfc20b5595ff560a945eb6235b52211cfa0e69d3d56c3f5c300295f315db68858b550b7708e8fc78324

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

Filesize
240B

MD5
9bc60963284ffab9ee078e571950e025

SHA1
06bf9a84fc5021c6d6025e3acf183e2e0d9bd761

SHA256
ddeca48354f3e13bc5d2d59f8492893ac6d01d3de09b0668d532c23c10787c7d

SHA512
3f7bf162a1260d77442a281a20403b576c3483bceffc812966c989095bba84ca237b9b09adc569263b38f6721ed128fe2958397c5ee7f896adb8b89b946dad8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
240B

MD5
383a5402d0d35a08b8c3833af3d13320

SHA1
79b84958c8ba0076a8451ac514f681f2f24e0812

SHA256
19b131628a9b279d3d3faf1e1406aadaa0f89575837625d78942ef013bda4912

SHA512
3368b0c8c3f65e0f50bf87a2c7b21bd0ece401839b83dd172857a0eb92682e91055f9db2f70b4d77b26cb3e507f55787060fc85cf87d4e22a03096d083e687e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
240B

MD5
bd0359fa4419aadd2d7739215e414078

SHA1
b42bb904ff501bc91f5c0d58fec75299e6253b3a

SHA256
27a05a1e2517343cda21bf1da63a60c7ee240263a2e8f2f54f97d0e114674d03

SHA512
23815b9d90c7bd7aa81957341cb93a2f7a7fe0db89781e90b24574ff9afd0ba857251b9342ee04adbda81177cdf283722069af753553525656d5ac6eb7d3e249

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
240B

MD5
745ffb2087e047b17e89939c62519424

SHA1
b6e83e691598a90bf081870d3fb56ccf786ecd76

SHA256
4400d55839a84d877ec49e805123909fed347aa40f318c9018ea30804cfc116e

SHA512
275f52073aa08713b04037f278ba7a43bc5802e1615f9f1e9fb49691cfc90ec5de19d59bf5840eab054423fc1110285f3d0de0b0fdd336f7a18d43a42a201bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
240B

MD5
78ec1b487de7a7229fefbf7c10c10724

SHA1
2ddf92c880cd29f02309f16c3644682b4cd40d84

SHA256
27ca36db736faa93f7be81b1120c615ecce7fef470e941856532127ae6ebb903

SHA512
a35e19c84a7f89c159ab86acdd0e8cf498c611ff2e60166f2072c53ed3e7f62de5253d0918227b3810905ce484b20eeec0ec831247584a8dcc82b154e60c24ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
240B

MD5
570193cb080857430b471a4b439b892a

SHA1
f73977f62598327b8d0c87fe25afd90609cd058c

SHA256
172412633bb3cbd40f4616bf49c2a33d5ceda70fa7f96b2fceba3728e30ec1ea

SHA512
48352f86b7e8270f1a47464af416660239466942cee278b996ac8c0a1cca9b9365ba94c6d454d1f72fc808d7d8ca7b9758b71e8d0228fd59d6a9927f14519568

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
240B

MD5
9893d1a8295d874a13621b403d76f986

SHA1
621d6e70d4c38a182a96e3f0179e821bfdd4d4d9

SHA256
9277ef52318b8eda0e6eae0eb0e77dcdba2517ae6e90d4f56a743d35da8784fc

SHA512
bf3248875f290801b3ef65a1768aeae50140b47f07c9fc5a73a513e9239b6a21a5491c82a12b04f2f18f1fa7478eabf3bd855cc6f9bf421bbaf0387bb7917c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
240B

MD5
e1d3f74e85fe78aaf46175b655865fcf

SHA1
f053bae71d1f549be20fb80d6573565b52d42a0e

SHA256
31d9dd4c36f992020882ce8ec94bd5602ce89813da04aea9fe4414efba594e1b

SHA512
80b1c7f0605c63355b2af82b64b1a16823dcea40c6f3f09f844fcc547fd843935b15f32fbce652d6585fc9147175930405c431e65abe0e0fab6fe01e6ce92ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
240B

MD5
140d063b2ecde883859f1b0e4b948258

SHA1
e4c1fd808561f8267cf232122d067ec15f844aa2

SHA256
e3178fc9c4a08fd89e87bde5d4e86842ccc1e5a3ba53de3f71755b8d860f28de

SHA512
8adec57ab1e24d4918f111f06864834cd7c1b9651136994fffb61ce2be0ed357c56ad5bebf20a1bc55784465b84a880f705cad93d0e2564fbf8376818284a844

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
240B

MD5
e811b0dff095da2335bd0b8a9631f522

SHA1
7c48614cde0fa6239cdccad92565c432203cb3bd

SHA256
6bf07107f4f109ef98732c55288c1ecef604dc87fa407a395389ea2d5f369b61

SHA512
d1661247b5b1fc3fd9f709e7312ab1e4a0ab3f4679389855999f6fb4c5645f50bae53cf7a0b8820c57f596d3af2b2e3ed5907938f0641462d1351bf7b3507787

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
240B

MD5
814c494c7f6de28bdc8d065f2e04b0f9

SHA1
f458d29bef863a280d9add4d026b5770febbdb2d

SHA256
cd2a3e9a53dffaaaa5ea696b928fc565fb99472f7c5f533a0031ec1c6d1bf9d8

SHA512
11f501eb7a27cb0173e22e4524d729aa6135f94ba2f8a3f94c5a91bac6b6e4af606b1008c8729e40b2ccd3ae3a00e8b0737a5a9b48f4e00cda08a164d8913614

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
240B

MD5
463f577b4fb9f9cccc53c440953c5a25

SHA1
84024c59b5d7b58b3ce41f5b482cdf111e0baa2a

SHA256
91d43ac3475bc22f8542feeda42e9a71f68714dfbc37530aee3c7071de9add79

SHA512
c0820679d35922d73e8d0feef7098ffb1c68b3534288cd3d4865d2ec9077e2ff3afaafa147703a837a940be06f7c6d3b5a6e8c53f167d308bf539857cd6e2562

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
240B

MD5
062a1d81479c63551d8cd37ecd3cfdd6

SHA1
22206652659ec5d4cbc6ecc4872c7278a041a55e

SHA256
52c4d9dc54e9f4c00577ee4947ed711e1cb9d9336a0962d56fab6da11e829860

SHA512
1a7d3ab73002b47f37911f654ca0a5f5267fecfbdc678ee105b97d35922267a2fde555d714d8bfe99ca44e2b1103d09e2dc4018addd8e636890618b65188c027

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
240B

MD5
06deb1ff735dfa2b6812cf0024fd4eaf

SHA1
f5bbff3f57a6983ba357e0681b6879e56d5e1fa3

SHA256
c91f83683146093eb997c09456b465ea0842e640584b5d4a506c0c4061fc4faf

SHA512
1bc14840b850b007d36f662a5971d6bc108307864a7429c917229511fa73f33388ac1501f500f766c6aacf3a80c552dfdb86825595b23483e1bf99631d0d2955

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
240B

MD5
73aa42217cae70abcd1e0355e2833090

SHA1
9c4bc36d1e34da918883078e0209afcaffac4ada

SHA256
9874857781ba4a47235d8b1024597c7dd289578adc71f84a00de053291e42886

SHA512
c75b4aeba107a7dc577a10e6269966fa8735631edc064b2194afd62158117fab44e0368b35e9f8a2d9a08e082b8a180f78669fa6a982ea02b5fda0c40157f8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat

Filesize
240B

MD5
3749fb7c608a4e1a7301240298a26b16

SHA1
2b0181c2606bcf599abd8be9faf2b3a7ffa83f31

SHA256
3afc9948f1021f6e0a93b6d171c40673e5a801280fa2b1c569955f4ae3b43901

SHA512
fcaa73bfbac495d7d2ab65a049e025af37d971368f6641a2a4d8b75c52effd55fb24434707a789099b7d942b1073995a790eddff45c37323b25d9b8e17558a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

Filesize
240B

MD5
c2b3a29b4841dd20d7604d9b73a09a5c

SHA1
c6d31c7d4f8d63ee994af86e24c3d16f8b331b4f

SHA256
1e20f0c043b344ef7a87ef1f6dfc5bbab7461f477f67b189e4e215733719740c

SHA512
4e51b42d1804c88a8d3df8802da87a9243861d680ad32a7b688f35e06000ac09ded52dfb3c5e4baf124ce3e4c0f624d188303be131bbd5f899a7add253b96358

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
240B

MD5
53d84ce8bed5ae692b2753312ab4dd7d

SHA1
875fc79396c74f45317c76231855abb21f86422c

SHA256
003534cb0183948abd6ebd545c3a6b197f38e957a3f6c69d59228af8f34c5593

SHA512
1f4c383fa76198df9631ad206e7960f7817725d3152c78cae2d027c2b9247f92b29678364255c7e808d74b75b137560d1d838297aea1b6098c835fd9575f0b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
240B

MD5
944bf85c3af5ad5dd8d5a6b901d5ff5b

SHA1
1690938549329fb27ef3c53744a93643dd932d00

SHA256
c037c8b19d346777fb6e64fe2d231d0cb031331090bcc6001510956e75797849

SHA512
964a66e3f2ded21e4bd9931dd69762fb912c1e116b351271ef6a2a11ad29360b5f64e07e11ad98eac5b89ee597283d323a30bc8d0386357848aeaed72b74ecec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
240B

MD5
5bc048cf543ffc748a84d113057c3370

SHA1
7ce21cee141ffbaae81ecd8a5dd9e5a3d6c635f6

SHA256
d1dd63da258ac03f08d5645f06600f910c57bab979338c9d7b9127f8b7f1d3c5

SHA512
967102ccc557d474fa46a79218b31cdb4b4a229a0ef88f6cc7e0b0e4f417cf64a41d9d00b1412fb3a149f1967edf1a7be52ec916e7e4c6492bf9799db019b34b

Download Submit
memory/3636-111-0x000000001D450000-0x000000001D603000-memory.dmp

Filesize
1.7MB

Download
memory/4280-125-0x000000001DA90000-0x000000001DC43000-memory.dmp

Filesize
1.7MB

Download
memory/5096-118-0x000000001D500000-0x000000001D6B3000-memory.dmp

Filesize
1.7MB

Download
memory/5100-13-0x00000000001B0000-0x0000000000286000-memory.dmp

Filesize
856KB

Download
memory/5100-12-0x00007FFB5DE53000-0x00007FFB5DE55000-memory.dmp

Filesize
8KB

Download