dcrat | f8eb9b286a0d33e287568961f883aa9d1be6e9ec8cf5eee3a3a1a6b106d02f74

Analysis

max time kernel
146s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f7b13b1d4a5686a42d38aaefabcaef.exe
Size

1.6MB
MD5

b9f7b13b1d4a5686a42d38aaefabcaef
SHA1

baef9eecc475391823826ba526c718bb37000265
SHA256

bbb979cf25c1acc089ab5d96f2a2a4f7d0276ad7d28f111f8f7d3b23226d07c9
SHA512

3905dc8820531d1c395c497ead44b034622b6277272cb64b0ed8c3906f4bd4dda396676db6cd8a520ad9c3a6420c67887ca2e5bbfc5388ea5e2b5caf8a9a7834
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2636	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2636	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral21/memory/2084-1-0x00000000008B0000-0x0000000000A52000-memory.dmp	dcrat
behavioral21/files/0x000b000000012259-27.dat	dcrat
behavioral21/files/0x0004000000004ed7-46.dat	dcrat
behavioral21/memory/2152-154-0x0000000000280000-0x0000000000422000-memory.dmp	dcrat
behavioral21/memory/1188-165-0x0000000000FF0000-0x0000000001192000-memory.dmp	dcrat
behavioral21/memory/2032-177-0x00000000012D0000-0x0000000001472000-memory.dmp	dcrat
behavioral21/memory/1212-211-0x0000000000150000-0x00000000002F2000-memory.dmp	dcrat
behavioral21/memory/1188-223-0x0000000000C40000-0x0000000000DE2000-memory.dmp	dcrat
behavioral21/memory/2192-246-0x0000000000D10000-0x0000000000EB2000-memory.dmp	dcrat
behavioral21/memory/900-258-0x0000000000210000-0x00000000003B2000-memory.dmp	dcrat
behavioral21/memory/2744-270-0x0000000000E00000-0x0000000000FA2000-memory.dmp	dcrat
behavioral21/memory/1504-293-0x00000000010C0000-0x0000000001262000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2588	powershell.exe
2152	powershell.exe
2296	powershell.exe
2924	powershell.exe
2692	powershell.exe
1768	powershell.exe
2164	powershell.exe
3024	powershell.exe
2700	powershell.exe
2668	powershell.exe
2088	powershell.exe
1524	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe
2152	csrss.exe
1188	csrss.exe
2032	csrss.exe
2876	csrss.exe
1416	csrss.exe
1212	csrss.exe
1188	csrss.exe
664	csrss.exe
2192	csrss.exe
900	csrss.exe
2744	csrss.exe
2408	csrss.exe
1504	csrss.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\ja-JP\lsass.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\csrss.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files\Windows Journal\ja-JP\6203df4a6bafc7	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\lsass.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Program Files (x86)\Uninstall Information\24dbde2999530e	b9f7b13b1d4a5686a42d38aaefabcaef.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\27d1bcfc3c54e0	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\Offline Web Pages\System.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\Help\Windows\taskhost.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\Help\Windows\b75386f1303e64	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\Help\Windows\RCXEFA0.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\Help\Windows\RCXF00F.tmp	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\DigitalLocker\en-US\dllhost.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\Offline Web Pages\System.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\dllhost.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File opened for modification	C:\Windows\Help\Windows\taskhost.exe	b9f7b13b1d4a5686a42d38aaefabcaef.exe
File created	C:\Windows\DigitalLocker\en-US\5940a34987c991	b9f7b13b1d4a5686a42d38aaefabcaef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1784	schtasks.exe
2508	schtasks.exe
1952	schtasks.exe
2604	schtasks.exe
2548	schtasks.exe
3040	schtasks.exe
444	schtasks.exe
1704	schtasks.exe
2312	schtasks.exe
2688	schtasks.exe
2412	schtasks.exe
2368	schtasks.exe
2768	schtasks.exe
2528	schtasks.exe
1820	schtasks.exe
2620	schtasks.exe
2268	schtasks.exe
396	schtasks.exe
2504	schtasks.exe
2276	schtasks.exe
696	schtasks.exe
2016	schtasks.exe
1884	schtasks.exe
1996	schtasks.exe
752	schtasks.exe
1208	schtasks.exe
1632	schtasks.exe
1700	schtasks.exe
2996	schtasks.exe
1464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe
2152	powershell.exe
2296	powershell.exe
2588	powershell.exe
2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe
1768	powershell.exe
2924	powershell.exe
2164	powershell.exe
3024	powershell.exe
2692	powershell.exe
2088	powershell.exe
1524	powershell.exe
2700	powershell.exe
2668	powershell.exe
2152	csrss.exe
1188	csrss.exe
2032	csrss.exe
2876	csrss.exe
1416	csrss.exe
1212	csrss.exe
1188	csrss.exe
664	csrss.exe
2192	csrss.exe
900	csrss.exe
2744	csrss.exe
2408	csrss.exe
1504	csrss.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2152	csrss.exe
Token: SeDebugPrivilege	1188	csrss.exe
Token: SeDebugPrivilege	2032	csrss.exe
Token: SeDebugPrivilege	2876	csrss.exe
Token: SeDebugPrivilege	1416	csrss.exe
Token: SeDebugPrivilege	1212	csrss.exe
Token: SeDebugPrivilege	1188	csrss.exe
Token: SeDebugPrivilege	664	csrss.exe
Token: SeDebugPrivilege	2192	csrss.exe
Token: SeDebugPrivilege	900	csrss.exe
Token: SeDebugPrivilege	2744	csrss.exe
Token: SeDebugPrivilege	2408	csrss.exe
Token: SeDebugPrivilege	1504	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2588	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	38
PID 2084 wrote to memory of 2588	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	38
PID 2084 wrote to memory of 2588	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	38
PID 2084 wrote to memory of 2152	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	39
PID 2084 wrote to memory of 2152	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	39
PID 2084 wrote to memory of 2152	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	39
PID 2084 wrote to memory of 2296	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	40
PID 2084 wrote to memory of 2296	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	40
PID 2084 wrote to memory of 2296	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	40
PID 2084 wrote to memory of 2064	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	44
PID 2084 wrote to memory of 2064	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	44
PID 2084 wrote to memory of 2064	2084	b9f7b13b1d4a5686a42d38aaefabcaef.exe	44
PID 2064 wrote to memory of 3024	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	69
PID 2064 wrote to memory of 3024	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	69
PID 2064 wrote to memory of 3024	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	69
PID 2064 wrote to memory of 1524	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	70
PID 2064 wrote to memory of 1524	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	70
PID 2064 wrote to memory of 1524	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	70
PID 2064 wrote to memory of 2164	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	71
PID 2064 wrote to memory of 2164	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	71
PID 2064 wrote to memory of 2164	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	71
PID 2064 wrote to memory of 1768	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	73
PID 2064 wrote to memory of 1768	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	73
PID 2064 wrote to memory of 1768	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	73
PID 2064 wrote to memory of 2692	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	74
PID 2064 wrote to memory of 2692	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	74
PID 2064 wrote to memory of 2692	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	74
PID 2064 wrote to memory of 2924	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	75
PID 2064 wrote to memory of 2924	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	75
PID 2064 wrote to memory of 2924	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	75
PID 2064 wrote to memory of 2700	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	77
PID 2064 wrote to memory of 2700	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	77
PID 2064 wrote to memory of 2700	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	77
PID 2064 wrote to memory of 2088	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	79
PID 2064 wrote to memory of 2088	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	79
PID 2064 wrote to memory of 2088	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	79
PID 2064 wrote to memory of 2668	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	80
PID 2064 wrote to memory of 2668	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	80
PID 2064 wrote to memory of 2668	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	80
PID 2064 wrote to memory of 2152	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	87
PID 2064 wrote to memory of 2152	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	87
PID 2064 wrote to memory of 2152	2064	b9f7b13b1d4a5686a42d38aaefabcaef.exe	87
PID 2152 wrote to memory of 3048	2152	csrss.exe	88
PID 2152 wrote to memory of 3048	2152	csrss.exe	88
PID 2152 wrote to memory of 3048	2152	csrss.exe	88
PID 2152 wrote to memory of 1996	2152	csrss.exe	89
PID 2152 wrote to memory of 1996	2152	csrss.exe	89
PID 2152 wrote to memory of 1996	2152	csrss.exe	89
PID 3048 wrote to memory of 1188	3048	WScript.exe	90
PID 3048 wrote to memory of 1188	3048	WScript.exe	90
PID 3048 wrote to memory of 1188	3048	WScript.exe	90
PID 1188 wrote to memory of 2480	1188	csrss.exe	91
PID 1188 wrote to memory of 2480	1188	csrss.exe	91
PID 1188 wrote to memory of 2480	1188	csrss.exe	91
PID 1188 wrote to memory of 1428	1188	csrss.exe	92
PID 1188 wrote to memory of 1428	1188	csrss.exe	92
PID 1188 wrote to memory of 1428	1188	csrss.exe	92
PID 2480 wrote to memory of 2032	2480	WScript.exe	93
PID 2480 wrote to memory of 2032	2480	WScript.exe	93
PID 2480 wrote to memory of 2032	2480	WScript.exe	93
PID 2032 wrote to memory of 2356	2032	csrss.exe	94
PID 2032 wrote to memory of 2356	2032	csrss.exe	94
PID 2032 wrote to memory of 2356	2032	csrss.exe	94
PID 2032 wrote to memory of 348	2032	csrss.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe
"C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe
  "C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b9f7b13b1d4a5686a42d38aaefabcaef.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\b9f7b13b1d4a5686a42d38aaefabcaef.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Program Files (x86)\Windows Media Player\csrss.exe
    "C:\Program Files (x86)\Windows Media Player\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2df06ba6-7116-44bc-a2e6-173ff1f3c30c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2760c7a0-44a8-42d1-b3b7-3b5587ad073f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a46c90b-658d-4ef3-8389-2475aab00cde.vbs"
        8⤵
        
        PID:2356
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d8d7798-aaa4-485a-b7e8-ff79a73b82d8.vbs"
        10⤵
        
        PID:1536
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48bf9937-6385-4d54-94fd-fa9502cb2c8a.vbs"
        12⤵
        
        PID:2064
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\400d3722-0505-4d23-a31c-db9290dfcaa2.vbs"
        14⤵
        
        PID:2016
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b49f40f-036e-4ac9-b9f2-b2e3e96bc238.vbs"
        16⤵
        
        PID:3036
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb4da8a8-027d-40cf-bc6d-878829e346f3.vbs"
        18⤵
        
        PID:2168
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44859855-27ea-4134-9b2b-b9bfc97ad175.vbs"
        20⤵
        
        PID:2472
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2792059f-e256-4be9-ba5f-0af5231ffffa.vbs"
        22⤵
        
        PID:796
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76efb2b8-6756-4fc2-80b9-6f796ddca904.vbs"
        24⤵
        
        PID:2108
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a870af31-79ec-4baf-800c-59297eaa3c61.vbs"
        26⤵
        
        PID:1216
        
        C:\Program Files (x86)\Windows Media Player\csrss.exe
        
        "C:\Program Files (x86)\Windows Media Player\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9640b068-f88a-420c-8aef-960d8bdd2e8f.vbs"
        28⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f86ec0-fc60-4210-9a7e-ecbfd359d81a.vbs"
        28⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\539e8336-ad3c-43a3-a61f-18923b9a380b.vbs"
        26⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f814668e-293a-46af-9e81-dfffca17f59d.vbs"
        24⤵
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\128cfd0a-1067-4f5f-a569-8f938def7261.vbs"
        22⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d96922d-eea1-42f8-96c7-0e8313483234.vbs"
        20⤵
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20cf6da9-2087-4f7c-b687-923489868536.vbs"
        18⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0145da58-a0f9-4afc-9aa9-5cf855a8db57.vbs"
        16⤵
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74df774a-5e92-42bf-923c-8b839c0ad3b8.vbs"
        14⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b2d693-1671-4f41-a682-3408962b5d39.vbs"
        12⤵
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5858f033-49b6-4fc3-b930-48313cc63f68.vbs"
        10⤵
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2e4bf5e-2d84-440d-b04a-0d84f6fc32ab.vbs"
        8⤵
        
        PID:348
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9552f96e-2047-43ef-ada0-c9e8dcd9f4d4.vbs"
        6⤵
        
        PID:1428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba03c7cd-c3ca-442f-9bd9-a4bd0fa1a886.vbs"
      4⤵
      PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Help\Windows\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b9f7b13b1d4a5686a42d38aaefabcaefb" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\b9f7b13b1d4a5686a42d38aaefabcaef.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b9f7b13b1d4a5686a42d38aaefabcaef" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\b9f7b13b1d4a5686a42d38aaefabcaef.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b9f7b13b1d4a5686a42d38aaefabcaefb" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\b9f7b13b1d4a5686a42d38aaefabcaef.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\My Documents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
1.6MB

MD5
b9f7b13b1d4a5686a42d38aaefabcaef

SHA1
baef9eecc475391823826ba526c718bb37000265

SHA256
bbb979cf25c1acc089ab5d96f2a2a4f7d0276ad7d28f111f8f7d3b23226d07c9

SHA512
3905dc8820531d1c395c497ead44b034622b6277272cb64b0ed8c3906f4bd4dda396676db6cd8a520ad9c3a6420c67887ca2e5bbfc5388ea5e2b5caf8a9a7834

Download Submit
C:\Users\Admin\AppData\Local\Temp\2760c7a0-44a8-42d1-b3b7-3b5587ad073f.vbs

Filesize
729B

MD5
f4b704b2da22e34c427c36854f04e68f

SHA1
6bcd1d165574369425c44010c891d1f7234822da

SHA256
04750068de227a8589d30abb7217bd179db7f623123b3908f2d784ddb03014f2

SHA512
49f8a5d2cc25aded865314a2a59a1a071eed9d1e2c77675b369aaf4d137fbb15eee511fdbe41326934e8e920f94f50522c5723b80bb141c4cf0a9bebf5253f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\2792059f-e256-4be9-ba5f-0af5231ffffa.vbs

Filesize
728B

MD5
d0d5aa06e273f2234b9ece8a4460f7a7

SHA1
bc31f238ab0eada1a6c63f892de4a23c41c852d7

SHA256
b8d779b07ad947b7aaee250bf7323031d5528e67502a79cb4a93d133b3bbf949

SHA512
a14edfb43cac749d0a9e653fbb84601125cda7a0ff658b45a4c1398141fe82da86006241c2394dc377c317505ee81751771654d2dfc9bc95ce7dc385660b96c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2df06ba6-7116-44bc-a2e6-173ff1f3c30c.vbs

Filesize
729B

MD5
a04efbaf215dc7381e7d9b3956ea521e

SHA1
22359fd632be94513dfe4d1db486962f8bcfd8e6

SHA256
fafd81efb88c3fefcfb30ad776dc07508bf0b48477bbd34d7a5f3e642ebf2609

SHA512
b1191d26a2e745ec5e9b3d360634ab2c4b5692026c8316f372a48ef83e1415f56b5df32a63ec1c46ddd8c5b78a2f524dc3562a70a8dd5ef5cf1d758881be0d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\400d3722-0505-4d23-a31c-db9290dfcaa2.vbs

Filesize
729B

MD5
cae67794b678e9686bc2c51356373b26

SHA1
5f3252d649ed588a7a321e49c90ff3c72d4e4e70

SHA256
f8b0f3284e5b2ecff430bc2d08594f53024e6bd5425b8a9a1a45c39938a26a94

SHA512
45ca4eb8913e9b86988c93dc11ed90f150f5a135188381719b49dc4b088418028f543f00a03499a99d182e807ebd1adb61f2afcbe1d883a26d7ca4a03668d535

Download Submit
C:\Users\Admin\AppData\Local\Temp\44859855-27ea-4134-9b2b-b9bfc97ad175.vbs

Filesize
729B

MD5
5068a4cbf384701aa90ee26b0b7823e2

SHA1
53421571075ca7e19707b193e16c46d16f700b48

SHA256
9340a54e5b82224815b32ed75aa6b2e475e6840d4a09312e92bdcb07cf707e48

SHA512
6d558815a7c203fbbc5c0dc10fefb91f121dd622c2af8216c97190da4a3ebad7eb4400c7034a0e3a3446100ec185154ff162681c5f269223d2259213c09dc889

Download Submit
C:\Users\Admin\AppData\Local\Temp\48bf9937-6385-4d54-94fd-fa9502cb2c8a.vbs

Filesize
729B

MD5
4a27a28edeb891cac9085398d912da02

SHA1
4b3350b5fa7707a4369dc700d908c48db10fd578

SHA256
f3f4cbd404d09dc459b12eb03166218d70fa5881ea78aa351a8042aeceda1a40

SHA512
9710767d7eca0ec095552efc0a9b59d4fd75a6a3062915335cff15de1ae4cbdecbc0f88656825b9b698eb06d113946c31cde9bb1a9a72ea50357774497e2098c

Download Submit
C:\Users\Admin\AppData\Local\Temp\76efb2b8-6756-4fc2-80b9-6f796ddca904.vbs

Filesize
729B

MD5
5ad403e0c99c843ff8aef2170b98ec55

SHA1
77c62f7a49ae44f3ed6ad336e01ecb5284006302

SHA256
f49c81fa1ea5a4bec396c4e4fa3014728b9117078a9e6452ba0d50bf15d50e91

SHA512
f723ea785418a7c72f2c3fe7783ea643175377b8542f53e778695dba0ac32cfc6904cae95fb99d3551c40c4aef963995ab934b24857f9490dd45e0add9a3bd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d8d7798-aaa4-485a-b7e8-ff79a73b82d8.vbs

Filesize
729B

MD5
a13c5dc7dd32d644d5e5c9904d59b055

SHA1
98bcce39180a1b118a8ff07dc10ef8c554e346d8

SHA256
132ce0a28d350e72597ff7a3a1965b45fe61f97c58f76fbe88ea517b47a52985

SHA512
bd77ba7df212a208c7dbec5d0f0d839fde81ddad03548a86630b2c613ac7a3b5f9cf1b1a1a36bba8290479d3950e5d00ed7b5b0b9c6401cf9fc382bed17c91e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9640b068-f88a-420c-8aef-960d8bdd2e8f.vbs

Filesize
729B

MD5
dd4d8b2e27de11d35f5cc895bc827611

SHA1
e37f542ef2bb82727c83b9ccd1681cfdd54070f6

SHA256
c118e5d95efd6a0b1b0ce8a1e7538a8ab26bfb480ac34c933df4c3c6b3fa189c

SHA512
7e1e08982f99891825b767e54bce16ef0cdec8ad7081061c6ce49c0e68371c9fc86f8d9aeb97544c518d46c37cf830a18f1caa7be766900266796a02b3c6bbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a46c90b-658d-4ef3-8389-2475aab00cde.vbs

Filesize
729B

MD5
9a1526be9598f18c28e9f6fbd8c8652b

SHA1
cd12629fc7806bd565e4a10ea9f82f2765674fe4

SHA256
f26f46aad8f7e9907d10e0df46b84de5a1216e22d02c25123cc3edfbf75a56eb

SHA512
2417345a1ad2571ae0fee98434b2951679f59f50cf1a46643e81ed93e9b3ed83c88499fb081ca0e93b06d5b0e2e07ad5f2b322067b167f0bda1fc4ae6a27f7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a870af31-79ec-4baf-800c-59297eaa3c61.vbs

Filesize
729B

MD5
2161e9396fe917fef8cdcc7245d54d6b

SHA1
d9590e4e3adab4d740ebf71dfabf8a0a8349ebd2

SHA256
195516c62b58133af57f5c0b6ddbbf4a5db6d712c38b816ba6ed8e89d77f6841

SHA512
45643fbca5ab3e54c524cb5a839193b0491d6dac1763af50134546192d5b44232680d9a4ce30a258dc8c1b4d4263ad3cafdfb29f19074e25f6f29ba85ccfb52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba03c7cd-c3ca-442f-9bd9-a4bd0fa1a886.vbs

Filesize
505B

MD5
0c6330f2cc25f47260aadfc47eaedeb9

SHA1
97135152ad8b59daa00908b7797bc81cc9989773

SHA256
a7a0a4ea76e458cd94f2de21cc5f506b2e0ad28db591cee6a44a57ff7d6df9a4

SHA512
4c90656229618b86d51f23074a2c5e339860731dae9038eca267f07cc5cb26c83119e68fd2be98f090c8a7d4d97eb34a3db7285ad5d2f1fa21f3f2db77bc5afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb4da8a8-027d-40cf-bc6d-878829e346f3.vbs

Filesize
728B

MD5
f124963d18f3f623d70310227ca897fd

SHA1
365d052cd2dce3b26b48a46dbdd229129883a146

SHA256
183c660b2a4d854f2ef253649e68a15ba73eea1487a7833561577437d5887e52

SHA512
64d263975896eb663663870753702a5472d0a43c4a521c64f4b79cff02f9331b4ad39f76ead5f0661fc75759becdae915f713c52777e39dddd82bd8d337d536d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8f6e81da6b25ad8a2634cb509623f278

SHA1
aeaba10f3d0d1adee0fe8e85589b093668edc6bc

SHA256
b7060b7f015e8f8d2e7a027531fc9566c9a61b0cc3a4db5c57fd1b906e3f49dd

SHA512
dd6e4429fa4711dadc0feef19d17cccf501dc1d330bfc952dd8521856d5a350022703ade93ff83253e8b3e3ad26a257d1816a618582f7ff37dfe6851087b15e9

Download Submit
C:\Windows\Help\Windows\taskhost.exe

Filesize
1.6MB

MD5
bb2660ca2806cf892e3c9844beb2f56e

SHA1
c9733453e6f806e793b7b6df9c6919d887b07fe6

SHA256
ca5a5dbbb8278b68f6d5bdd6d9e4d8f69cbf2ee68ad63be5f0f33373405bea90

SHA512
23e258d18bbf88ec8ca62e12257fc1de7eb58695e2af52ea583f0d843ad48e83ada7846047a69890af72d5afed2f03dcb11623f06ff75a659121108081cd5514

Download Submit
memory/900-258-0x0000000000210000-0x00000000003B2000-memory.dmp

Filesize
1.6MB

Download
memory/1188-223-0x0000000000C40000-0x0000000000DE2000-memory.dmp

Filesize
1.6MB

Download
memory/1188-165-0x0000000000FF0000-0x0000000001192000-memory.dmp

Filesize
1.6MB

Download
memory/1212-211-0x0000000000150000-0x00000000002F2000-memory.dmp

Filesize
1.6MB

Download
memory/1504-293-0x00000000010C0000-0x0000000001262000-memory.dmp

Filesize
1.6MB

Download
memory/1768-106-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1768-108-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2032-177-0x00000000012D0000-0x0000000001472000-memory.dmp

Filesize
1.6MB

Download
memory/2084-11-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/2084-14-0x0000000000850000-0x0000000000858000-memory.dmp

Filesize
32KB

Download
memory/2084-1-0x00000000008B0000-0x0000000000A52000-memory.dmp

Filesize
1.6MB

Download
memory/2084-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-16-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/2084-15-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/2084-67-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2084-9-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2084-10-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2084-12-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/2084-3-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2084-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2084-13-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2084-8-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2084-4-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2084-7-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2084-6-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2084-5-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2152-154-0x0000000000280000-0x0000000000422000-memory.dmp

Filesize
1.6MB

Download
memory/2152-56-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2152-66-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2192-246-0x0000000000D10000-0x0000000000EB2000-memory.dmp

Filesize
1.6MB

Download
memory/2744-270-0x0000000000E00000-0x0000000000FA2000-memory.dmp

Filesize
1.6MB

Download