dcrat | e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
Size

1.6MB
MD5

1d5a1ae245a5e111a2587dbdb7dce8af
SHA1

c3e74dedff703865d0455ab498b2fd3cb6e7aa00
SHA256

c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e
SHA512

75f5d287ebc247ac0aa2825dcb784894b31b4665a52994b0154ce9c1386dacb3fb72affaa32d9e86729e7da28f91c9c7f8eb2c755ac44c77c3c095e304ab367c
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	3048	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3048	schtasks.exe	29

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral13/memory/2116-1-0x0000000001330000-0x00000000014D2000-memory.dmp	dcrat
behavioral13/files/0x000500000001a58f-25.dat	dcrat
behavioral13/files/0x000800000001c764-227.dat	dcrat
behavioral13/memory/2180-337-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat
behavioral13/memory/2996-392-0x00000000003D0000-0x0000000000572000-memory.dmp	dcrat
behavioral13/memory/888-404-0x0000000000EB0000-0x0000000001052000-memory.dmp	dcrat
behavioral13/memory/1816-427-0x0000000000190000-0x0000000000332000-memory.dmp	dcrat
behavioral13/memory/2356-439-0x0000000000380000-0x0000000000522000-memory.dmp	dcrat
behavioral13/memory/2228-451-0x0000000000B00000-0x0000000000CA2000-memory.dmp	dcrat
behavioral13/memory/2892-460-0x0000000000100000-0x00000000002A2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2036	powershell.exe
2016	powershell.exe
2620	powershell.exe
2636	powershell.exe
2324	powershell.exe
868	powershell.exe
1532	powershell.exe
1764	powershell.exe
1092	powershell.exe
1656	powershell.exe
2532	powershell.exe
2552	powershell.exe
1104	powershell.exe
1108	powershell.exe
2472	powershell.exe
2740	powershell.exe
276	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2180	Idle.exe
2024	Idle.exe
560	Idle.exe
648	Idle.exe
2068	Idle.exe
2996	Idle.exe
888	Idle.exe
2552	Idle.exe
1816	Idle.exe
2356	Idle.exe
2228	Idle.exe
2892	Idle.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX3392.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\DVD Maker\ja-JP\Idle.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\DVD Maker\ja-JP\6ccacd8608530f	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\f3b6ecef712a24	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\0a1fd5f707cd16	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX318D.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\RCX4089.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX318C.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX399F.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX39A0.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\RCX401B.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\dwm.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\Windows NT\c5b4cb5e9653cc	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCX2F1B.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Windows NT\RCX3DAA.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\7a0fd90576e088	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCX2F1A.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\27d1bcfc3c54e0	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\Windows NT\services.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\Idle.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX3391.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Windows NT\RCX3DA9.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Windows NT\services.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\explorer.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\explorer.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\RCX2CA9.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\system\dllhost.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\System.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\TAPI\RCX269B.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\TAPI\services.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\TAPI\c5b4cb5e9653cc	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\Boot\EFI\de-DE\OSPPSVC.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\AppPatch\AppPatch64\System.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Performance\WinSAT\RCX429C.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Performance\WinSAT\RCX42AD.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\RCX379A.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\RCX379B.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Performance\WinSAT\csrss.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\TAPI\RCX269A.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\TAPI\services.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\Vss\Writers\System\886983d96e3d3e	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\system\5940a34987c991	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\AppPatch\AppPatch64\27d1bcfc3c54e0	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\Performance\WinSAT\886983d96e3d3e	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX2AA3.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX2AA4.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\Vss\Writers\System\csrss.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\system\dllhost.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File created	C:\Windows\Performance\WinSAT\csrss.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\Vss\Writers\System\csrss.exe	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
File opened for modification	C:\Windows\system\RCX2CA8.tmp	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1044	schtasks.exe
1520	schtasks.exe
2356	schtasks.exe
432	schtasks.exe
2120	schtasks.exe
2400	schtasks.exe
2716	schtasks.exe
1636	schtasks.exe
1616	schtasks.exe
2796	schtasks.exe
2044	schtasks.exe
1256	schtasks.exe
2464	schtasks.exe
2436	schtasks.exe
2536	schtasks.exe
2272	schtasks.exe
1432	schtasks.exe
2660	schtasks.exe
2056	schtasks.exe
1080	schtasks.exe
2020	schtasks.exe
2032	schtasks.exe
2704	schtasks.exe
1732	schtasks.exe
1984	schtasks.exe
264	schtasks.exe
2820	schtasks.exe
2188	schtasks.exe
2732	schtasks.exe
2520	schtasks.exe
2576	schtasks.exe
3020	schtasks.exe
3008	schtasks.exe
1312	schtasks.exe
3012	schtasks.exe
1660	schtasks.exe
2640	schtasks.exe
1108	schtasks.exe
2244	schtasks.exe
1664	schtasks.exe
2744	schtasks.exe
3028	schtasks.exe
2896	schtasks.exe
2604	schtasks.exe
316	schtasks.exe
1012	schtasks.exe
1008	schtasks.exe
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
2016	powershell.exe
1092	powershell.exe
868	powershell.exe
2740	powershell.exe
276	powershell.exe
1532	powershell.exe
2636	powershell.exe
2036	powershell.exe
1764	powershell.exe
1108	powershell.exe
1656	powershell.exe
2552	powershell.exe
2620	powershell.exe
2532	powershell.exe
1104	powershell.exe
2324	powershell.exe
2472	powershell.exe
2180	Idle.exe
2024	Idle.exe
560	Idle.exe
648	Idle.exe
2068	Idle.exe
2996	Idle.exe
888	Idle.exe
2552	Idle.exe
1816	Idle.exe
2356	Idle.exe
2228	Idle.exe
2892	Idle.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2180	Idle.exe
Token: SeDebugPrivilege	2024	Idle.exe
Token: SeDebugPrivilege	560	Idle.exe
Token: SeDebugPrivilege	648	Idle.exe
Token: SeDebugPrivilege	2068	Idle.exe
Token: SeDebugPrivilege	2996	Idle.exe
Token: SeDebugPrivilege	888	Idle.exe
Token: SeDebugPrivilege	2552	Idle.exe
Token: SeDebugPrivilege	1816	Idle.exe
Token: SeDebugPrivilege	2356	Idle.exe
Token: SeDebugPrivilege	2228	Idle.exe
Token: SeDebugPrivilege	2892	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2472	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	78
PID 2116 wrote to memory of 2472	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	78
PID 2116 wrote to memory of 2472	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	78
PID 2116 wrote to memory of 2636	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	79
PID 2116 wrote to memory of 2636	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	79
PID 2116 wrote to memory of 2636	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	79
PID 2116 wrote to memory of 2552	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	80
PID 2116 wrote to memory of 2552	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	80
PID 2116 wrote to memory of 2552	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	80
PID 2116 wrote to memory of 1656	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	81
PID 2116 wrote to memory of 1656	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	81
PID 2116 wrote to memory of 1656	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	81
PID 2116 wrote to memory of 1092	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	83
PID 2116 wrote to memory of 1092	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	83
PID 2116 wrote to memory of 1092	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	83
PID 2116 wrote to memory of 2740	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	85
PID 2116 wrote to memory of 2740	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	85
PID 2116 wrote to memory of 2740	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	85
PID 2116 wrote to memory of 1108	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	87
PID 2116 wrote to memory of 1108	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	87
PID 2116 wrote to memory of 1108	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	87
PID 2116 wrote to memory of 2324	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	88
PID 2116 wrote to memory of 2324	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	88
PID 2116 wrote to memory of 2324	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	88
PID 2116 wrote to memory of 276	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	90
PID 2116 wrote to memory of 276	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	90
PID 2116 wrote to memory of 276	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	90
PID 2116 wrote to memory of 868	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	92
PID 2116 wrote to memory of 868	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	92
PID 2116 wrote to memory of 868	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	92
PID 2116 wrote to memory of 1764	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	93
PID 2116 wrote to memory of 1764	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	93
PID 2116 wrote to memory of 1764	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	93
PID 2116 wrote to memory of 1532	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	94
PID 2116 wrote to memory of 1532	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	94
PID 2116 wrote to memory of 1532	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	94
PID 2116 wrote to memory of 1104	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	95
PID 2116 wrote to memory of 1104	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	95
PID 2116 wrote to memory of 1104	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	95
PID 2116 wrote to memory of 2620	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	96
PID 2116 wrote to memory of 2620	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	96
PID 2116 wrote to memory of 2620	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	96
PID 2116 wrote to memory of 2016	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	97
PID 2116 wrote to memory of 2016	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	97
PID 2116 wrote to memory of 2016	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	97
PID 2116 wrote to memory of 2036	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	98
PID 2116 wrote to memory of 2036	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	98
PID 2116 wrote to memory of 2036	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	98
PID 2116 wrote to memory of 2532	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	99
PID 2116 wrote to memory of 2532	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	99
PID 2116 wrote to memory of 2532	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	99
PID 2116 wrote to memory of 2112	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	112
PID 2116 wrote to memory of 2112	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	112
PID 2116 wrote to memory of 2112	2116	c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe	112
PID 2112 wrote to memory of 1576	2112	cmd.exe	114
PID 2112 wrote to memory of 1576	2112	cmd.exe	114
PID 2112 wrote to memory of 1576	2112	cmd.exe	114
PID 2112 wrote to memory of 2180	2112	cmd.exe	115
PID 2112 wrote to memory of 2180	2112	cmd.exe	115
PID 2112 wrote to memory of 2180	2112	cmd.exe	115
PID 2180 wrote to memory of 3016	2180	Idle.exe	116
PID 2180 wrote to memory of 3016	2180	Idle.exe	116
PID 2180 wrote to memory of 3016	2180	Idle.exe	116
PID 2180 wrote to memory of 1324	2180	Idle.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe
"C:\Users\Admin\AppData\Local\Temp\c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\AppPatch64\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Multiplayer\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JpXqSaXt99.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1576
- - C:\Program Files\DVD Maker\ja-JP\Idle.exe
    "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f69acd15-6615-4636-9573-df3fee12ec99.vbs"
      4⤵
      PID:3016
    - - C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76f3d819-c94f-43ce-895f-1f71e168da42.vbs"
        6⤵
        
        PID:2136
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac7dcb1e-b604-4f41-b73c-faef898ea73f.vbs"
        8⤵
        
        PID:2936
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44067aaa-5220-455b-8eff-040b51b709b5.vbs"
        10⤵
        
        PID:1312
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55483735-c520-47ad-9540-467e6c30b207.vbs"
        12⤵
        
        PID:2188
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5015a05-3445-4c86-b5da-985ca7ed6b92.vbs"
        14⤵
        
        PID:1108
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4dbeb3-04d1-4d85-9d0d-53b4ce2a01c1.vbs"
        16⤵
        
        PID:2488
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9248c976-92ed-4701-baf4-9f1ec3104648.vbs"
        18⤵
        
        PID:2688
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f7f5292-201b-4c3b-a8b6-d60fd906010e.vbs"
        20⤵
        
        PID:1516
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d39bdb8c-155c-4fdc-a0be-3b17a83870e8.vbs"
        22⤵
        
        PID:2772
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beb4b3b9-2221-4191-90da-64bf1cde3f65.vbs"
        24⤵
        
        PID:624
        
        C:\Program Files\DVD Maker\ja-JP\Idle.exe
        
        "C:\Program Files\DVD Maker\ja-JP\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eb21e3d-6aa6-4c82-a322-ad78431de5b0.vbs"
        26⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2b1d17e-bc6b-4485-a608-3ea7bacd676c.vbs"
        26⤵
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\993bff30-c942-44a3-af91-4e3969cbfe53.vbs"
        24⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b6fbf8c-35d4-4b61-b4d7-a82600292ab0.vbs"
        22⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac2cbe57-6e52-486f-9388-befe68c95709.vbs"
        20⤵
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfc4c487-5250-4e13-a2fe-816f577f8650.vbs"
        18⤵
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d37f58f-5155-40e1-9735-4a58e70ca8ea.vbs"
        16⤵
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\735beb40-3a78-4d59-a1ea-d2627bf0db16.vbs"
        14⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb8199c5-398a-490a-ae3e-389675ceb8af.vbs"
        12⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27073767-e122-4526-b3e7-4b82c887f201.vbs"
        10⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8762af31-0c03-45ba-a274-a25e253db970.vbs"
        8⤵
        
        PID:764
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8cd790c-ef6a-431a-bf41-3f024573094d.vbs"
        6⤵
        
        PID:2456
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c40cb6c5-73ac-4a1a-bd2d-de00f7449a28.vbs"
      4⤵
      PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\system\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\system\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\system\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\AppPatch64\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\AppPatch64\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Multiplayer\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Multiplayer\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\Multiplayer\explorer.exe

Filesize
1.6MB

MD5
15adf7a04d37c8b45c9303d220bcf945

SHA1
226768ce03466e0695340363b0b08b40174f46f8

SHA256
e75f874ce99bff21ee8d9c8562cc0debd24be3bf5b908201172181aa12bff989

SHA512
82ecacf8d5c712b1bde1d208d54cb3349d289f34e1c351dca73085d31c0f10536e6ae520dc965a1332c2b8791f07696f80b3f3c772af2483a59f37c9decd81c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\44067aaa-5220-455b-8eff-040b51b709b5.vbs

Filesize
716B

MD5
2ad2968d1cef65eff620c24c422a3b7e

SHA1
dc079ba0e9016730996efb1b37b28f939d0ceda3

SHA256
056911cbf0129dc11e757043103917b5cf6807d32dc471f496c8af3af9c961f8

SHA512
a5f759dac260e2725a643ea6ce4e0a0a69e74c13584e5d9038e6f85c6ee592f6f815d57ea709d4e00d7816001f736e1733d9ebef745fd34138002a0c7083a55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\55483735-c520-47ad-9540-467e6c30b207.vbs

Filesize
717B

MD5
88183e8090a4e4732222c1d1d9cea7ee

SHA1
dcdddef4e898a22d0d9fe374487a7f147cbdb4cf

SHA256
e7bb78688e70a617b454bf9751a7f37159e3fd0f472af4f2f713dbb6be2d2244

SHA512
2d1455f43a3a5c26b8d3c37e31f0016c09b04c1af0e0e2b6349bfcbe472d8e020935dd99a760a28a5f362e3120ccb7e8d120a3e71bec9ce607d7b7e9343dfac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f7f5292-201b-4c3b-a8b6-d60fd906010e.vbs

Filesize
717B

MD5
bb279f451519abfc4f9ea8aea51e51f0

SHA1
7764709c9d165a5098da7fdfc881b7416ea35b8a

SHA256
8ceefd80cc54afd7f2a652d4af1326c8fbf9c15c3f5c6dbb6042368c6db55347

SHA512
e4173c32ac9b567b0ec8585d231fa21a19f814edaed6b2819f196bd2bfec94afb040d2e73a2fbc51ab353e8c9d18e9ececeadfb1161c9affe1188c59c5904faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\76f3d819-c94f-43ce-895f-1f71e168da42.vbs

Filesize
717B

MD5
8f1d49080ee71a001922b21e6056534d

SHA1
0ed9ff3f62ae2aa921fbd93f3a18bd14e4779297

SHA256
f704094ec10cae94243e485be9ef8b2945da87e7b4ff34773fc1f0746748ad7c

SHA512
2c83cdcc05d2bb518fc29881507e9f35d15af6b45a66e2db03f463759134a4d79dbde265a7c216f571a38a0b379beb292a8c3a6f1b0b42572fe1daf42aa4342c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b4dbeb3-04d1-4d85-9d0d-53b4ce2a01c1.vbs

Filesize
716B

MD5
a0fe7b05a84bdf91756c24af4b2cf339

SHA1
fe506a009d095d2e568899d2ea8ff10c00e46bf3

SHA256
8b3b6fc4bf65d8deb132b066dc0cfc238c3998433853ab69dfdde7e3eae0f4ad

SHA512
ad0b096d501e56ef4f517f8d99ce7c8310d75e6fb9bb0fc43d9d5b6dd8509ade6ae8d633782b664fd88d8a39af5cf92a32e27bf774e4aba5efd7ea927fe54b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\9248c976-92ed-4701-baf4-9f1ec3104648.vbs

Filesize
717B

MD5
dbbcb7a16007d95230c4c7a11f768df7

SHA1
2679b502c6640c99bd19ed3986979ef3fc2bfa62

SHA256
fd358aff8345c23f908abcd86d716c711d250d9a03332d19bca951a599a2f8ac

SHA512
7c3ddc6c15c3b03bc3100aa806c42286ffddcc86181d13aeda2f98b9130196d4ff92f1e57defa2d71505c8e73a5078c7b86b48239b83e42afb4642453261ca38

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpXqSaXt99.bat

Filesize
206B

MD5
fb4ddaf35292e65d7d8f8dea16e60c80

SHA1
63c5a5fd119280714ef80ea67154f764711a10e7

SHA256
e909c66835584a516873a59933bbcd703da79f31d90d02e8ee1e735eb5023e00

SHA512
02eabde464b3409a1521408fe42736e5f8a08dfb6b48a761f703187ad7935259a1d54c3f58b78814feb5ddb973e66b2dbccbba26e3e779a5d6a9435a1724660b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac7dcb1e-b604-4f41-b73c-faef898ea73f.vbs

Filesize
716B

MD5
0fcb00b193530d4098f616f33350716e

SHA1
131eb85c10fd4e181eb6fb72ccac0d863f5c92e4

SHA256
49cd386b92a05a47bac0b577ef33caec539b0d316a46ba8e91e36e627b87fb30

SHA512
0547284e36949b9ef2f4cf737380d5cbf563fc82f461d1fb410a6af18d0e6fe30fb621da06b16d2c5e530902cc1b54e085b17504acb0b49fed371da558fd5751

Download Submit
C:\Users\Admin\AppData\Local\Temp\c40cb6c5-73ac-4a1a-bd2d-de00f7449a28.vbs

Filesize
493B

MD5
a985d1563f49d643a50d4626546d615d

SHA1
44e31719afbbbb1be98fb471a4fd6c034360a875

SHA256
adf523d11d21bfa9a32847b1c28e65b0fd62264bf913dfdddedfeb65267ad953

SHA512
9e9c02ceb5e8ba1c79a28fc6413c4124ce19bf3bdfab3f9b846d4aafb2ea6df48d0a6487a7023935515ce5cf1bb31f7470306798e7aa5f8ce8be6106135c789f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5015a05-3445-4c86-b5da-985ca7ed6b92.vbs

Filesize
717B

MD5
a623416a2e7f79a99d10984999f385f4

SHA1
c9f30751c642f50f3b244f3d771ba9fc50131328

SHA256
ecdfed455fd6d9def93f89097af8c936173d0d8b7387bee2790bca826c9872fe

SHA512
8e7b3c0215e818af7f87865b8536e61575cc98bd1bac2b37db32f89cd148172cbea03f057e249f0cdb818386e5f054a1206d7f14ca1fb995edea92a9b4fd3815

Download Submit
C:\Users\Admin\AppData\Local\Temp\d39bdb8c-155c-4fdc-a0be-3b17a83870e8.vbs

Filesize
717B

MD5
72c3ec297d72bc976d15a2ea5d6c80e8

SHA1
35239af0db6838cf4f5d9727697cb5cf093d9d96

SHA256
be52b3041c912547affffccb90b60d5aae1f396b5f1a5aa16042941d83964ce4

SHA512
f0ed46c850ee35a916b57aacbbe4220ceb7e8ca7e110877b8719c524870637c224fc49488cb7e6560c37c3fd7c845208d621a4daa5992f433078b4b9f4a5453c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f69acd15-6615-4636-9573-df3fee12ec99.vbs

Filesize
717B

MD5
478a6749ba18f1d545e84aafdd561b92

SHA1
afa03d7af0dc3b4a18c128579be18e51ab97a5cd

SHA256
930e91ea7e142f76bcca0f4a3af1829202d7ab9ed5e782031da8c2e6a1f37643

SHA512
82bf5f250b6d9ca23bd7c00c2f91d6a5e25af796b4cd16b7779641f680bb9ff68d3703f2d5df8871e8733417b479b79876dd772e248b40c511393407344cc2a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6fabd20dd97da8fa5942e2f98ec934b3

SHA1
62c68c1c44ffd3cba088fe40cb71ecee491fab22

SHA256
481f4626b6f6f4b15bbb750d64e872c6b6700f4565ec9151ac5e494fc9c29726

SHA512
ad7e5b2dae96675955728dbbc2b11a7444d8c39b3b5dd67dfb296c525dcb44c438ca23095d333cc3eb858254a311f01b1eb2faf1c6daba86eda3bba4f6363525

Download Submit
C:\Windows\Vss\Writers\System\csrss.exe

Filesize
1.6MB

MD5
1d5a1ae245a5e111a2587dbdb7dce8af

SHA1
c3e74dedff703865d0455ab498b2fd3cb6e7aa00

SHA256
c08fd2b60b6a2e2facc33281aff9f6f0eb6aff73c828e233da1f65bd92f24e1e

SHA512
75f5d287ebc247ac0aa2825dcb784894b31b4665a52994b0154ce9c1386dacb3fb72affaa32d9e86729e7da28f91c9c7f8eb2c755ac44c77c3c095e304ab367c

Download Submit
memory/888-404-0x0000000000EB0000-0x0000000001052000-memory.dmp

Filesize
1.6MB

Download
memory/1816-427-0x0000000000190000-0x0000000000332000-memory.dmp

Filesize
1.6MB

Download
memory/2016-257-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2016-265-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2116-12-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2116-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/2116-247-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-207-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2116-16-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2116-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2116-8-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2116-1-0x0000000001330000-0x00000000014D2000-memory.dmp

Filesize
1.6MB

Download
memory/2116-9-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2116-11-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2116-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2116-13-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2116-14-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2116-15-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2116-2-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-10-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2116-6-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2116-7-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2116-4-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2116-230-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-337-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download
memory/2228-451-0x0000000000B00000-0x0000000000CA2000-memory.dmp

Filesize
1.6MB

Download
memory/2356-439-0x0000000000380000-0x0000000000522000-memory.dmp

Filesize
1.6MB

Download
memory/2892-460-0x0000000000100000-0x00000000002A2000-memory.dmp

Filesize
1.6MB

Download
memory/2996-392-0x00000000003D0000-0x0000000000572000-memory.dmp

Filesize
1.6MB

Download