dcrat | f08d555b265bc840ef4d7904f37de7886b276d3b2f85180bb63b0e29445e02b1

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Size

1.6MB
MD5

3300bfaf9bf1b6c6ad8edd215d41f472
SHA1

410ca541b614b044273f9ce3be0aeb5eb185097a
SHA256

c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812
SHA512

c628e19818f92eb95e068fba254ce8be88a712cb28607034d99bb66352aa1640222b89412b26e1324862834f2d271db0432f338a9273707755e08c2bfff9deac
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2332	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2332	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral27/memory/2692-1-0x0000000001220000-0x00000000013C2000-memory.dmp	dcrat
behavioral27/files/0x000500000001a4b7-25.dat	dcrat
behavioral27/files/0x000600000001c301-78.dat	dcrat
behavioral27/files/0x000600000001a4b2-111.dat	dcrat
behavioral27/files/0x000800000001a4b7-134.dat	dcrat
behavioral27/files/0x000700000001a4d0-145.dat	dcrat
behavioral27/files/0x000a00000001a4d6-180.dat	dcrat
behavioral27/files/0x001100000001a4e8-264.dat	dcrat
behavioral27/memory/1200-284-0x00000000000E0000-0x0000000000282000-memory.dmp	dcrat
behavioral27/memory/2120-382-0x0000000001010000-0x00000000011B2000-memory.dmp	dcrat
behavioral27/memory/3064-405-0x00000000013E0000-0x0000000001582000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
988	powershell.exe
1212	powershell.exe
1640	powershell.exe
1816	powershell.exe
1724	powershell.exe
2704	powershell.exe
700	powershell.exe
1788	powershell.exe
2684	powershell.exe
2508	powershell.exe
1916	powershell.exe
1036	powershell.exe
2672	powershell.exe
1792	powershell.exe
3024	powershell.exe
1876	powershell.exe
2740	powershell.exe
1044	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1200	lsm.exe
2120	lsm.exe
668	lsm.exe
3064	lsm.exe
2548	lsm.exe
1716	lsm.exe
1764	lsm.exe
2632	lsm.exe
2360	lsm.exe
1592	lsm.exe
2216	lsm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX1CD3.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\5940a34987c991	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX16F.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\csrss.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\101b941d020240	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX1ACF.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX16E.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX8D4.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\24dbde2999530e	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX8D3.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX1ACE.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX1CD2.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\RCX11E1.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\Tasks\886983d96e3d3e	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\Downloaded Program Files\winlogon.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\lsm.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX11E0.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\addins\RCX18CA.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\addins\spoolsv.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX20DC.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\Downloaded Program Files\cc11b995f2a76d	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\Downloaded Program Files\winlogon.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\Tasks\csrss.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\101b941d020240	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\Tasks\RCXFDC.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\Tasks\csrss.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\addins\spoolsv.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\addins\f3b6ecef712a24	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\Tasks\RCXFDB.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\addins\RCX18C9.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX20DD.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\lsm.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2532	schtasks.exe
2612	schtasks.exe
2596	schtasks.exe
1292	schtasks.exe
2148	schtasks.exe
2992	schtasks.exe
320	schtasks.exe
2428	schtasks.exe
2168	schtasks.exe
1908	schtasks.exe
400	schtasks.exe
1028	schtasks.exe
1668	schtasks.exe
2856	schtasks.exe
2224	schtasks.exe
2960	schtasks.exe
808	schtasks.exe
1280	schtasks.exe
2108	schtasks.exe
356	schtasks.exe
2244	schtasks.exe
1940	schtasks.exe
1952	schtasks.exe
2088	schtasks.exe
1680	schtasks.exe
2432	schtasks.exe
1036	schtasks.exe
1584	schtasks.exe
2944	schtasks.exe
536	schtasks.exe
1520	schtasks.exe
2200	schtasks.exe
2480	schtasks.exe
1476	schtasks.exe
1896	schtasks.exe
1332	schtasks.exe
2720	schtasks.exe
2892	schtasks.exe
3000	schtasks.exe
2508	schtasks.exe
2144	schtasks.exe
2548	schtasks.exe
2112	schtasks.exe
988	schtasks.exe
108	schtasks.exe
1716	schtasks.exe
1572	schtasks.exe
2672	schtasks.exe
2116	schtasks.exe
2520	schtasks.exe
1832	schtasks.exe
700	schtasks.exe
2608	schtasks.exe
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2704	powershell.exe
1792	powershell.exe
700	powershell.exe
2752	powershell.exe
1044	powershell.exe
2508	powershell.exe
2672	powershell.exe
2740	powershell.exe
1724	powershell.exe
1640	powershell.exe
1916	powershell.exe
1876	powershell.exe
1788	powershell.exe
1816	powershell.exe
2684	powershell.exe
1036	powershell.exe
988	powershell.exe
1212	powershell.exe
3024	powershell.exe
1200	lsm.exe
2120	lsm.exe
668	lsm.exe
3064	lsm.exe
2548	lsm.exe
1716	lsm.exe
1764	lsm.exe
2632	lsm.exe
2360	lsm.exe
1592	lsm.exe
2216	lsm.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1200	lsm.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2120	lsm.exe
Token: SeDebugPrivilege	668	lsm.exe
Token: SeDebugPrivilege	3064	lsm.exe
Token: SeDebugPrivilege	2548	lsm.exe
Token: SeDebugPrivilege	1716	lsm.exe
Token: SeDebugPrivilege	1764	lsm.exe
Token: SeDebugPrivilege	2632	lsm.exe
Token: SeDebugPrivilege	2360	lsm.exe
Token: SeDebugPrivilege	1592	lsm.exe
Token: SeDebugPrivilege	2216	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 700	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	87
PID 2692 wrote to memory of 700	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	87
PID 2692 wrote to memory of 700	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	87
PID 2692 wrote to memory of 2704	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	88
PID 2692 wrote to memory of 2704	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	88
PID 2692 wrote to memory of 2704	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	88
PID 2692 wrote to memory of 1044	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	89
PID 2692 wrote to memory of 1044	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	89
PID 2692 wrote to memory of 1044	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	89
PID 2692 wrote to memory of 2752	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	91
PID 2692 wrote to memory of 2752	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	91
PID 2692 wrote to memory of 2752	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	91
PID 2692 wrote to memory of 1916	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	92
PID 2692 wrote to memory of 1916	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	92
PID 2692 wrote to memory of 1916	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	92
PID 2692 wrote to memory of 1792	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	94
PID 2692 wrote to memory of 1792	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	94
PID 2692 wrote to memory of 1792	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	94
PID 2692 wrote to memory of 988	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	96
PID 2692 wrote to memory of 988	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	96
PID 2692 wrote to memory of 988	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	96
PID 2692 wrote to memory of 1724	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	97
PID 2692 wrote to memory of 1724	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	97
PID 2692 wrote to memory of 1724	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	97
PID 2692 wrote to memory of 1816	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	98
PID 2692 wrote to memory of 1816	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	98
PID 2692 wrote to memory of 1816	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	98
PID 2692 wrote to memory of 2508	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	99
PID 2692 wrote to memory of 2508	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	99
PID 2692 wrote to memory of 2508	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	99
PID 2692 wrote to memory of 1640	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	100
PID 2692 wrote to memory of 1640	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	100
PID 2692 wrote to memory of 1640	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	100
PID 2692 wrote to memory of 2740	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	101
PID 2692 wrote to memory of 2740	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	101
PID 2692 wrote to memory of 2740	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	101
PID 2692 wrote to memory of 2672	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	102
PID 2692 wrote to memory of 2672	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	102
PID 2692 wrote to memory of 2672	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	102
PID 2692 wrote to memory of 2684	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	103
PID 2692 wrote to memory of 2684	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	103
PID 2692 wrote to memory of 2684	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	103
PID 2692 wrote to memory of 1212	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	104
PID 2692 wrote to memory of 1212	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	104
PID 2692 wrote to memory of 1212	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	104
PID 2692 wrote to memory of 1788	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	105
PID 2692 wrote to memory of 1788	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	105
PID 2692 wrote to memory of 1788	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	105
PID 2692 wrote to memory of 1036	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	106
PID 2692 wrote to memory of 1036	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	106
PID 2692 wrote to memory of 1036	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	106
PID 2692 wrote to memory of 1876	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	107
PID 2692 wrote to memory of 1876	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	107
PID 2692 wrote to memory of 1876	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	107
PID 2692 wrote to memory of 3024	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	108
PID 2692 wrote to memory of 3024	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	108
PID 2692 wrote to memory of 3024	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	108
PID 2692 wrote to memory of 1200	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	125
PID 2692 wrote to memory of 1200	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	125
PID 2692 wrote to memory of 1200	2692	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	125
PID 1200 wrote to memory of 816	1200	lsm.exe	127
PID 1200 wrote to memory of 816	1200	lsm.exe	127
PID 1200 wrote to memory of 816	1200	lsm.exe	127
PID 1200 wrote to memory of 3020	1200	lsm.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
"C:\Users\Admin\AppData\Local\Temp\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11ee7a2f-603f-471f-9df5-36c649ce6da6.vbs"
    3⤵
    PID:816
  - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
      "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2120
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8482969-510c-405c-80e0-48a44ffe6ce0.vbs"
        5⤵
        
        PID:2756
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17020cab-c821-44d8-87d6-25a83e865745.vbs"
        7⤵
        
        PID:2916
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4a4cc28-04f4-4d0f-9fc6-629e7b1dceb5.vbs"
        9⤵
        
        PID:1876
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0de37589-fb96-4f95-9533-20e732e84946.vbs"
        11⤵
        
        PID:948
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fccf2972-dfb6-474e-86e7-7adc6ae276a5.vbs"
        13⤵
        
        PID:448
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d3382c3-ec14-48f7-83db-f6ce1603513e.vbs"
        15⤵
        
        PID:1816
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44c3a2e6-46db-4fce-b834-c3359d41ad50.vbs"
        17⤵
        
        PID:1228
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f24701-a28a-4eb1-bf1a-007be6f24bfe.vbs"
        19⤵
        
        PID:2236
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7758be5-2e93-450d-9363-08baa1573298.vbs"
        21⤵
        
        PID:816
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\979cd845-6b8d-4131-81ae-5fa1ededfe03.vbs"
        21⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8deea39b-45e3-48bf-a58d-bb8e43cf216f.vbs"
        19⤵
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d83fe3e0-2c73-4a5f-9e40-5df8e9ca42c2.vbs"
        17⤵
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f2215e-eb6d-4a70-b65e-cc2450bc45fe.vbs"
        15⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fac701d8-9775-451c-a964-d2fa39356be5.vbs"
        13⤵
        
        PID:896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0399ac23-c8eb-4fe0-8aa9-799eed8af119.vbs"
        11⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a9fbed-922b-4bc5-a19c-cde6a3936e73.vbs"
        9⤵
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8ca7ce3-d963-48fb-9f07-af0405ee110c.vbs"
        7⤵
        
        PID:3000
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37db0e69-a77d-4e59-88a9-b47522b11fb3.vbs"
        5⤵
        
        PID:2172
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c69c138-09ab-43d3-98dd-fc429d1d3128.vbs"
    3⤵
    PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Local Settings\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.6MB

MD5
3300bfaf9bf1b6c6ad8edd215d41f472

SHA1
410ca541b614b044273f9ce3be0aeb5eb185097a

SHA256
c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812

SHA512
c628e19818f92eb95e068fba254ce8be88a712cb28607034d99bb66352aa1640222b89412b26e1324862834f2d271db0432f338a9273707755e08c2bfff9deac

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.6MB

MD5
f4fa7b0487861fa761e06993550a001e

SHA1
80fad9d1af9511a87a0d1fb3621ce0023c3f398a

SHA256
736b8c7e53cfe2db28f625317839640857c9c82518c3dd9c30ed9f64e02bb3ab

SHA512
b4ea965d16b747e475b8b7e343ddb1bd27249e5a3ffcf577a5597387e228125a1eeece1ca1b30584319136dbbdf106d6c9aea549aa53ac61364f6f34e7a883fd

Download Submit
C:\ProgramData\sppsvc.exe

Filesize
1.6MB

MD5
0cccbc8f24252e27d1f9929fe1b7e1a0

SHA1
217b5091baca3f4ccc8386a5cfd42e5fd3459472

SHA256
b45cf9502662f9e32cf50435a69123e3fcebd0ef76ddc043098064c6041bcf3b

SHA512
54af997c2bbd917837111ad907b0c4dc9b0e38fd6105aed105f8c1952ed05daaccf1922aa974d03f83f834259bf385edb2ad83c82765752be415b13510058733

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe

Filesize
1.6MB

MD5
457adff54896297b8f89fe05d9042c4d

SHA1
92eaeedaf88f442beb133c4c7275c3fc16371a28

SHA256
d08b50ca64310e17afd4f891d7352925ffc6ba68deb37b2f9251eb1a8b364461

SHA512
b06693e5bd5f70587a1c1ce87fe532a9c228ae00effe40f9f14ca31059794d9a0c90a10ed154962b42fc725d0d8b58d9aafee4226f08a983ac3404eed8a37f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\0de37589-fb96-4f95-9533-20e732e84946.vbs

Filesize
756B

MD5
013e563cd7fa2a79d7e0fa51ba228e7b

SHA1
5fc89514924f8453be6e158bd6c0857ed37a8c80

SHA256
e11f0c2878c2ce4e934c38eb8477203d9710737cadb5f1e207f693d20bba7405

SHA512
28e85d1365ee587b4a01c8555626d3f0a04f99b9a22d2f75d99aa9dbc563025ee88efa42eef0fb7023f8838ff114b7fefa4bd693498aebbd9cfea81ad5d21d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\11ee7a2f-603f-471f-9df5-36c649ce6da6.vbs

Filesize
756B

MD5
39bd2df74996b8089c9acb49acc03f56

SHA1
dfc22a75c41df312ba387baa78611e6120ec23dc

SHA256
6281700f2f7d5c0a871078e871a5a5c03db908e4c291ac4d8d7eadb54a95b5d4

SHA512
4118247e309a6e166a5014a4c38faf38f80a3abf5a3b79d0b03ab9f23f37ea1dbe0c38eba369634e9427f07a7d1001127ef382963e98ebfc96f152e9644ed90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\17020cab-c821-44d8-87d6-25a83e865745.vbs

Filesize
755B

MD5
0687e9fcd9306d898d94c27333fccdc7

SHA1
b138033ae40b6f1b787a09027bf9622f19a21fa2

SHA256
f2b4897655d462d1cc3df846b21b1bc4922eb5271b635f71f2740d2dc10cff5b

SHA512
4eb8057134e7534612d47863a48993cc3b76a4e58a16132c3b9ced522a85a9d171ee4530721a07477f32fb90fc0ecf250afddd53afe9593a01c1c694d82fe5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d3382c3-ec14-48f7-83db-f6ce1603513e.vbs

Filesize
756B

MD5
f3327f32268b085bc104b256cdd128bb

SHA1
dc755fd00919d0b76021e0f101a28b7a2a261c28

SHA256
3dddf89837523f8996694e52428ae454634baabb0fca95b1fefb2e0d99cf29c2

SHA512
c7583c83289efff619e701474dd98cfce234b8df7f2b9445dc738b2c06909a7bc24762d7109a7c108997945590b678ab4a44bdcab8efdb0090ddbca0ad7af6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c69c138-09ab-43d3-98dd-fc429d1d3128.vbs

Filesize
532B

MD5
00fe44b19081762da917f314bb1dab17

SHA1
8e1949ae4a9721fe5bb2383d4871401b20201032

SHA256
cffbe81ad304047e20893ab51d329113309cc5dd87faf162972a23fad65be64d

SHA512
4ba7728824cb70c53547d862bf0422420ff106e6b2cf1e3983a70ecbc06b4879b436b095fd5ee6d583015b946974c63fd2d104ec1130a7d377e94b02ac3a39f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\44c3a2e6-46db-4fce-b834-c3359d41ad50.vbs

Filesize
756B

MD5
d565d4115dbb1483a05edb37d495a557

SHA1
e5afc5100c6a514fb4f6d6c7932be662c66263af

SHA256
f8a944f1364098ce0319a40557e635b5ac288bb7425cbb01584a6bb3f833d636

SHA512
fce38feaf11bdc1b7f571c4e4dd4ec233fce1ee595d1b310f6dd443cea06df9375fd54579c8fb1473af1c92aac0a9adf34e2aad31df9dd5de1c241354e421b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7758be5-2e93-450d-9363-08baa1573298.vbs

Filesize
756B

MD5
eaf91cdaf0caeee2a6ae2de04b061f79

SHA1
37968e30786d5d85c4e738dedc613802ce3ac7d5

SHA256
3a6f49df2e1dc596c8490bf9d8a8502a7225eed7cf1e3b8ea55ca918efc902a4

SHA512
f1e3f5a15b2176ea022ccf1e5fb8d47f372ef979bd13453e0581e2922ed059b2b4727590c1ba6b21ffec166046da131d91b935fd7378bd290a5230d1e899089e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4a4cc28-04f4-4d0f-9fc6-629e7b1dceb5.vbs

Filesize
756B

MD5
fe46d1a1b87122af73521903ca716cf1

SHA1
e1f3763e0305a6f8db966cb254c365a8bccbdf89

SHA256
1add9e865b94a81abe15d743672d548d107e86f585d4a0b7098496de7f919eef

SHA512
45390709968888e47e72460752a4411b4d963e1891d42b677bc70f3e957aa172aad2c51118c1111b45a0bcd9006487103c3c1a7d953bcb763e3efde8303594b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1f24701-a28a-4eb1-bf1a-007be6f24bfe.vbs

Filesize
756B

MD5
3af3920d56aa05c50cf27a54c6225af3

SHA1
68aae7beb3fce109a5b2fabaa0592dfa826b8576

SHA256
402e30dc3f36ed3a33ffc064aba216381a9a426ec65c8760aedc3fdf3d6743dd

SHA512
4984b3919eecbf2820e83bd50572f261c603e82ab0b5b34d22e48704a43f96aa861117249f9179e8a23acc0fdf01538d6b909398b2c8f9deee2a47a696e043e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8482969-510c-405c-80e0-48a44ffe6ce0.vbs

Filesize
756B

MD5
9c2b678e752235b740a93626787fb74e

SHA1
f7443302ccfaec36aa40458f4917c73c1b9680a5

SHA256
2bad746a85bfcbe5cdd9acd2252a6b2a3f3fdfb59d332700eca3c71aaf8ed7c0

SHA512
40c5374c76790932071f38f51032cc063fb288992141fa1e420de716121790f1bf80ac332cbd3742127ae938632bc10b2364e10b4ee26d36ff29ec836849d343

Download Submit
C:\Users\Admin\AppData\Local\Temp\fccf2972-dfb6-474e-86e7-7adc6ae276a5.vbs

Filesize
756B

MD5
22537eeca736aa0694b139a70bf8cd48

SHA1
8117eab9a15dae52f33562d03ed2263c959df244

SHA256
55c848324599c443b83becd575bcd98f1f9f3bc15788ba84ac4ec223faae154f

SHA512
eaa21314340837c3aefd1f916ec4cf6c9785df8361a982d8b853e757d28b09158157a4735dc774a4098acc318b9e0872ffd27123ea0ee6e4e4178ca8df6d0192

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
23bb04d9afb0bba4ac36943f53dce136

SHA1
87be929fd22e861d25f486f3e5d7cef1887a534b

SHA256
35312525779e1832869003832133513ae9551d5209ae70d1b2abd03c9f044f68

SHA512
3bedeb0008939accab5c869f75c83ef1e5c0b874a93875d8f0bc0b8066a7e12f974b6e4edc6ea172048b20d2371891831e8137b025177b234050b180bca924fb

Download Submit
C:\Users\Default\OSPPSVC.exe

Filesize
1.6MB

MD5
bb29f3a79547f255b435bf8074109b42

SHA1
06667b87963134418c912ff1a19dcd979a3ba6a4

SHA256
a07f65f0797ad08152589a9340873b30ff97fac377eade880a06df76b8410664

SHA512
5c23e0e98bd2d459f985681b803fb248ca2f9ee39bd6f05d4ae6dd89fc90cb9919782a673792d3f7d6116f6af46f5bcf8465dc9de31c4422f56fd3e6de4bb0da

Download Submit
C:\Users\Default\System.exe

Filesize
1.6MB

MD5
593c951124d0dd934f7f7a16f92474b1

SHA1
5232c8aac1e16af19daf7cabea36da8c5d493718

SHA256
589eb9197223f0b69075cdc45183218bad8e156cd93d580bae0e7afd26b2d1b6

SHA512
043bfcaf3fc44b5ed60ae0d93ce60c45a55dd16b2906e100f3f5aba0c617b4cb967517e354d188b6b2e989514f90f2c9060444cce1da2a12b88a164441df0fcd

Download Submit
C:\Users\Public\Desktop\csrss.exe

Filesize
1.6MB

MD5
e1e5f8dded81f91f14c80f489bb64474

SHA1
afb90ad52ed92e3163a3d2fb521eec4e6663a722

SHA256
554f884c8f7d1888335b3edd230a0ae02bbdbeef83320890de8f02ef8abfc6e2

SHA512
315ce98431c6c093c42b1db158a22ed000eb34cc984497292d40af493f1b7517ed3739ff6e15c543caf6743571192789dba91ef9b662e0ad3e1d2e8108273834

Download Submit
memory/1200-284-0x00000000000E0000-0x0000000000282000-memory.dmp

Filesize
1.6MB

Download
memory/1792-286-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/2120-382-0x0000000001010000-0x00000000011B2000-memory.dmp

Filesize
1.6MB

Download
memory/2692-10-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2692-7-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/2692-219-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-15-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/2692-14-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2692-13-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/2692-1-0x0000000001220000-0x00000000013C2000-memory.dmp

Filesize
1.6MB

Download
memory/2692-12-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/2692-371-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-9-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2692-194-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

Filesize
4KB

Download
memory/2692-0-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

Filesize
4KB

Download
memory/2692-11-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/2692-8-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/2692-2-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-6-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2692-16-0x0000000001190000-0x000000000119C000-memory.dmp

Filesize
48KB

Download
memory/2692-5-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/2692-4-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2692-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2704-285-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/3064-405-0x00000000013E0000-0x0000000001582000-memory.dmp

Filesize
1.6MB

Download