dcrat | 8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
Size

1.6MB
MD5

897ea9c4d942c8ff6dad7af9d25612b5
SHA1

4e34616e3bc3414cb3d264575f865c4a0f9eefbc
SHA256

cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5
SHA512

0c580b68fec12b9621a6c62b572cf9035c74fe288db14658aa8a3b04f49419ee19036213bf5c1dfa335e37f409fb816bf04d420905880321aeedb7a3fddee35b
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2828	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2828	schtasks.exe	29

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/3008-1-0x0000000001210000-0x00000000013B2000-memory.dmp	dcrat
behavioral11/files/0x000500000001a46d-25.dat	dcrat
behavioral11/files/0x000900000001a479-184.dat	dcrat
behavioral11/files/0x000a00000001a479-201.dat	dcrat
behavioral11/files/0x000a00000001a48d-236.dat	dcrat
behavioral11/memory/2712-312-0x0000000000B50000-0x0000000000CF2000-memory.dmp	dcrat
behavioral11/memory/1816-405-0x0000000000C30000-0x0000000000DD2000-memory.dmp	dcrat
behavioral11/memory/972-417-0x0000000000140000-0x00000000002E2000-memory.dmp	dcrat
behavioral11/memory/1304-429-0x0000000001070000-0x0000000001212000-memory.dmp	dcrat
behavioral11/memory/1448-441-0x00000000001D0000-0x0000000000372000-memory.dmp	dcrat
behavioral11/memory/1572-453-0x0000000001150000-0x00000000012F2000-memory.dmp	dcrat
behavioral11/memory/1244-476-0x00000000011F0000-0x0000000001392000-memory.dmp	dcrat
behavioral11/memory/1000-488-0x0000000000310000-0x00000000004B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1448	powershell.exe
800	powershell.exe
2888	powershell.exe
1816	powershell.exe
2608	powershell.exe
2420	powershell.exe
436	powershell.exe
1096	powershell.exe
2844	powershell.exe
2820	powershell.exe
3032	powershell.exe
1560	powershell.exe
2328	powershell.exe
2536	powershell.exe
2376	powershell.exe
2204	powershell.exe
2236	powershell.exe
2756	powershell.exe
1124	powershell.exe
1992	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2712	taskhost.exe
436	taskhost.exe
1816	taskhost.exe
972	taskhost.exe
1304	taskhost.exe
1448	taskhost.exe
1572	taskhost.exe
2844	taskhost.exe
1244	taskhost.exe
1000	taskhost.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\winlogon.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX5F33.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX67B4.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX6E10.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\RCX7091.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files\Internet Explorer\images\b75386f1303e64	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\101b941d020240	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX6DFF.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files\Internet Explorer\images\taskhost.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\winlogon.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX72C5.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\services.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\c5b4cb5e9653cc	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files\Internet Explorer\images\taskhost.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX6784.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\RCX70A1.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files\Mozilla Firefox\fonts\1610b97d3ab4a7	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\cc11b995f2a76d	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX5F23.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\services.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX72B5.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\Writers\Application\lsm.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\addins\explorer.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\tracing\Idle.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\Vss\Writers\Application\lsm.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\tracing\Idle.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\tracing\6ccacd8608530f	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\addins\RCX79AD.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\tracing\RCX8096.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\Vss\Writers\Application\101b941d020240	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\addins\7a0fd90576e088	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCX6147.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\addins\RCX79BE.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\tracing\RCX80A6.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File created	C:\Windows\addins\explorer.exe	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCX6148.tmp	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2224	schtasks.exe
2700	schtasks.exe
1840	schtasks.exe
2260	schtasks.exe
2052	schtasks.exe
1556	schtasks.exe
2292	schtasks.exe
2848	schtasks.exe
2744	schtasks.exe
2536	schtasks.exe
2248	schtasks.exe
2392	schtasks.exe
3040	schtasks.exe
1536	schtasks.exe
956	schtasks.exe
2028	schtasks.exe
1408	schtasks.exe
2564	schtasks.exe
572	schtasks.exe
2664	schtasks.exe
2712	schtasks.exe
1652	schtasks.exe
1752	schtasks.exe
2940	schtasks.exe
2024	schtasks.exe
2228	schtasks.exe
340	schtasks.exe
1992	schtasks.exe
1656	schtasks.exe
2108	schtasks.exe
2860	schtasks.exe
2760	schtasks.exe
2200	schtasks.exe
1608	schtasks.exe
1260	schtasks.exe
660	schtasks.exe
900	schtasks.exe
1292	schtasks.exe
3032	schtasks.exe
2996	schtasks.exe
2740	schtasks.exe
1996	schtasks.exe
2688	schtasks.exe
2948	schtasks.exe
2592	schtasks.exe
2104	schtasks.exe
1136	schtasks.exe
2212	schtasks.exe
2168	schtasks.exe
1832	schtasks.exe
2032	schtasks.exe
112	schtasks.exe
1304	schtasks.exe
3060	schtasks.exe
2908	schtasks.exe
2864	schtasks.exe
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
1124	powershell.exe
436	powershell.exe
2820	powershell.exe
2236	powershell.exe
1096	powershell.exe
2844	powershell.exe
2420	powershell.exe
1448	powershell.exe
2712	taskhost.exe
2756	powershell.exe
800	powershell.exe
3032	powershell.exe
1992	powershell.exe
2608	powershell.exe
2376	powershell.exe
2328	powershell.exe
1816	powershell.exe
2888	powershell.exe
2204	powershell.exe
1560	powershell.exe
2536	powershell.exe
436	taskhost.exe
1816	taskhost.exe
972	taskhost.exe
1304	taskhost.exe
1448	taskhost.exe
1572	taskhost.exe
2844	taskhost.exe
1244	taskhost.exe
1000	taskhost.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2712	taskhost.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	436	taskhost.exe
Token: SeDebugPrivilege	1816	taskhost.exe
Token: SeDebugPrivilege	972	taskhost.exe
Token: SeDebugPrivilege	1304	taskhost.exe
Token: SeDebugPrivilege	1448	taskhost.exe
Token: SeDebugPrivilege	1572	taskhost.exe
Token: SeDebugPrivilege	2844	taskhost.exe
Token: SeDebugPrivilege	1244	taskhost.exe
Token: SeDebugPrivilege	1000	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2236	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	87
PID 3008 wrote to memory of 2236	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	87
PID 3008 wrote to memory of 2236	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	87
PID 3008 wrote to memory of 2328	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	88
PID 3008 wrote to memory of 2328	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	88
PID 3008 wrote to memory of 2328	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	88
PID 3008 wrote to memory of 436	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	90
PID 3008 wrote to memory of 436	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	90
PID 3008 wrote to memory of 436	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	90
PID 3008 wrote to memory of 1096	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	91
PID 3008 wrote to memory of 1096	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	91
PID 3008 wrote to memory of 1096	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	91
PID 3008 wrote to memory of 1448	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	92
PID 3008 wrote to memory of 1448	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	92
PID 3008 wrote to memory of 1448	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	92
PID 3008 wrote to memory of 800	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	93
PID 3008 wrote to memory of 800	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	93
PID 3008 wrote to memory of 800	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	93
PID 3008 wrote to memory of 2844	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	95
PID 3008 wrote to memory of 2844	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	95
PID 3008 wrote to memory of 2844	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	95
PID 3008 wrote to memory of 2820	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	96
PID 3008 wrote to memory of 2820	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	96
PID 3008 wrote to memory of 2820	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	96
PID 3008 wrote to memory of 2888	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	97
PID 3008 wrote to memory of 2888	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	97
PID 3008 wrote to memory of 2888	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	97
PID 3008 wrote to memory of 1816	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	98
PID 3008 wrote to memory of 1816	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	98
PID 3008 wrote to memory of 1816	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	98
PID 3008 wrote to memory of 2756	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	99
PID 3008 wrote to memory of 2756	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	99
PID 3008 wrote to memory of 2756	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	99
PID 3008 wrote to memory of 3032	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	100
PID 3008 wrote to memory of 3032	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	100
PID 3008 wrote to memory of 3032	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	100
PID 3008 wrote to memory of 1124	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	101
PID 3008 wrote to memory of 1124	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	101
PID 3008 wrote to memory of 1124	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	101
PID 3008 wrote to memory of 2608	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	102
PID 3008 wrote to memory of 2608	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	102
PID 3008 wrote to memory of 2608	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	102
PID 3008 wrote to memory of 2536	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	103
PID 3008 wrote to memory of 2536	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	103
PID 3008 wrote to memory of 2536	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	103
PID 3008 wrote to memory of 2420	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	104
PID 3008 wrote to memory of 2420	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	104
PID 3008 wrote to memory of 2420	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	104
PID 3008 wrote to memory of 1560	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	105
PID 3008 wrote to memory of 1560	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	105
PID 3008 wrote to memory of 1560	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	105
PID 3008 wrote to memory of 1992	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	106
PID 3008 wrote to memory of 1992	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	106
PID 3008 wrote to memory of 1992	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	106
PID 3008 wrote to memory of 2376	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	107
PID 3008 wrote to memory of 2376	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	107
PID 3008 wrote to memory of 2376	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	107
PID 3008 wrote to memory of 2204	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	108
PID 3008 wrote to memory of 2204	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	108
PID 3008 wrote to memory of 2204	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	108
PID 3008 wrote to memory of 2712	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	127
PID 3008 wrote to memory of 2712	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	127
PID 3008 wrote to memory of 2712	3008	cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe	127
PID 2712 wrote to memory of 2576	2712	taskhost.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe
"C:\Users\Admin\AppData\Local\Temp\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Application Data\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Users\Default\taskhost.exe
  "C:\Users\Default\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a77c3170-141b-4641-b4c4-11f5155c7b10.vbs"
    3⤵
    PID:2576
  - - C:\Users\Default\taskhost.exe
      C:\Users\Default\taskhost.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:436
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fc170de-696b-47aa-9359-7a75fc1bf286.vbs"
        5⤵
        
        PID:2232
      - C:\Users\Default\taskhost.exe
        
        C:\Users\Default\taskhost.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09940daa-0080-450a-957a-3b83ba47d18c.vbs"
        7⤵
        
        PID:2132
        
        C:\Users\Default\taskhost.exe
        
        C:\Users\Default\taskhost.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d84736-3617-4d50-983c-c471c1636f77.vbs"
        9⤵
        
        PID:876
        
        C:\Users\Default\taskhost.exe
        
        C:\Users\Default\taskhost.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd4e1992-398e-4df2-8290-85fd46b98eec.vbs"
        11⤵
        
        PID:1712
        
        C:\Users\Default\taskhost.exe
        
        C:\Users\Default\taskhost.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02684364-b58a-463e-8020-de365314cdd6.vbs"
        13⤵
        
        PID:2284
        
        C:\Users\Default\taskhost.exe
        
        C:\Users\Default\taskhost.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a4bf5be-82b7-40f3-914d-4a32963d97e4.vbs"
        15⤵
        
        PID:3048
        
        C:\Users\Default\taskhost.exe
        
        C:\Users\Default\taskhost.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9cb729d-456e-4c12-89f9-cf8bc97dee05.vbs"
        17⤵
        
        PID:1840
        
        C:\Users\Default\taskhost.exe
        
        C:\Users\Default\taskhost.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\229e9c50-b13b-4b2f-ad13-315f4efa3213.vbs"
        19⤵
        
        PID:2424
        
        C:\Users\Default\taskhost.exe
        
        C:\Users\Default\taskhost.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fed07b93-0c16-4eba-9d05-9d0ca6d32447.vbs"
        21⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adc0f6d8-98ee-403c-b14a-6037a1d99d7d.vbs"
        21⤵
        
        PID:1096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8da0587-9b00-445b-b5d9-07dbb9eeea67.vbs"
        19⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\978caf2f-0650-4b19-b3ef-361f3420cd10.vbs"
        17⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\318440f7-e453-4447-a35a-3501b85f1650.vbs"
        15⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e76d565a-6e11-41f9-bf2e-679a68035405.vbs"
        13⤵
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa212dc5-b211-4217-9c08-4363d6eb6746.vbs"
        11⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\615b5155-e6c4-47d6-9d73-3a787ba874fd.vbs"
        9⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13b1d4d6-bfc8-4dc5-8a65-681d36922f97.vbs"
        7⤵
        
        PID:2296
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8115743d-4667-4ea2-bfb7-f40e48f4b6ad.vbs"
        5⤵
        
        PID:1556
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96098622-6580-4091-8003-c4e0b2da9208.vbs"
    3⤵
    PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Application Data\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCX74D9.tmp

Filesize
1.6MB

MD5
3b87b2e37555fdda3a606759763add43

SHA1
20edf8cf1fdc5e2a97d5b266d2fa99ac1c5a5e8e

SHA256
c48b740d0eca0101ba77272da709e937848870b39bc6fe6044694ed8d0590c1a

SHA512
6e95438b5777e3b2e44477eb2385f2f468c10b69ff0621bae90a44feee31cf7b911dcc7a61e2afa1267e223dfb9442469f5933b92637b3d4e2180932893922d1

Download Submit
C:\Program Files (x86)\Windows Defender\es-ES\services.exe

Filesize
1.6MB

MD5
897ea9c4d942c8ff6dad7af9d25612b5

SHA1
4e34616e3bc3414cb3d264575f865c4a0f9eefbc

SHA256
cbaee22513b50ab9996a4eb49254d1d6f36faf585e45332e2504efe04ad00ba5

SHA512
0c580b68fec12b9621a6c62b572cf9035c74fe288db14658aa8a3b04f49419ee19036213bf5c1dfa335e37f409fb816bf04d420905880321aeedb7a3fddee35b

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe

Filesize
1.6MB

MD5
a9e2c22229e58b21f8eeb2a16e6fa404

SHA1
33fb87b683e19e3773df889c5bf3982b81eec848

SHA256
3bc9fb7abea353c2a4e040777084fc8d5936bec2daf8bf1f4f3c30e3ca51be03

SHA512
bb9868dbb54a602e030a80756bd5cd16bf328f4b8b4f76c249e6a5b9e6f7202dbb7815b2ac16b926730af7f2186e0ee0f86f4ddd87bcf06a3dcbb7ec50998ae0

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe

Filesize
1.6MB

MD5
4f75f28be9d06540f73a92896f5c3f50

SHA1
a38123b5621bf2d95a4cc4cecbe539fe579e714d

SHA256
c790284f9b6ef941d27cde1737f7ad080edb1b0b21352adede52dbb702da5ab5

SHA512
da1004bbd56a0473190083909b7f8e2cde0393e173136a19c614bcace5186647f597d9e21cab7830751ddaa8f5878e9dc8c822520ca97663332c3f47a37e5157

Download Submit
C:\Users\Admin\AppData\Local\Temp\02684364-b58a-463e-8020-de365314cdd6.vbs

Filesize
705B

MD5
42fe80c73bc1d8b8a51fa4cf7c0bf88b

SHA1
64a63b5a90d96dbb27982572dbda19d4a9af857a

SHA256
06e579282cdedef70118ac4d708cc507db9484f0d67e1c9b3ec6a3c0a9a9b290

SHA512
f97b5ab47f36960b8f7a83f468486f192dce5ea944afa4ff5532e22b7d7c8d8ba53c31811688f325aeac22dabbc71a21d529ff086e637f07aa159afcbf0d6b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\09940daa-0080-450a-957a-3b83ba47d18c.vbs

Filesize
705B

MD5
57601d2ed2a9eec49d08a24a2a40438c

SHA1
2c73474b92a97122f13c6c9779b82195ee22d7ff

SHA256
bc35d70017ef8ffe5c5c29b030ba25ecac14780845fc3cc3014efe970b9fa917

SHA512
c497bda2491e13f890fbad60d9d2f3a43da026b43504558272fdddfad95f31d2e9455659643eae4ff3af05008586de812469c070c6b77e2bb61224d8ba9abe8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fc170de-696b-47aa-9359-7a75fc1bf286.vbs

Filesize
704B

MD5
0857cd9d5c25e2e7d00d3acc79958410

SHA1
213dfe9133e807a0d6209c089f57d974d905f5cd

SHA256
0dd4f5936c30348ba48c0ea3f0cddf7b618fcacd6ac62fec14d522eee2a4f55a

SHA512
af777e848e5d7f11a9b1f618232b0defa3c1ab363f54471b278082fd2ea257dbea6490862d45c5a8c8a51a49c5081e602399413119cf83e1cbadff4ccd61ee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a4bf5be-82b7-40f3-914d-4a32963d97e4.vbs

Filesize
705B

MD5
3fb95032c3324af90b210593ac6f645e

SHA1
b8bb26ac8168409fd63c94db8094745e90a6bd44

SHA256
184b1d7fadcc8cd2b842c276a4827be19eaf21921c568b3fa57e6b94c1d88803

SHA512
c2a895fb49ca5189b532abbe6220a12b626878d8bc291026d5218bd566631217fa3f02db28c3066eacdb88bdf417ed6a330e5f90f6fec3ad7986a4b8c279f729

Download Submit
C:\Users\Admin\AppData\Local\Temp\229e9c50-b13b-4b2f-ad13-315f4efa3213.vbs

Filesize
705B

MD5
c72c6f375ecc5bbd356a43734c3a2a0e

SHA1
6dbb97a8692f1097c5f8cd2593e125ab281d7d87

SHA256
327aa3f9f9d40af5ce89ee5c4eda6fcf47cf1e9f311b4cc9d119e82ee390e9a5

SHA512
94dd2cfba2325bc73bd039dfcd25fd2705d520544e03428c52552d2ce71676766870e8e59b83bd5c426475d1bafcf76c4e752cb1ef8e33ecdd2af226c865ec77

Download Submit
C:\Users\Admin\AppData\Local\Temp\60d84736-3617-4d50-983c-c471c1636f77.vbs

Filesize
704B

MD5
575e867718d0284c96ac5614ffbed5f7

SHA1
753b20cfd5fb30a51c114bdbb5ab6b92154dbb88

SHA256
887abb5f1f6a61fb2e3517498c10923fac4cd6f80f30ede8e1b9cbf056a785af

SHA512
622e0f1ea322e30c9f696b1876e99ea322e736e0819f7313020c772d8e9012753e9165e0c9e6382867f262a1522ee5069c5f83076f0c844f2c75020088634e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\96098622-6580-4091-8003-c4e0b2da9208.vbs

Filesize
481B

MD5
62a032e197e3a0b65987c1ea5ed8eb94

SHA1
440da2e680ccfd60c96ab6a1009ae0addb53fed5

SHA256
2b2363a878a3f74bd653d6b8d887edc211e69b83bc6ec66e06dc219c13bf221b

SHA512
fe18c2f89af492ccb6feba826e992c67070536b58142487df397478e44b4d916cf66b33a30e3327a0a554f88259a0fce61d3a5e7760e0b1c5a70e852fe8f176b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a77c3170-141b-4641-b4c4-11f5155c7b10.vbs

Filesize
705B

MD5
f4452bedeca85da82721f3ab0765a395

SHA1
c679b3579198977fe4bd6a4ed2c0fd7a25949d12

SHA256
7e334b6f9ba2441c3fd81156105be9ca0e67e4c376660e81e051194af6a433cf

SHA512
95aa2108d56416b501b0dcdf7ea4c6027040178942274941b5495a950260b6953de2238886ae576efec81735e035267d0607e998894736486d43672a63412ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9cb729d-456e-4c12-89f9-cf8bc97dee05.vbs

Filesize
705B

MD5
532fbcde6ef2f9d1d2a794963b078157

SHA1
dbb00ae1157fa0e9442e7d0826b9c025d74ef7d9

SHA256
1012068e793fe883393a1f613bfe9809249e93e3bfa4127c656b0b68fae62785

SHA512
00bfb81aba0971b78a70259f4356a2d40277ec7b5d1569af283f750e2fd1a98df16218fff6ccc3b2760cb93afa720d4c3c88f8d28cb3e1cdf6e1ea06f99e50f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd4e1992-398e-4df2-8290-85fd46b98eec.vbs

Filesize
705B

MD5
8354923e1de4aac788023e8dbbd84d5a

SHA1
b4eee7fe0f62b6dec67ebb25fc3464974f41ac5b

SHA256
512485557ef70288e744b7b10e863be704f6240c40597ba802df3c3a80a55cd1

SHA512
35d7d8b8eae62735f6b5803986629f477623a062cada05bf2c9aee7c08870213a24d60f2b97fb92633e12c8b23f3e4f79261ed422a2e3a2da6b121f82bbf53f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fed07b93-0c16-4eba-9d05-9d0ca6d32447.vbs

Filesize
705B

MD5
a76915957698e74ec8284ca48f2f0dd8

SHA1
b0a932d4dc6b7129c6ffdf9421776cebd2af9e74

SHA256
d7bc18c0cb926c372d40ef74684583b555e4db68549ffa25905e4f4baff04f2a

SHA512
320e6db5632540769a55edc5b2c8213fa7d2ba1d857f65f05079d822698c7b977862b700651f775c76f6320b926c0607e37e088c492a638ec56c0e741193160d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\15SXDCW02SRVOAQRV1DZ.temp

Filesize
7KB

MD5
fd80efce7709214929c22ab5ce334790

SHA1
1b759d3f55b174d3fb465534ee5526a93c95c802

SHA256
0203cd812a335cb31fdf75edf8929c54db662b4fb2af4b9ce35a2b3202529bb6

SHA512
b75606fd1d4419cb0096c48d458b5022073c7ea02478262e566b863f06210ce2310aaec90540d60ddca0f55a089be3d6d659e75096e671c11e2efb9b60690b7a

Download Submit
memory/972-417-0x0000000000140000-0x00000000002E2000-memory.dmp

Filesize
1.6MB

Download
memory/1000-488-0x0000000000310000-0x00000000004B2000-memory.dmp

Filesize
1.6MB

Download
memory/1124-313-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1244-476-0x00000000011F0000-0x0000000001392000-memory.dmp

Filesize
1.6MB

Download
memory/1304-429-0x0000000001070000-0x0000000001212000-memory.dmp

Filesize
1.6MB

Download
memory/1448-441-0x00000000001D0000-0x0000000000372000-memory.dmp

Filesize
1.6MB

Download
memory/1572-453-0x0000000001150000-0x00000000012F2000-memory.dmp

Filesize
1.6MB

Download
memory/1816-405-0x0000000000C30000-0x0000000000DD2000-memory.dmp

Filesize
1.6MB

Download
memory/2712-312-0x0000000000B50000-0x0000000000CF2000-memory.dmp

Filesize
1.6MB

Download
memory/2820-293-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/3008-14-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/3008-13-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/3008-12-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/3008-10-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/3008-9-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/3008-16-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/3008-8-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/3008-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/3008-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3008-314-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-7-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/3008-15-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/3008-5-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/3008-11-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/3008-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/3008-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/3008-156-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-108-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/3008-1-0x0000000001210000-0x00000000013B2000-memory.dmp

Filesize
1.6MB

Download