dcrat | 5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Size

1.6MB
MD5

43460cdfde5083d6f692f08813ef6dd1
SHA1

55756e184df04ffe1c502a40f8f859de16d19003
SHA256

33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b
SHA512

23dc4dc7bfa6f60da960b314c940e3e17e15e5719d5453a5ad1ca6f2c7f034357ad71a1a3a46b16b508076af878d7972c2d24cc3a6a7721a12bd851ff63c6e66
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2572	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2572	schtasks.exe	30

DCRat payload 19 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2236-1-0x0000000000A00000-0x0000000000BA2000-memory.dmp	dcrat
behavioral11/files/0x000500000001a4bd-25.dat	dcrat
behavioral11/files/0x000600000001c8b3-70.dat	dcrat
behavioral11/files/0x000700000001a4af-81.dat	dcrat
behavioral11/files/0x000700000001a4b3-92.dat	dcrat
behavioral11/files/0x000700000001a4bd-185.dat	dcrat
behavioral11/memory/2528-297-0x0000000000A80000-0x0000000000C22000-memory.dmp	dcrat
behavioral11/memory/992-309-0x0000000000BE0000-0x0000000000D82000-memory.dmp	dcrat
behavioral11/memory/1052-321-0x0000000000EA0000-0x0000000001042000-memory.dmp	dcrat
behavioral11/memory/2864-333-0x0000000001190000-0x0000000001332000-memory.dmp	dcrat
behavioral11/memory/2928-345-0x0000000000300000-0x00000000004A2000-memory.dmp	dcrat
behavioral11/memory/888-357-0x0000000001220000-0x00000000013C2000-memory.dmp	dcrat
behavioral11/memory/1272-369-0x00000000002E0000-0x0000000000482000-memory.dmp	dcrat
behavioral11/memory/912-381-0x00000000002D0000-0x0000000000472000-memory.dmp	dcrat
behavioral11/memory/2892-393-0x0000000000010000-0x00000000001B2000-memory.dmp	dcrat
behavioral11/memory/824-405-0x0000000000260000-0x0000000000402000-memory.dmp	dcrat
behavioral11/memory/2780-417-0x0000000001060000-0x0000000001202000-memory.dmp	dcrat
behavioral11/memory/1520-440-0x0000000000240000-0x00000000003E2000-memory.dmp	dcrat
behavioral11/memory/928-449-0x0000000000C40000-0x0000000000DE2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2436	powershell.exe
2068	powershell.exe
3028	powershell.exe
2116	powershell.exe
1876	powershell.exe
912	powershell.exe
2588	powershell.exe
2984	powershell.exe
2168	powershell.exe
1340	powershell.exe
696	powershell.exe
2344	powershell.exe
2920	powershell.exe
688	powershell.exe
468	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2528	lsass.exe
992	lsass.exe
1052	lsass.exe
2864	lsass.exe
2928	lsass.exe
888	lsass.exe
1272	lsass.exe
912	lsass.exe
2892	lsass.exe
824	lsass.exe
2780	lsass.exe
932	lsass.exe
1520	lsass.exe
928	lsass.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\ja-JP\Idle.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Uninstall Information\69ddcba757bf72	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Google\CrashReports\lsm.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX54AE.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCX56C3.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files\Windows Defender\es-ES\audiodg.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX51CE.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX523C.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX5440.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Internet Explorer\images\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files\Internet Explorer\images\3ac35a0c4843f0	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX5934.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\smss.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\lsm.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Uninstall Information\smss.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\Idle.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX5F42.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f3b6ecef712a24	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files\Windows Defender\es-ES\42af1c969fbb7b	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX4D57.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX5F43.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX6148.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\6ccacd8608530f	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX4D58.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\audiodg.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCX5935.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files\Internet Explorer\images\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Google\CrashReports\101b941d020240	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files\Windows Sidebar\ja-JP\RCX56C2.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX6147.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\lsass.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Windows\ModemLogs\6203df4a6bafc7	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Windows\ModemLogs\RCX6A35.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Windows\ModemLogs\RCX6A36.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Windows\ModemLogs\lsass.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1844	schtasks.exe
1320	schtasks.exe
2112	schtasks.exe
1616	schtasks.exe
1272	schtasks.exe
1572	schtasks.exe
1652	schtasks.exe
1148	schtasks.exe
2184	schtasks.exe
1692	schtasks.exe
1368	schtasks.exe
1812	schtasks.exe
3020	schtasks.exe
2536	schtasks.exe
2188	schtasks.exe
1796	schtasks.exe
2220	schtasks.exe
2380	schtasks.exe
2012	schtasks.exe
2080	schtasks.exe
1864	schtasks.exe
2568	schtasks.exe
2884	schtasks.exe
2724	schtasks.exe
292	schtasks.exe
580	schtasks.exe
3044	schtasks.exe
2972	schtasks.exe
2648	schtasks.exe
2156	schtasks.exe
3000	schtasks.exe
2628	schtasks.exe
1268	schtasks.exe
2440	schtasks.exe
2036	schtasks.exe
2552	schtasks.exe
3028	schtasks.exe
1944	schtasks.exe
2276	schtasks.exe
316	schtasks.exe
2904	schtasks.exe
1076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
1876	powershell.exe
688	powershell.exe
2168	powershell.exe
1340	powershell.exe
2116	powershell.exe
2344	powershell.exe
2984	powershell.exe
696	powershell.exe
2436	powershell.exe
2068	powershell.exe
2588	powershell.exe
2920	powershell.exe
912	powershell.exe
3028	powershell.exe
468	powershell.exe
2528	lsass.exe
992	lsass.exe
1052	lsass.exe
2864	lsass.exe
2928	lsass.exe
888	lsass.exe
1272	lsass.exe
912	lsass.exe
2892	lsass.exe
824	lsass.exe
2780	lsass.exe
932	lsass.exe
1520	lsass.exe
928	lsass.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	2528	lsass.exe
Token: SeDebugPrivilege	992	lsass.exe
Token: SeDebugPrivilege	1052	lsass.exe
Token: SeDebugPrivilege	2864	lsass.exe
Token: SeDebugPrivilege	2928	lsass.exe
Token: SeDebugPrivilege	888	lsass.exe
Token: SeDebugPrivilege	1272	lsass.exe
Token: SeDebugPrivilege	912	lsass.exe
Token: SeDebugPrivilege	2892	lsass.exe
Token: SeDebugPrivilege	824	lsass.exe
Token: SeDebugPrivilege	2780	lsass.exe
Token: SeDebugPrivilege	932	lsass.exe
Token: SeDebugPrivilege	1520	lsass.exe
Token: SeDebugPrivilege	928	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2344	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	73
PID 2236 wrote to memory of 2344	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	73
PID 2236 wrote to memory of 2344	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	73
PID 2236 wrote to memory of 2920	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	74
PID 2236 wrote to memory of 2920	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	74
PID 2236 wrote to memory of 2920	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	74
PID 2236 wrote to memory of 3028	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	75
PID 2236 wrote to memory of 3028	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	75
PID 2236 wrote to memory of 3028	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	75
PID 2236 wrote to memory of 688	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	77
PID 2236 wrote to memory of 688	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	77
PID 2236 wrote to memory of 688	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	77
PID 2236 wrote to memory of 2116	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	78
PID 2236 wrote to memory of 2116	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	78
PID 2236 wrote to memory of 2116	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	78
PID 2236 wrote to memory of 2984	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	79
PID 2236 wrote to memory of 2984	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	79
PID 2236 wrote to memory of 2984	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	79
PID 2236 wrote to memory of 468	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	80
PID 2236 wrote to memory of 468	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	80
PID 2236 wrote to memory of 468	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	80
PID 2236 wrote to memory of 2168	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	81
PID 2236 wrote to memory of 2168	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	81
PID 2236 wrote to memory of 2168	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	81
PID 2236 wrote to memory of 1340	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	82
PID 2236 wrote to memory of 1340	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	82
PID 2236 wrote to memory of 1340	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	82
PID 2236 wrote to memory of 1876	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	83
PID 2236 wrote to memory of 1876	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	83
PID 2236 wrote to memory of 1876	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	83
PID 2236 wrote to memory of 2436	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	84
PID 2236 wrote to memory of 2436	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	84
PID 2236 wrote to memory of 2436	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	84
PID 2236 wrote to memory of 2068	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	85
PID 2236 wrote to memory of 2068	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	85
PID 2236 wrote to memory of 2068	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	85
PID 2236 wrote to memory of 912	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	86
PID 2236 wrote to memory of 912	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	86
PID 2236 wrote to memory of 912	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	86
PID 2236 wrote to memory of 696	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	87
PID 2236 wrote to memory of 696	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	87
PID 2236 wrote to memory of 696	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	87
PID 2236 wrote to memory of 2588	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	88
PID 2236 wrote to memory of 2588	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	88
PID 2236 wrote to memory of 2588	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	88
PID 2236 wrote to memory of 2528	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	103
PID 2236 wrote to memory of 2528	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	103
PID 2236 wrote to memory of 2528	2236	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	103
PID 2528 wrote to memory of 1784	2528	lsass.exe	104
PID 2528 wrote to memory of 1784	2528	lsass.exe	104
PID 2528 wrote to memory of 1784	2528	lsass.exe	104
PID 2528 wrote to memory of 3060	2528	lsass.exe	105
PID 2528 wrote to memory of 3060	2528	lsass.exe	105
PID 2528 wrote to memory of 3060	2528	lsass.exe	105
PID 1784 wrote to memory of 992	1784	WScript.exe	106
PID 1784 wrote to memory of 992	1784	WScript.exe	106
PID 1784 wrote to memory of 992	1784	WScript.exe	106
PID 992 wrote to memory of 3052	992	lsass.exe	107
PID 992 wrote to memory of 3052	992	lsass.exe	107
PID 992 wrote to memory of 3052	992	lsass.exe	107
PID 992 wrote to memory of 2360	992	lsass.exe	108
PID 992 wrote to memory of 2360	992	lsass.exe	108
PID 992 wrote to memory of 2360	992	lsass.exe	108
PID 3052 wrote to memory of 1052	3052	WScript.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
"C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\ModemLogs\lsass.exe
  "C:\Windows\ModemLogs\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07cdadeb-d84e-420e-93ef-0ca399b941f7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\ModemLogs\lsass.exe
      C:\Windows\ModemLogs\lsass.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e39da85-ab5b-43a8-807b-b6a578afdebe.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\661765f9-7895-4d99-bfc0-187298f61a00.vbs"
        7⤵
        
        PID:2552
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01d97db-ddc8-49ea-b3bf-ed05752067bf.vbs"
        9⤵
        
        PID:1960
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f911faa6-331e-495c-9bf6-856b908b1d6f.vbs"
        11⤵
        
        PID:2304
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7267db-55cd-4dcf-977f-4b309840ca3c.vbs"
        13⤵
        
        PID:2064
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9f4d59e-dbad-4dd1-97c8-29b8518cdabf.vbs"
        15⤵
        
        PID:3052
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0e296a2-778d-4050-b557-dca9d41892aa.vbs"
        17⤵
        
        PID:1728
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52bf112e-cc90-4173-8493-21ce4d0f9cf3.vbs"
        19⤵
        
        PID:560
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7860ce80-043e-434e-b80b-7c96218a046e.vbs"
        21⤵
        
        PID:1492
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\997aa4f2-dc10-4530-ba16-6fee0e1030f2.vbs"
        23⤵
        
        PID:2248
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5359ac96-3567-48ac-afa9-749bd70b2db7.vbs"
        25⤵
        
        PID:2756
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31b988be-c4d6-4b0e-881d-c738c0b7e834.vbs"
        27⤵
        
        PID:2772
        
        C:\Windows\ModemLogs\lsass.exe
        
        C:\Windows\ModemLogs\lsass.exe
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1f83d0b-98ea-4407-b5cf-16028d2b25dc.vbs"
        29⤵
        
        PID:320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa3eb72c-e378-4eb3-bc35-1975a80af911.vbs"
        29⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51c445c4-4431-4613-9816-63d53d8703fc.vbs"
        27⤵
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa35f81-a764-4144-9134-16263e7866bd.vbs"
        25⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\109aa8ba-e716-4172-bf02-6d7729a0d09b.vbs"
        23⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78218ac2-563e-45e7-af87-8914f2b53ae1.vbs"
        21⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\562d27f8-88ad-47b6-aab6-1fc8142254b5.vbs"
        19⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\298e8530-441e-47b9-9590-b11f6715ebab.vbs"
        17⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f1efd7e-e993-49d1-abb5-ca41cbe2548a.vbs"
        15⤵
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7a0b6dc-cd33-451d-9888-74d7a8ef91a6.vbs"
        13⤵
        
        PID:292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8dad051-e942-472c-8e35-a167e867d1ad.vbs"
        11⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7de8751-5486-4f09-ba8c-f7e49a544e79.vbs"
        9⤵
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2722f2c9-d9ba-4de9-b69d-1539e68f4e6e.vbs"
        7⤵
        
        PID:1928
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00ea24ef-da88-4be1-b9d8-5c26735dd61a.vbs"
        5⤵
        
        PID:2360
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78ed9ee4-7cff-4879-a0bf-97ae143a3e10.vbs"
    3⤵
    PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b3" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b3" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ModemLogs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe

Filesize
1.6MB

MD5
f367ff7d7b627d63e73cec205dc83745

SHA1
937a9ff01a0e41784137303c27083dcf2051a4e6

SHA256
9fa7790c9d1c02ba7f7475031c2b6e93c3681865df88fa1cf261d02e8cf53f29

SHA512
628bd9f8541cb4f6f384c421eadb16fa9ccfa751459721d8b532cfcf003441c346b1bb5457b9bc4ee5a7c3eb5eae919ce5fe017ea7fc43350902ac4ee76ca086

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
1.6MB

MD5
cbf427e6d795d6c1c55056d203485b15

SHA1
026e2e135f2bc5fde70a1c2745c49fe55d88b8a5

SHA256
94ee35a329ad3d3787aa81c8fd236f443815893ea6a564bdeb45b9c21220da14

SHA512
2981d6816b33ccd05440bd7530c6cd5b09b030af813a70b225bf94229647f7a4967aae376b1d40744ad3e1f9bb24c85b8a7980d6861e5df054b91f6df861ef4e

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe

Filesize
1.6MB

MD5
f93399e4ad01a226c998e1f6a628632a

SHA1
133df3de49ed7dc4857280165adc9b03b76e7f7c

SHA256
ca90c478ef9acdaa44b672bb988716e9b893090fc32ffb000a18ec2d229a1b50

SHA512
c791d1c74813c7142f86e5ae40ffe5f1243eb24fc8a7e2d7e469580b9f017a36fcfc912bfeef869942ae3030a1aca23b3922d43331a92948bc2fd76a91daf5a4

Download Submit
C:\Program Files\Windows Defender\es-ES\audiodg.exe

Filesize
1.6MB

MD5
a50ab6759d9feb89fa3fe4c9f82a68de

SHA1
4d8768d0669eef110c5454a5b34280be99be6c24

SHA256
7dcf5cf2bbaafe6f21d6dd75ab75218526a6975a360f01ad8b4c50a5579c3dc8

SHA512
faa9319dc54fb2da6cc19b296b789432a5a48a9cd1239984d30b00c7ebc4390765201952981a0ed1884fa8ce18a6d2e0db24ea87a6691163222b5a1c0a81daa3

Download Submit
C:\Program Files\Windows Sidebar\ja-JP\Idle.exe

Filesize
1.6MB

MD5
43460cdfde5083d6f692f08813ef6dd1

SHA1
55756e184df04ffe1c502a40f8f859de16d19003

SHA256
33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b

SHA512
23dc4dc7bfa6f60da960b314c940e3e17e15e5719d5453a5ad1ca6f2c7f034357ad71a1a3a46b16b508076af878d7972c2d24cc3a6a7721a12bd851ff63c6e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\07cdadeb-d84e-420e-93ef-0ca399b941f7.vbs

Filesize
706B

MD5
3e0c05a01b7e06a9f55d339f2c5be7f3

SHA1
5e98032038e9ecd13b1afbd9ed1d77fe0c2c271f

SHA256
d3667fa9b814f9b966cd20a5c8e3a10d9a25690ceef3007e261a9d68b7f6be00

SHA512
b7dae7f10bfdb476eb5cf9bb46a8f74be472a30bc3d75f615bff5082ae89a35230839415b8e316bc443bcd3a3bdaf7ec530c3503d9fd00c338e235f605e13353

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a7267db-55cd-4dcf-977f-4b309840ca3c.vbs

Filesize
705B

MD5
3f1aac07d1fe086e186b3a597473680b

SHA1
aca38c0391cc559f91219a40ce0e2fffd0aeb714

SHA256
e285019b2762bbbc120c6339ecd0e8524c508c2c58e0f48b683c15e8d0f37154

SHA512
3597f4377d8bb7277ff8df9520550e632bd90f3b3bdca36ab95eb529025edf2268b1de097e3a008109a249780b92c24f4e3b7274ad9b3af9b564e45ccd570e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\52bf112e-cc90-4173-8493-21ce4d0f9cf3.vbs

Filesize
706B

MD5
5f725c524ee6c990650e416d298d93fc

SHA1
00f82c0afff6d6a5ca647673477b588d1a321b30

SHA256
0b3273ca694836df2c792357c1ac4f8d734e1071ca1c3eff2213178b3a8bcae3

SHA512
abb6605449b41a186548eb80ac689575d3cc485ee73c11ee03385ca48544175c2e98f9d6b1b949f8363062aaf0b7f72025ed1b6906d79980e4ff39b142cef1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5359ac96-3567-48ac-afa9-749bd70b2db7.vbs

Filesize
705B

MD5
ad9489e32d2e23f8934542b0e94fd049

SHA1
16c48842fe7fbe2e94c3de7bfe795466169ae506

SHA256
392ebaeda1b1d857d32f5a6d85af119b671d8bb545c3d5bcb39cf559715d4028

SHA512
a9853ec3e840e050c11183bb8d43756361b3565cd73e6004ae5ba04c934b99f3be5bbf3a395d5a7e350ea232ab56af8c58cc3f6133e094733a6b71d4bf82ed79

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e39da85-ab5b-43a8-807b-b6a578afdebe.vbs

Filesize
705B

MD5
e8c13267bea90cd1aa95e5880c53b65e

SHA1
26dbf5bcf3ec47f9b1d2ebd0d8cf6de8576821b7

SHA256
0a345c46f98e9d390197cd646077618419009b22587e77e638f9b4d86b0c0e62

SHA512
1331ac31de48723e772c57642abe89a7bba57b7d47fa2dda59a8faad75ce8f7418c3d244152dc93218bee04227d79ca93b999857a18ac51bc3fd8524b8c7cf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\661765f9-7895-4d99-bfc0-187298f61a00.vbs

Filesize
706B

MD5
eb706cb157bab78d3adec2febb345d58

SHA1
e4cb80b5ecf24e2734129a0fc0c4e8caa38593dd

SHA256
067cdea51efe265e0324ef1db0dbb40988eac1f5326a9f0a1398342c53226d9c

SHA512
c0c45441ad8c448a4fdc88a7fb942da9411135d0e6cbbf3107f8c54db397a25fde0c82622dcba0dcb65f9e12077165daaebd475169ea17cc42f4e273f90c6a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7860ce80-043e-434e-b80b-7c96218a046e.vbs

Filesize
705B

MD5
20cec5f8e3bd4d2796b448c6bd650df9

SHA1
826d40c8507259ddf2569192d738852936c54b1e

SHA256
587637bc12c50f1d6ed3ef3d2210590309da91198955ecd22e2027f8e4241f65

SHA512
cdaa9f4b7f848f69495805eeb19708bc7ae467acc8aea94e6da878f599a3b13d5e125eedfa0e05f372358289c6106f4a007a494a78625ba8fb327017063ce7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\78ed9ee4-7cff-4879-a0bf-97ae143a3e10.vbs

Filesize
482B

MD5
0b81bb4a3d5bc2ac9b91da75126d3f7f

SHA1
3e2aec1bd8432dd0852c8558d99226511e9ed907

SHA256
686348ff9e9ef463f481edda664430fe8358b9f368f319a378454d74dd9876d8

SHA512
1fe7f12d352ee7e155e8f7d835d3c7a9316745dd6927809a8c93f0ee5766f9079112593133dd467c43ff9a915b1537ba0bbb5b7fccba185fc2abaa8317d0dda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\997aa4f2-dc10-4530-ba16-6fee0e1030f2.vbs

Filesize
706B

MD5
35e66fadebfff78f76e2bfc01a8dccc8

SHA1
968d71622087835fc6101000b9ad32ddaf7a5f58

SHA256
fba474c37bd4657622c6c7c371a4569072695bac473d55e0241fac85fb97d896

SHA512
b73ba5335eb4570d66c226074448684fa148422526bda3e6da8264f793aa4fc1ce8fa7db09bebe7f279016b3315a35d99c3ee585ff851a2d9312ec7fcb9f31a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b01d97db-ddc8-49ea-b3bf-ed05752067bf.vbs

Filesize
706B

MD5
b2810cc7510a3448a68126cc23ed5694

SHA1
e449e848948fc2ab8da5d3906af74e47cfb14d65

SHA256
b16267bc16adc4bb6b972487e0b8529dc5f2d05cc91f9819c96cb8c7149778da

SHA512
d7603f1150185798b0ee1abfd8ecf27458424213a19a0a18148bd9e06b7419daabd6cdcc36b14db9ee9feb0e1778bccccf85fc01fe55b6eb28e1dbb132e0b75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0e296a2-778d-4050-b557-dca9d41892aa.vbs

Filesize
705B

MD5
689925925db641e616f82fece69026a9

SHA1
a9836ff72dde2e68c4deacbb5b3d8ca40d625875

SHA256
dcfa24881f8ca02f595d0923f0cbe78b89c01248c46e086f6dae1ec8b607b286

SHA512
be6ae17c4bd017f4299ae62130dc3bec1768fb8e5cf274510e171b4bc40bdd61b20314a558b05ba95348a113b857a99b5a21a6064b2b1b1113ea930a2e0e3204

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9f4d59e-dbad-4dd1-97c8-29b8518cdabf.vbs

Filesize
706B

MD5
23de1808a6a15dc5ab58c6a461d43b6e

SHA1
4399ca1e507458fefcbe39ba5d54648c3038fc90

SHA256
b36054a8b87264b43c060c11eeea6bcf9486afbc8e5afc3a9a75fab5fc6eed3c

SHA512
5ad428ce315cfc30b21c4e5567e36b9797f73f01dbdc893371ae11e23a4af1c800ad0b73d017e5436ffaa0a419fe8d3d583e6929fb23b3b283cdaa4deab14cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\f911faa6-331e-495c-9bf6-856b908b1d6f.vbs

Filesize
706B

MD5
66ea08d28b6eb15d531ad57038c3daf2

SHA1
8193d6e84828d49742c9cb0df26584aa435492a3

SHA256
39b1f18012f58dba4c178b240bafc80adf2b975bdb8ff41741c99a5c6e804bf3

SHA512
e3ffb386b4c1ab74c1c22ebed68832d5bee76d8f21a09e0ea19fce371000f0428138c1a60f464cd1a02dbd7fd7b6a9e2e28f7d93803b8d0823a1904d0224bec0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
90c8f5142904721e52e22eb7079f3eb7

SHA1
70183d9746e35db683f5c52e395138f497098332

SHA256
e497e0c45ad8495372a03c01826971e43a7106b9c00dedb6efe4830c2705c0a3

SHA512
86efcc618085138332b54c8d7b8b0a4b39e70a8db9e3ba8978b456f21b4004933aa289e05f12f9db7bb18f033192b0eb506d0579ea213c97eb5a58e2fc1c5403

Download Submit
memory/688-255-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/824-405-0x0000000000260000-0x0000000000402000-memory.dmp

Filesize
1.6MB

Download
memory/888-357-0x0000000001220000-0x00000000013C2000-memory.dmp

Filesize
1.6MB

Download
memory/912-381-0x00000000002D0000-0x0000000000472000-memory.dmp

Filesize
1.6MB

Download
memory/928-449-0x0000000000C40000-0x0000000000DE2000-memory.dmp

Filesize
1.6MB

Download
memory/992-309-0x0000000000BE0000-0x0000000000D82000-memory.dmp

Filesize
1.6MB

Download
memory/1052-321-0x0000000000EA0000-0x0000000001042000-memory.dmp

Filesize
1.6MB

Download
memory/1272-369-0x00000000002E0000-0x0000000000482000-memory.dmp

Filesize
1.6MB

Download
memory/1520-440-0x0000000000240000-0x00000000003E2000-memory.dmp

Filesize
1.6MB

Download
memory/1876-260-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2236-15-0x000000001A890000-0x000000001A89A000-memory.dmp

Filesize
40KB

Download
memory/2236-10-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2236-1-0x0000000000A00000-0x0000000000BA2000-memory.dmp

Filesize
1.6MB

Download
memory/2236-281-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-212-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/2236-16-0x000000001AC70000-0x000000001AC7C000-memory.dmp

Filesize
48KB

Download
memory/2236-2-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-13-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/2236-3-0x00000000005C0000-0x00000000005DC000-memory.dmp

Filesize
112KB

Download
memory/2236-14-0x000000001A880000-0x000000001A888000-memory.dmp

Filesize
32KB

Download
memory/2236-0-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/2236-11-0x0000000002160000-0x000000000216A000-memory.dmp

Filesize
40KB

Download
memory/2236-12-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/2236-298-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2236-9-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/2236-8-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/2236-4-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2236-6-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2236-7-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/2236-5-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2528-297-0x0000000000A80000-0x0000000000C22000-memory.dmp

Filesize
1.6MB

Download
memory/2780-417-0x0000000001060000-0x0000000001202000-memory.dmp

Filesize
1.6MB

Download
memory/2864-333-0x0000000001190000-0x0000000001332000-memory.dmp

Filesize
1.6MB

Download
memory/2892-393-0x0000000000010000-0x00000000001B2000-memory.dmp

Filesize
1.6MB

Download
memory/2928-345-0x0000000000300000-0x00000000004A2000-memory.dmp

Filesize
1.6MB

Download