dcrat | 545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
148s
max time network
157s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
Size

1.6MB
MD5

c86673bf3955f4820c9d706e1724c4ac
SHA1

73a227f97cfe0ecd848e57cbf9d026b34ac9c6bf
SHA256

682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27
SHA512

9010711d04d87d92cdfed6f1dc56d022fc9d5529b45443dcf9ad3fc0040a3e1695784525d81f5617b78bb7472c4293a1cc9599b388d1c5c9dc23d6b8b191b0f9
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2204-1-0x0000000001170000-0x0000000001312000-memory.dmp	dcrat
behavioral11/files/0x000600000001a4c6-75.dat	dcrat
behavioral11/files/0x000500000001a4d4-25.dat	dcrat
behavioral11/files/0x000600000001a4d4-118.dat	dcrat
behavioral11/files/0x000a00000001a4da-155.dat	dcrat
behavioral11/files/0x000a00000001a4ed-164.dat	dcrat
behavioral11/files/0x000600000001a4f6-188.dat	dcrat
behavioral11/files/0x000900000001a4f8-212.dat	dcrat
behavioral11/memory/1464-333-0x0000000000E30000-0x0000000000FD2000-memory.dmp	dcrat
behavioral11/memory/648-344-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat
behavioral11/memory/2860-356-0x0000000000D00000-0x0000000000EA2000-memory.dmp	dcrat
behavioral11/memory/340-368-0x00000000011B0000-0x0000000001352000-memory.dmp	dcrat
behavioral11/memory/1628-380-0x00000000001B0000-0x0000000000352000-memory.dmp	dcrat
behavioral11/memory/1752-392-0x0000000000DC0000-0x0000000000F62000-memory.dmp	dcrat
behavioral11/memory/1588-415-0x0000000000EE0000-0x0000000001082000-memory.dmp	dcrat
behavioral11/memory/3044-449-0x00000000002F0000-0x0000000000492000-memory.dmp	dcrat
behavioral11/memory/1148-461-0x0000000000C70000-0x0000000000E12000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe
836	powershell.exe
2900	powershell.exe
3000	powershell.exe
1648	powershell.exe
564	powershell.exe
1256	powershell.exe
1708	powershell.exe
2304	powershell.exe
2980	powershell.exe
2612	powershell.exe
2104	powershell.exe
1772	powershell.exe
2136	powershell.exe
1072	powershell.exe
1608	powershell.exe
948	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1464	csrss.exe
648	csrss.exe
2860	csrss.exe
340	csrss.exe
1628	csrss.exe
1752	csrss.exe
2272	csrss.exe
1588	csrss.exe
1328	csrss.exe
2988	csrss.exe
3044	csrss.exe
1148	csrss.exe
2312	csrss.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\42af1c969fbb7b	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\e2a09d12b3b848	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\27d1bcfc3c54e0	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXE621.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXE622.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXF58A.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXFF53.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXF5F8.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXFADC.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\System.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\System.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXFA6E.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXFEE5.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\c5b4cb5e9653cc	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\CSC\RCXEF0F.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\CSC\WMIADAP.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\ja-JP\RCXF114.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\ja-JP\WmiPrvSE.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\ja-JP\WmiPrvSE.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\ja-JP\24dbde2999530e	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\AppCompat\Programs\taskhost.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\CSC\RCXEF0E.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\es-ES\RCXF318.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\es-ES\WmiPrvSE.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\Offline Web Pages\services.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXEA2A.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXEA2B.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\es-ES\RCXF386.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXFCE0.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Offline Web Pages\services.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\AppCompat\Programs\b75386f1303e64	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\CSC\WMIADAP.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\CSC\75a57c1bdf437c	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\es-ES\WmiPrvSE.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\ja-JP\RCXF113.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXFCE1.tmp	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\AppCompat\Programs\taskhost.exe	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
File created	C:\Windows\es-ES\24dbde2999530e	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1660	schtasks.exe
2668	schtasks.exe
1736	schtasks.exe
2108	schtasks.exe
1528	schtasks.exe
600	schtasks.exe
2212	schtasks.exe
2288	schtasks.exe
852	schtasks.exe
676	schtasks.exe
2144	schtasks.exe
2524	schtasks.exe
1428	schtasks.exe
2748	schtasks.exe
1904	schtasks.exe
2620	schtasks.exe
2592	schtasks.exe
2076	schtasks.exe
2268	schtasks.exe
2744	schtasks.exe
2720	schtasks.exe
2948	schtasks.exe
1688	schtasks.exe
1692	schtasks.exe
1632	schtasks.exe
1668	schtasks.exe
2104	schtasks.exe
2964	schtasks.exe
2940	schtasks.exe
2284	schtasks.exe
2680	schtasks.exe
2904	schtasks.exe
2684	schtasks.exe
2816	schtasks.exe
1336	schtasks.exe
568	schtasks.exe
2180	schtasks.exe
2116	schtasks.exe
2820	schtasks.exe
2572	schtasks.exe
1676	schtasks.exe
1608	schtasks.exe
2664	schtasks.exe
528	schtasks.exe
2656	schtasks.exe
2636	schtasks.exe
2128	schtasks.exe
540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
2612	powershell.exe
2104	powershell.exe
1256	powershell.exe
2136	powershell.exe
3000	powershell.exe
1216	powershell.exe
564	powershell.exe
2900	powershell.exe
1072	powershell.exe
836	powershell.exe
1648	powershell.exe
948	powershell.exe
2304	powershell.exe
1608	powershell.exe
1772	powershell.exe
2980	powershell.exe
1708	powershell.exe
1464	csrss.exe
648	csrss.exe
2860	csrss.exe
340	csrss.exe
1628	csrss.exe
1752	csrss.exe
2272	csrss.exe
1588	csrss.exe
1328	csrss.exe
2988	csrss.exe
3044	csrss.exe
1148	csrss.exe
2312	csrss.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1464	csrss.exe
Token: SeDebugPrivilege	648	csrss.exe
Token: SeDebugPrivilege	2860	csrss.exe
Token: SeDebugPrivilege	340	csrss.exe
Token: SeDebugPrivilege	1628	csrss.exe
Token: SeDebugPrivilege	1752	csrss.exe
Token: SeDebugPrivilege	2272	csrss.exe
Token: SeDebugPrivilege	1588	csrss.exe
Token: SeDebugPrivilege	1328	csrss.exe
Token: SeDebugPrivilege	2988	csrss.exe
Token: SeDebugPrivilege	3044	csrss.exe
Token: SeDebugPrivilege	1148	csrss.exe
Token: SeDebugPrivilege	2312	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1772	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	80
PID 2204 wrote to memory of 1772	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	80
PID 2204 wrote to memory of 1772	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	80
PID 2204 wrote to memory of 836	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	81
PID 2204 wrote to memory of 836	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	81
PID 2204 wrote to memory of 836	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	81
PID 2204 wrote to memory of 2104	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	82
PID 2204 wrote to memory of 2104	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	82
PID 2204 wrote to memory of 2104	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	82
PID 2204 wrote to memory of 2612	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	83
PID 2204 wrote to memory of 2612	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	83
PID 2204 wrote to memory of 2612	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	83
PID 2204 wrote to memory of 1648	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	85
PID 2204 wrote to memory of 1648	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	85
PID 2204 wrote to memory of 1648	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	85
PID 2204 wrote to memory of 3000	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	86
PID 2204 wrote to memory of 3000	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	86
PID 2204 wrote to memory of 3000	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	86
PID 2204 wrote to memory of 2136	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	88
PID 2204 wrote to memory of 2136	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	88
PID 2204 wrote to memory of 2136	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	88
PID 2204 wrote to memory of 564	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	90
PID 2204 wrote to memory of 564	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	90
PID 2204 wrote to memory of 564	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	90
PID 2204 wrote to memory of 2900	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	91
PID 2204 wrote to memory of 2900	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	91
PID 2204 wrote to memory of 2900	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	91
PID 2204 wrote to memory of 2304	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	93
PID 2204 wrote to memory of 2304	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	93
PID 2204 wrote to memory of 2304	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	93
PID 2204 wrote to memory of 1216	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	94
PID 2204 wrote to memory of 1216	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	94
PID 2204 wrote to memory of 1216	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	94
PID 2204 wrote to memory of 1708	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	95
PID 2204 wrote to memory of 1708	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	95
PID 2204 wrote to memory of 1708	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	95
PID 2204 wrote to memory of 2980	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	96
PID 2204 wrote to memory of 2980	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	96
PID 2204 wrote to memory of 2980	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	96
PID 2204 wrote to memory of 948	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	97
PID 2204 wrote to memory of 948	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	97
PID 2204 wrote to memory of 948	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	97
PID 2204 wrote to memory of 1608	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	98
PID 2204 wrote to memory of 1608	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	98
PID 2204 wrote to memory of 1608	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	98
PID 2204 wrote to memory of 1256	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	99
PID 2204 wrote to memory of 1256	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	99
PID 2204 wrote to memory of 1256	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	99
PID 2204 wrote to memory of 1072	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	100
PID 2204 wrote to memory of 1072	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	100
PID 2204 wrote to memory of 1072	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	100
PID 2204 wrote to memory of 3068	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	114
PID 2204 wrote to memory of 3068	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	114
PID 2204 wrote to memory of 3068	2204	682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe	114
PID 3068 wrote to memory of 2736	3068	cmd.exe	116
PID 3068 wrote to memory of 2736	3068	cmd.exe	116
PID 3068 wrote to memory of 2736	3068	cmd.exe	116
PID 3068 wrote to memory of 1464	3068	cmd.exe	117
PID 3068 wrote to memory of 1464	3068	cmd.exe	117
PID 3068 wrote to memory of 1464	3068	cmd.exe	117
PID 1464 wrote to memory of 2336	1464	csrss.exe	118
PID 1464 wrote to memory of 2336	1464	csrss.exe	118
PID 1464 wrote to memory of 2336	1464	csrss.exe	118
PID 1464 wrote to memory of 2480	1464	csrss.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe
"C:\Users\Admin\AppData\Local\Temp\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CSC\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yKOwmxbhQD.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2736
- - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
    "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c808b902-6c2a-40d1-b372-82e35a6abe8e.vbs"
      4⤵
      PID:2336
    - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2376b2d0-57b2-4481-9fd2-a0e924fbc71d.vbs"
        6⤵
        
        PID:2164
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5bc596a-651f-41a4-809a-81a40232882b.vbs"
        8⤵
        
        PID:2996
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3902c9aa-8022-40ea-97f0-a5770a9f7b21.vbs"
        10⤵
        
        PID:3012
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b58a6616-5503-4063-aa9c-6f479a7e42c9.vbs"
        12⤵
        
        PID:2268
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11dddfd2-3e0a-4d6b-a619-f1f0f41f8fb9.vbs"
        14⤵
        
        PID:2680
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bee0a35-14d2-48f2-9ebc-6e8edfb6bf1f.vbs"
        16⤵
        
        PID:3056
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed739496-d500-47df-bd6e-85c139743555.vbs"
        18⤵
        
        PID:2836
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9155e40-f749-42fe-95fa-92a64a37a526.vbs"
        20⤵
        
        PID:3032
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a427cdf8-44e4-4d41-bebb-721f9552d028.vbs"
        22⤵
        
        PID:2812
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d6edf84-8b45-4ebe-9a1b-d2db34478b99.vbs"
        24⤵
        
        PID:2604
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd69e868-0c7d-4359-8d75-188c971ec5eb.vbs"
        26⤵
        
        PID:1704
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54f58d88-7b33-4224-afdf-2887d6f32de6.vbs"
        28⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bffc61a-2220-431a-8ad3-e0bc53ad87f9.vbs"
        28⤵
        
        PID:944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50ad51d3-10c0-4862-bd53-5928b6ea6887.vbs"
        26⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cad6d44f-0b42-42b5-a2a0-59713c2149b3.vbs"
        24⤵
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8c9822-eced-4435-bb0d-270b0313e5b1.vbs"
        22⤵
        
        PID:648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967b7b21-40b7-4fdd-9b87-d1287050fe8d.vbs"
        20⤵
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4beac725-44c5-460f-aed4-3d16de8d2f90.vbs"
        18⤵
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91cd7382-9499-4514-8c72-7fd7a1f38ba5.vbs"
        16⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23a622b5-39fd-4aaa-a3b2-81046db0efc3.vbs"
        14⤵
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbb83adc-a6bf-4e80-a414-d4f99a72ec3e.vbs"
        12⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea566add-6398-416d-86ba-976434f20663.vbs"
        10⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12c0aea5-d920-4c6e-8b69-db1b4d4f0214.vbs"
        8⤵
        
        PID:2612
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21e4408f-dde1-47d3-a060-dc75e2fbaaab.vbs"
        6⤵
        
        PID:836
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd23a7f0-f26c-44a3-9351-66272fd0ab4c.vbs"
      4⤵
      PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\WMIADAP.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\CSC\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac276" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac276" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe

Filesize
1.6MB

MD5
73c01f90f26f70f262897ac77ad58824

SHA1
70a9b42993bdd456ff00e6fdb6813ad73e85e0aa

SHA256
863ce0242adf834a9e1c736eb776e9fd410794e8deb0fa3918d949b3bf5e2b03

SHA512
1283204dfdbf5f8a416ed1fe0ba634a78e13297bf4280eeed8f21a1044d458b9a15628a6c3c2c200a97eb6a10977b346f08a71d975a916f0a91f61aabe6c0ccc

Download Submit
C:\Program Files (x86)\Microsoft Sync Framework\System.exe

Filesize
1.6MB

MD5
14610463beb5caca2cded8e2eec2d59f

SHA1
a69ca4dd88ef8cf4e01dcdffc789e22a79a11adc

SHA256
1b7c9c4b59b392dc9d5b960a3143b69f2d7b57dcf72fcfc8240f73cc69bb4e5c

SHA512
7f024ff97353b8028e02bbeed3a8fcec8f125e01548d75faa94bae23cfddb954c4f26781b1b4dfa622685169aad452113f3f4da293a9c0c59b012f1a26cf16aa

Download Submit
C:\Program Files\Microsoft Office\Office14\1033\csrss.exe

Filesize
1.6MB

MD5
0890ac793c4360f992f8685fcd4f649e

SHA1
eb87e993d4053b186fa881ff2e8221cbb54897a4

SHA256
7b73a34bdddd1786dd6950a250978f275d738d72a9d57c1f6ddb97608a25200f

SHA512
b9438f6ceefecaa0649a4659590a7bbb96a4e8a13b5247d9d1c8af28f6aa43c0fff6a25f1d932864394dc9fb15caf613cac9d6138d0953bae12d08bb334ca1b0

Download Submit
C:\ProgramData\RCXE41D.tmp

Filesize
1.6MB

MD5
ffb727373f120d43b159876e41b52014

SHA1
68330860e15ebec0ec5c1957eca15b37a538157d

SHA256
de24bf047dd27a8ec78cab06b9058be43e655ee5df7d445bda05965eee4429e2

SHA512
a0006dbfde4ca19e4ea6a2449d869b7aa66fe340002be892ac36d3fb91646ca3d502c68893dd460e67e7ee8a574c2268706d6dec7e0243d32b538f0dd6bdbb8d

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe

Filesize
1.6MB

MD5
2517e05b4c4c5f080378538319c00e62

SHA1
c821de528d4474c4ed990b110544413af9119caa

SHA256
649d4cb2bf9cd4d45ea0401f04172debe495a624b65be93c63d3275e8b215fb0

SHA512
c5f6ee429da1fe14e07dbaa1ad75e8ed3c76a2d2045e7ee8061e7b1e05d9dca787c0a8f0c463518a39a5e0cf79e1a79956bca01ab3298d44f6fc00599618cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\11dddfd2-3e0a-4d6b-a619-f1f0f41f8fb9.vbs

Filesize
757B

MD5
52921d40aa57c15ba4d1e771431a8913

SHA1
13c6769a49a40f54fe8ec57aa101e9dcc7b584f2

SHA256
70353fc90958173bb7f56acb2ed781dc76ec105c3cefd5219ece9890c235d6c5

SHA512
eaf1c24a862f67d2c9b6e59c6f3857ec6312d248340d26902431339ba7f87dbeffe0e912d4a21b775f673408c1afdf9943fa060b3f4547846792a44910ddddf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bee0a35-14d2-48f2-9ebc-6e8edfb6bf1f.vbs

Filesize
757B

MD5
e739903655017df652b6077b8ed78096

SHA1
36a0242444d7d7f60d54de4f159ceb84cdaadb41

SHA256
a8d025342b3bf3746b3fb03e086b5065c191a20b1107f2a7a548485a87cf878c

SHA512
aea1373b9b34c097c84d53e49f46c9558e1e8eee0b01af52f63d55fa78b27712081c5da26b52cb4031a1ba55e98902ed0756e1ac7f06e9fbbcf08490873f15d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2376b2d0-57b2-4481-9fd2-a0e924fbc71d.vbs

Filesize
756B

MD5
1416c77b96affb5b255ecf724c374759

SHA1
4360b23411050cfd210168b9737ca747160aece4

SHA256
264820a06f2632b16bb02e3bd550b1d96064e000ed2cfb35f0596e884223f631

SHA512
d9648508c629d481b21ac58fa6e1fa69767504b10e35afeb4417943c8582a227563005d78cb30df56916c508016e0cc6641192622b4c0373a6e9202c17c1114f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d6edf84-8b45-4ebe-9a1b-d2db34478b99.vbs

Filesize
757B

MD5
90a5afedc691fc8fcd7463ef021d1b3c

SHA1
058b6e36d23d2e42ab338342430b95d28dc633a5

SHA256
599d2796bbceed0c58b9ddde7b7256b1c372f54ba30cbd2328069a90309a47d8

SHA512
ed9bd1835e9aec7b113fffdd3b71fab8cc6b74ed7c51099ff4a019e697cbac51da0c88acade108f64b71929ef66e643932e25d522d4511671a34cae88a2e0484

Download Submit
C:\Users\Admin\AppData\Local\Temp\3902c9aa-8022-40ea-97f0-a5770a9f7b21.vbs

Filesize
756B

MD5
149ff11556a61cd4040535d37fd714d4

SHA1
65b7cec5d55e448abb264704135e1206ca1e094f

SHA256
6a82473a3216fa2b954f631bc3a14108824b7a7fb229ef36aed58373eff04b4c

SHA512
7b75a0bd9920a6f3c1a3fbe0ee7465369c9e6822a4d4192fe87f21ae58ff76b0d3f52929be90c417c42c029956a8d4d10d6fb2adfe4472afc0b6db27b7fa831e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a427cdf8-44e4-4d41-bebb-721f9552d028.vbs

Filesize
757B

MD5
f73bd03177249b85459172d8e6d1609c

SHA1
75c7b7b282dc22417c75dc34bc99b4b4faa61e5b

SHA256
d0ef25ba99d2f42bd301604565452784ccb6ebc0b129efeda229aceb31ca5f08

SHA512
09e969c359eed34d1a8dcb0674d57c476d375e6f17a55558433121acc7c97ad4f8cd1cc4368d08f377c5f56badadf1073af33178eac3ba2410a6a79f08298019

Download Submit
C:\Users\Admin\AppData\Local\Temp\b58a6616-5503-4063-aa9c-6f479a7e42c9.vbs

Filesize
757B

MD5
ea3d4923ced8405c50afe8680d27f663

SHA1
744b60bb998dd5f17759a6e849227fcbf6b483ea

SHA256
489efdbbb7096f055f14aec030ad915a9a08ad93e3007f7e2f288a21cd76a4aa

SHA512
3a40aaa5f24641d0a5ae171ce44101054c31401ed9225959f8c8ed29bb061b4eb4de1bf2d577241b265157f48a4d8c0e0514bdbfff5db5b1df495acaff7a975e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c808b902-6c2a-40d1-b372-82e35a6abe8e.vbs

Filesize
757B

MD5
09f5b93ec000fbf666110a4965ef8424

SHA1
e0b23736de75a3ce8831623adcf666053c3f3cad

SHA256
90dee29aff005199720339edde33c48005b304511cb9c96f626c8e257ce12c12

SHA512
b7ec1ab7bd962522d3b94032b85d44a2176dadfbf49c8ea0648e268d2df0fe4bd6ae3a1fc282e2c8dad65401f20c0241c20c27f5a04c290ef52d4b8ece63f6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9155e40-f749-42fe-95fa-92a64a37a526.vbs

Filesize
757B

MD5
aa57b2874d16c4ac4859aa3fe5e5f73d

SHA1
ff14d456b0d7fb5ed2e3648aebf9c3f34c05e4e6

SHA256
099d501bc8034a8b4c0d7c21ce136b6d41447fb6ceddac91fd11e18f232e3ae2

SHA512
1cb11f0cfc6be27377db97f0126eff74c29ed0a732271b0bf4921bcd8816521ab0aa368958b36054cef09b6b62faaf79fa26a6fff78ff680bfa7365baae49a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd23a7f0-f26c-44a3-9351-66272fd0ab4c.vbs

Filesize
533B

MD5
0b561223d4d3fd8e369c23cbade2c5b2

SHA1
084d5cb57ade5148b00653d4e17bf2978c48ad45

SHA256
93a3badb4c77bb2f42e17c6667b3e92538eddff8650a229ab3b0447522a6e85d

SHA512
b5845c3a4502856f9306533ef82203ec9159c0beb39336bee85e4ecdd217bb5b049e21ce00f67450a4cdaa4dcad5230bed9848f1a78de57681745adcd9000d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5bc596a-651f-41a4-809a-81a40232882b.vbs

Filesize
757B

MD5
ad353c0da20ea00c0efb527fac103ffd

SHA1
21bded93975662047408f5cdc2b2df4a3731d4f1

SHA256
bccb283208dbce33926506ff43d19ef6a247e918b0a3916d7c382d537b0edccd

SHA512
5b19f7469163b8824133298b931afb388381754011431926e036abd857f5bdff923cf806e96033e2f12f4edca8d1c2ca5b575b6508b954af903a53ccb327878c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed739496-d500-47df-bd6e-85c139743555.vbs

Filesize
757B

MD5
12f85af3623616a692b3a822648fe334

SHA1
ea606b7d71c38b8e8e8073c784ed24e59a0dcb12

SHA256
7f402b1362dbf6de943e7b1b67fee2160180d9a0b5197ad3ba5b4e762835f6ec

SHA512
f7d773c6fd9223863122fec5747e0f5c131061db3ac13caa7afde5b1fd1e240d3fe6b8e0b83801be4f707a1150e2d4c6767829ddbf3e562d5376af94a7f15e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd69e868-0c7d-4359-8d75-188c971ec5eb.vbs

Filesize
757B

MD5
7dcbee08ee615731a48a873484fbf270

SHA1
7db61e8948a5daca81d32291e9b0364a2003681a

SHA256
9b995cc7e9426bddaab8997cf83f5e57721d6f028c6a6487801e3dc6bedf4778

SHA512
0046683d1aa6fb0efd3d0b03d2b100aefa272bf0089f5688da9e6f4edc8a03c16b692ca40f12c14d6493e38b41c55d122afde391ae2ebd434a684e59513b8c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\yKOwmxbhQD.bat

Filesize
246B

MD5
1d4396ded82e8e103cf6e5a88ec16949

SHA1
e71630fd3c866682f92a29db31d29a969f6720ee

SHA256
6ad0e6a5d1500876e55b5d8553215f8d95c60bd5b87f229b6fc7b181e7d78eb6

SHA512
2d38f3606c5c6de03a62dd06d34f077e59e635d1ac10127713defec772d6d9b950841d69f3afb5261c8fc66010eaa813eb32910bacb7c491fef39e3d323c6759

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ad25936f00532b84822fc665e17234d4

SHA1
169f5462cabae453a8a0cc9f84d3456e99cf8f35

SHA256
fd75d0214b48c3a3c706094b5b9d3c58f8d6d91576ec92eec12a98651d15c6e0

SHA512
9de060b5738444b034e025aa5d20d30b0f2e63e811ff040abfbb1905756e05a8470bcef075419551dda39921871e55ca6b410c680b906b1e5b9fe2a65eca8ba7

Download Submit
C:\Windows\AppCompat\Programs\taskhost.exe

Filesize
1.6MB

MD5
c86673bf3955f4820c9d706e1724c4ac

SHA1
73a227f97cfe0ecd848e57cbf9d026b34ac9c6bf

SHA256
682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27

SHA512
9010711d04d87d92cdfed6f1dc56d022fc9d5529b45443dcf9ad3fc0040a3e1695784525d81f5617b78bb7472c4293a1cc9599b388d1c5c9dc23d6b8b191b0f9

Download Submit
C:\Windows\es-ES\WmiPrvSE.exe

Filesize
1.6MB

MD5
0374108754541a12dd1b3826ae329e10

SHA1
8ab71c8734a40a23d53d988c90f277b43b508f15

SHA256
32fcf4c2674d3df7bf3faa1385d864bfb30add2cdf1f44adb96bc578d2caf9e4

SHA512
c3bcaeb4df63223f894816fbbb66674904671f66e057cdcca3c00a12d6d307bceebad8af72f10040610285cdc12ab96389412a5b767fa3218ed495755af37ede

Download Submit
memory/340-368-0x00000000011B0000-0x0000000001352000-memory.dmp

Filesize
1.6MB

Download
memory/648-344-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/1148-461-0x0000000000C70000-0x0000000000E12000-memory.dmp

Filesize
1.6MB

Download
memory/1464-333-0x0000000000E30000-0x0000000000FD2000-memory.dmp

Filesize
1.6MB

Download
memory/1588-415-0x0000000000EE0000-0x0000000001082000-memory.dmp

Filesize
1.6MB

Download
memory/1628-380-0x00000000001B0000-0x0000000000352000-memory.dmp

Filesize
1.6MB

Download
memory/1752-392-0x0000000000DC0000-0x0000000000F62000-memory.dmp

Filesize
1.6MB

Download
memory/2204-10-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2204-9-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2204-249-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-1-0x0000000001170000-0x0000000001312000-memory.dmp

Filesize
1.6MB

Download
memory/2204-226-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-203-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/2204-4-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2204-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2204-5-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2204-6-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2204-8-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2204-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2204-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/2204-11-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2204-12-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/2204-14-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/2204-15-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/2204-16-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2204-13-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2204-7-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2612-248-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2612-247-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2860-356-0x0000000000D00000-0x0000000000EA2000-memory.dmp

Filesize
1.6MB

Download
memory/3044-449-0x00000000002F0000-0x0000000000492000-memory.dmp

Filesize
1.6MB

Download