dcrat | 13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
111s
max time network
152s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a73951d8730beba8a769c882801bd767.exe
Size

1.6MB
MD5

a73951d8730beba8a769c882801bd767
SHA1

d7a91fcad4c3477b2bb17168404b015249dc9925
SHA256

fd491ef92bb1de6bc677badbca3c26699d3cd713e5803c82757768965be9ded3
SHA512

12f5bb32eba7a028f0ef7dc29d6d75efb5460ce34209c677539daa83cadf1c689961a8a076a7d8acc90479fba8fc526ee1e83f0e19af5d784525425a5e15c6e6
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2836	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/1956-1-0x0000000000040000-0x00000000001E2000-memory.dmp	dcrat
behavioral9/files/0x000500000001950e-25.dat	dcrat
behavioral9/files/0x000600000001962f-96.dat	dcrat
behavioral9/files/0x000b0000000164b1-109.dat	dcrat
behavioral9/files/0x000900000001950e-132.dat	dcrat
behavioral9/files/0x0009000000019623-157.dat	dcrat
behavioral9/memory/1660-390-0x00000000012F0000-0x0000000001492000-memory.dmp	dcrat
behavioral9/memory/3000-467-0x00000000000C0000-0x0000000000262000-memory.dmp	dcrat
behavioral9/memory/2908-479-0x0000000001350000-0x00000000014F2000-memory.dmp	dcrat
behavioral9/memory/3032-502-0x0000000001370000-0x0000000001512000-memory.dmp	dcrat
behavioral9/files/0x000500000001a506-501.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2304	powershell.exe
1740	powershell.exe
3040	powershell.exe
2372	powershell.exe
2304	powershell.exe
2068	powershell.exe
1504	powershell.exe
304	powershell.exe
1320	powershell.exe
1692	powershell.exe
1752	powershell.exe
2776	powershell.exe
1372	powershell.exe
1784	powershell.exe
2248	powershell.exe
2444	powershell.exe
1536	powershell.exe
2400	powershell.exe
3028	powershell.exe
1968	powershell.exe
2592	powershell.exe
2248	powershell.exe
884	powershell.exe
3048	powershell.exe
2984	powershell.exe
2008	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1820	a73951d8730beba8a769c882801bd767.exe
1660	conhost.exe
2528	conhost.exe
2196	conhost.exe
316	conhost.exe
960	conhost.exe
2092	conhost.exe
1752	conhost.exe
3000	conhost.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\a73951d8730beba8a769c882801bd767.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\DVD Maker\27d1bcfc3c54e0	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXE3AD.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXEC2E.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\DVD Maker\System.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\a73951d8730beba8a769c882801bd767.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\MSBuild\Microsoft\a73951d8730beba8a769c882801bd767.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files (x86)\Reference Assemblies\3c00a60130a398	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\a73951d8730beba8a769c882801bd767.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\DVD Maker\RCXF037.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\powershell.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\MSBuild\Microsoft\3c00a60130a398	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXE41B.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\a73951d8730beba8a769c882801bd767.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXEC2F.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\DVD Maker\RCXF038.tmp	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\e978f868350d50	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\Google\conhost.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\Google\088424020bedd6	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\DVD Maker\System.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\powershell.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Program Files\Google\conhost.exe	a73951d8730beba8a769c882801bd767.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\system\OSPPSVC.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\TAPI\RCXD447.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\TAPI\WmiPrvSE.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\system\RCXDB2F.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\system\RCXDB30.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Fonts\RCXDF36.tmp	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\system\1610b97d3ab4a7	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\DigitalLocker\es-ES\lsass.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\TAPI\WmiPrvSE.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Migration\WTR\RCXEE32.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\a73951d8730beba8a769c882801bd767.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\DigitalLocker\es-ES\6203df4a6bafc7	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\PCHEALTH\explorer.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\system\OSPPSVC.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\PCHEALTH\explorer.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Migration\WTR\sppsvc.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\Vss\Writers\System\886983d96e3d3e	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\Migration\WTR\sppsvc.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\RCXE61F.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\PCHEALTH\RCXEA2A.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Migration\WTR\RCXEE33.tmp	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\Fonts\5940a34987c991	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\PCHEALTH\7a0fd90576e088	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\TAPI\RCXD446.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Vss\Writers\System\csrss.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Fonts\RCXDFA5.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Fonts\dllhost.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\DigitalLocker\en-US\a73951d8730beba8a769c882801bd767.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\DigitalLocker\en-US\3c00a60130a398	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\TAPI\24dbde2999530e	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\Fonts\dllhost.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\Migration\WTR\0a1fd5f707cd16	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\lsass.exe	a73951d8730beba8a769c882801bd767.exe
File created	C:\Windows\Vss\Writers\System\csrss.exe	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXD8BD.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXD92B.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\RCXE620.tmp	a73951d8730beba8a769c882801bd767.exe
File opened for modification	C:\Windows\PCHEALTH\RCXEA29.tmp	a73951d8730beba8a769c882801bd767.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
772	schtasks.exe
2008	schtasks.exe
1308	schtasks.exe
2892	schtasks.exe
2924	schtasks.exe
2476	schtasks.exe
2196	schtasks.exe
1260	schtasks.exe
2464	schtasks.exe
1688	schtasks.exe
1944	schtasks.exe
2956	schtasks.exe
888	schtasks.exe
3028	schtasks.exe
2900	schtasks.exe
800	schtasks.exe
1516	schtasks.exe
1288	schtasks.exe
1256	schtasks.exe
2692	schtasks.exe
1504	schtasks.exe
1520	schtasks.exe
2748	schtasks.exe
2312	schtasks.exe
2424	schtasks.exe
2144	schtasks.exe
2736	schtasks.exe
896	schtasks.exe
2556	schtasks.exe
1104	schtasks.exe
3040	schtasks.exe
3008	schtasks.exe
852	schtasks.exe
2816	schtasks.exe
2244	schtasks.exe
1140	schtasks.exe
2660	schtasks.exe
2504	schtasks.exe
1056	schtasks.exe
2384	schtasks.exe
1992	schtasks.exe
324	schtasks.exe
1344	schtasks.exe
2608	schtasks.exe
1852	schtasks.exe
3000	schtasks.exe
2296	schtasks.exe
692	schtasks.exe
2752	schtasks.exe
2080	schtasks.exe
1856	schtasks.exe
1268	schtasks.exe
2144	schtasks.exe
2528	schtasks.exe
2576	schtasks.exe
2236	schtasks.exe
2360	schtasks.exe
548	schtasks.exe
1948	schtasks.exe
2304	schtasks.exe
1540	schtasks.exe
2860	schtasks.exe
2924	schtasks.exe
2096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	a73951d8730beba8a769c882801bd767.exe
1956	a73951d8730beba8a769c882801bd767.exe
1956	a73951d8730beba8a769c882801bd767.exe
1956	a73951d8730beba8a769c882801bd767.exe
1956	a73951d8730beba8a769c882801bd767.exe
1692	powershell.exe
1504	powershell.exe
3048	powershell.exe
884	powershell.exe
2372	powershell.exe
1752	powershell.exe
1320	powershell.exe
304	powershell.exe
3028	powershell.exe
1968	powershell.exe
2248	powershell.exe
3040	powershell.exe
1372	powershell.exe
2304	powershell.exe
1784	powershell.exe
2776	powershell.exe
2068	powershell.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
1820	a73951d8730beba8a769c882801bd767.exe
2984	powershell.exe
2592	powershell.exe
2400	powershell.exe
2304	powershell.exe
1740	powershell.exe
1536	powershell.exe
2248	powershell.exe
2008	powershell.exe
1660	conhost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	a73951d8730beba8a769c882801bd767.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1820	a73951d8730beba8a769c882801bd767.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1660	conhost.exe
Token: SeDebugPrivilege	2528	conhost.exe
Token: SeDebugPrivilege	2196	conhost.exe
Token: SeDebugPrivilege	316	conhost.exe
Token: SeDebugPrivilege	960	conhost.exe
Token: SeDebugPrivilege	2092	conhost.exe
Token: SeDebugPrivilege	1752	conhost.exe
Token: SeDebugPrivilege	3000	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1968	1956	a73951d8730beba8a769c882801bd767.exe	80
PID 1956 wrote to memory of 1968	1956	a73951d8730beba8a769c882801bd767.exe	80
PID 1956 wrote to memory of 1968	1956	a73951d8730beba8a769c882801bd767.exe	80
PID 1956 wrote to memory of 1692	1956	a73951d8730beba8a769c882801bd767.exe	81
PID 1956 wrote to memory of 1692	1956	a73951d8730beba8a769c882801bd767.exe	81
PID 1956 wrote to memory of 1692	1956	a73951d8730beba8a769c882801bd767.exe	81
PID 1956 wrote to memory of 2248	1956	a73951d8730beba8a769c882801bd767.exe	148
PID 1956 wrote to memory of 2248	1956	a73951d8730beba8a769c882801bd767.exe	148
PID 1956 wrote to memory of 2248	1956	a73951d8730beba8a769c882801bd767.exe	148
PID 1956 wrote to memory of 1784	1956	a73951d8730beba8a769c882801bd767.exe	85
PID 1956 wrote to memory of 1784	1956	a73951d8730beba8a769c882801bd767.exe	85
PID 1956 wrote to memory of 1784	1956	a73951d8730beba8a769c882801bd767.exe	85
PID 1956 wrote to memory of 1372	1956	a73951d8730beba8a769c882801bd767.exe	86
PID 1956 wrote to memory of 1372	1956	a73951d8730beba8a769c882801bd767.exe	86
PID 1956 wrote to memory of 1372	1956	a73951d8730beba8a769c882801bd767.exe	86
PID 1956 wrote to memory of 3028	1956	a73951d8730beba8a769c882801bd767.exe	87
PID 1956 wrote to memory of 3028	1956	a73951d8730beba8a769c882801bd767.exe	87
PID 1956 wrote to memory of 3028	1956	a73951d8730beba8a769c882801bd767.exe	87
PID 1956 wrote to memory of 1320	1956	a73951d8730beba8a769c882801bd767.exe	88
PID 1956 wrote to memory of 1320	1956	a73951d8730beba8a769c882801bd767.exe	88
PID 1956 wrote to memory of 1320	1956	a73951d8730beba8a769c882801bd767.exe	88
PID 1956 wrote to memory of 3048	1956	a73951d8730beba8a769c882801bd767.exe	155
PID 1956 wrote to memory of 3048	1956	a73951d8730beba8a769c882801bd767.exe	155
PID 1956 wrote to memory of 3048	1956	a73951d8730beba8a769c882801bd767.exe	155
PID 1956 wrote to memory of 884	1956	a73951d8730beba8a769c882801bd767.exe	90
PID 1956 wrote to memory of 884	1956	a73951d8730beba8a769c882801bd767.exe	90
PID 1956 wrote to memory of 884	1956	a73951d8730beba8a769c882801bd767.exe	90
PID 1956 wrote to memory of 304	1956	a73951d8730beba8a769c882801bd767.exe	91
PID 1956 wrote to memory of 304	1956	a73951d8730beba8a769c882801bd767.exe	91
PID 1956 wrote to memory of 304	1956	a73951d8730beba8a769c882801bd767.exe	91
PID 1956 wrote to memory of 2776	1956	a73951d8730beba8a769c882801bd767.exe	92
PID 1956 wrote to memory of 2776	1956	a73951d8730beba8a769c882801bd767.exe	92
PID 1956 wrote to memory of 2776	1956	a73951d8730beba8a769c882801bd767.exe	92
PID 1956 wrote to memory of 1504	1956	a73951d8730beba8a769c882801bd767.exe	130
PID 1956 wrote to memory of 1504	1956	a73951d8730beba8a769c882801bd767.exe	130
PID 1956 wrote to memory of 1504	1956	a73951d8730beba8a769c882801bd767.exe	130
PID 1956 wrote to memory of 2068	1956	a73951d8730beba8a769c882801bd767.exe	94
PID 1956 wrote to memory of 2068	1956	a73951d8730beba8a769c882801bd767.exe	94
PID 1956 wrote to memory of 2068	1956	a73951d8730beba8a769c882801bd767.exe	94
PID 1956 wrote to memory of 2304	1956	a73951d8730beba8a769c882801bd767.exe	143
PID 1956 wrote to memory of 2304	1956	a73951d8730beba8a769c882801bd767.exe	143
PID 1956 wrote to memory of 2304	1956	a73951d8730beba8a769c882801bd767.exe	143
PID 1956 wrote to memory of 2372	1956	a73951d8730beba8a769c882801bd767.exe	97
PID 1956 wrote to memory of 2372	1956	a73951d8730beba8a769c882801bd767.exe	97
PID 1956 wrote to memory of 2372	1956	a73951d8730beba8a769c882801bd767.exe	97
PID 1956 wrote to memory of 3040	1956	a73951d8730beba8a769c882801bd767.exe	98
PID 1956 wrote to memory of 3040	1956	a73951d8730beba8a769c882801bd767.exe	98
PID 1956 wrote to memory of 3040	1956	a73951d8730beba8a769c882801bd767.exe	98
PID 1956 wrote to memory of 1752	1956	a73951d8730beba8a769c882801bd767.exe	100
PID 1956 wrote to memory of 1752	1956	a73951d8730beba8a769c882801bd767.exe	100
PID 1956 wrote to memory of 1752	1956	a73951d8730beba8a769c882801bd767.exe	100
PID 1956 wrote to memory of 1820	1956	a73951d8730beba8a769c882801bd767.exe	114
PID 1956 wrote to memory of 1820	1956	a73951d8730beba8a769c882801bd767.exe	114
PID 1956 wrote to memory of 1820	1956	a73951d8730beba8a769c882801bd767.exe	114
PID 1820 wrote to memory of 2400	1820	a73951d8730beba8a769c882801bd767.exe	139
PID 1820 wrote to memory of 2400	1820	a73951d8730beba8a769c882801bd767.exe	139
PID 1820 wrote to memory of 2400	1820	a73951d8730beba8a769c882801bd767.exe	139
PID 1820 wrote to memory of 1536	1820	a73951d8730beba8a769c882801bd767.exe	140
PID 1820 wrote to memory of 1536	1820	a73951d8730beba8a769c882801bd767.exe	140
PID 1820 wrote to memory of 1536	1820	a73951d8730beba8a769c882801bd767.exe	140
PID 1820 wrote to memory of 1740	1820	a73951d8730beba8a769c882801bd767.exe	141
PID 1820 wrote to memory of 1740	1820	a73951d8730beba8a769c882801bd767.exe	141
PID 1820 wrote to memory of 1740	1820	a73951d8730beba8a769c882801bd767.exe	141
PID 1820 wrote to memory of 2304	1820	a73951d8730beba8a769c882801bd767.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe
"C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\a73951d8730beba8a769c882801bd767.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\es-ES\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\a73951d8730beba8a769c882801bd767.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe
  "C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a73951d8730beba8a769c882801bd767.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\a73951d8730beba8a769c882801bd767.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\conhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\conhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2444
- - C:\Users\Default\Templates\conhost.exe
    "C:\Users\Default\Templates\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83fea550-38bd-414c-8c5c-23348ef1c4f8.vbs"
      4⤵
      PID:320
    - - C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6c3249-5293-4e49-862b-88dd6bdceb36.vbs"
        6⤵
        
        PID:2336
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a57cd0f1-bf38-4733-bf7d-5e5c82e71a87.vbs"
        8⤵
        
        PID:1384
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4a25724-6854-4812-810a-daf57a08b501.vbs"
        10⤵
        
        PID:1192
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74ce8dbc-66d3-4a94-8dc7-5ec55c74c769.vbs"
        12⤵
        
        PID:2960
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a379502d-250c-4fc6-ae4a-18b176d51eba.vbs"
        14⤵
        
        PID:2884
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3eafb1a-0829-4e7c-8619-250494236cc2.vbs"
        16⤵
        
        PID:764
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62c9ef48-ef79-4dbd-a82c-dfeb2d2d544b.vbs"
        18⤵
        
        PID:2916
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        19⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1630896f-9871-47be-af6a-e8709483432e.vbs"
        20⤵
        
        PID:1572
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        21⤵
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ca74f63-582e-4960-9111-1e3c5d0ba4eb.vbs"
        22⤵
        
        PID:2524
        
        C:\Users\Default\Templates\conhost.exe
        
        C:\Users\Default\Templates\conhost.exe
        23⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\156a7b0d-3113-4d2d-8424-3d5a27031226.vbs"
        22⤵
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94a6e35d-59bb-4222-bb10-a7463eb6ea9c.vbs"
        20⤵
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48aabe74-f20a-4a92-8f3d-67b3ed3df36a.vbs"
        18⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\602d032c-360f-4847-95bf-5c8e97251937.vbs"
        16⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4ee6f9d-04c4-453c-8beb-1eb251b1bca1.vbs"
        14⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb092df-363c-411f-b267-438021681b53.vbs"
        12⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d28a01aa-a39b-4957-9ca3-e9a6bcbd18ae.vbs"
        10⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72303435-9aa6-4bef-9822-5dba290364ec.vbs"
        8⤵
        
        PID:1872
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bc93273-c9d5-462c-8ee3-3760c0af3ee1.vbs"
        6⤵
        
        PID:2144
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32141679-f64b-4b29-92ae-a202d7cc4245.vbs"
      4⤵
      PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\system\OSPPSVC.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\system\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\system\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767a" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\a73951d8730beba8a769c882801bd767.exe'" /f
1⤵
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\a73951d8730beba8a769c882801bd767.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767a" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\a73951d8730beba8a769c882801bd767.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\es-ES\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767a" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\a73951d8730beba8a769c882801bd767.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\a73951d8730beba8a769c882801bd767.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767a" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\a73951d8730beba8a769c882801bd767.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767a" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\a73951d8730beba8a769c882801bd767.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\a73951d8730beba8a769c882801bd767.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a73951d8730beba8a769c882801bd767a" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\a73951d8730beba8a769c882801bd767.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-465605722-16961183-3398181401650358607-160296088-437231275130769157672165379"
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\Microsoft\a73951d8730beba8a769c882801bd767.exe

Filesize
1.6MB

MD5
6201acb4d2ad9385e7d0b9dea36bf62e

SHA1
1c9c436fc60350f378ecdb5665022cb71f4b9aba

SHA256
9be9ad8c3b1587ccb10d5c7f2703029ea8cbde2d214a18f6381f64e0422a38c8

SHA512
cfeae49f5c20fdc461a3a97d7951d65137e1240ed33d80df5420aad1863cb4da10503cab2378c365b1d91aaddc9174228866aef4f62b5ff95f29282f0a9bb707

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe

Filesize
1.6MB

MD5
f4fd78d496c7cc50cdbf63a791a1f194

SHA1
cc26797f365b7088d62f3af8e5cf4d097f08420d

SHA256
d4b27408c8f022b11d05c8e2e2652d2e96ed8e2f39004fa633bf6aa6d95567d3

SHA512
e3e2bfce3a57f5e9636801a73f70f465593f62cc0999aeeb56bdab80c21a3fee3c31a652ff1b6398c74ec0894c37f5511ffe2d07b4c5ef36efe8cc9685bf584c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1630896f-9871-47be-af6a-e8709483432e.vbs

Filesize
714B

MD5
bb49a46cb2c6d759e02e57b672dacc16

SHA1
af2b5c8645c3fa0dbf578d0d7419cecd0f41dbef

SHA256
a677f652ac5762521bf48fa85453ee01f8a74ecf83a2cb55af5e3f45dfce2647

SHA512
6a14c6ff941c58be34823c7fed48e4b17a7e8e142db7d4e0343e3ad2c2e595a3a6d298d87bcf0e69a37c47a1f23a7f00e7ebbcc86a6f4d948db7face42c28ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ca74f63-582e-4960-9111-1e3c5d0ba4eb.vbs

Filesize
714B

MD5
b476794022275cd80459876ae9c34d15

SHA1
a6598037582c22ef1556661b04a67eac637041a1

SHA256
d616fd618a83d6d0509e592524b6a01096c921bc1bdbe3f083bc5b839b272e56

SHA512
45dadf4fd97a4c341c6539f5b59db8a5f4e11b85ec6956a6840da0e34bcf2b9b57c259c8087932d108fca6cd6891646c23f55ea20e727921580da68188b08e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\32141679-f64b-4b29-92ae-a202d7cc4245.vbs

Filesize
490B

MD5
e686d4b53ffaddf7ac17eaafdb4bc7b7

SHA1
c530af27c622d5eae05cc9b388a718f9da8fd8f0

SHA256
e2e6a09e85528e69b110257681914ae41705e373a7116aee40b04eff0824d8bf

SHA512
9156dac4a1fa290cb8c1eb9247e42cde62e68d396e94efc4ddc5bc044f220c75220c71600f6b4fa132563c3095df9d31dac6389112f6583551e95ddb99a1671f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62c9ef48-ef79-4dbd-a82c-dfeb2d2d544b.vbs

Filesize
714B

MD5
371421a398f118b323fd42472b04f3ff

SHA1
9592245e11d2292a19ef97c94b9e9bad4cc41918

SHA256
0c6080ea04df3e68a1eda8d38c44dd86b91fc7dff7cccbd4c6b874931e0dcd82

SHA512
2686709b1a983ddedf53b08bf8185f06584c256989919fa0e625805e96468d37db0b393707c7afa20c59fc05fa4cbd9871e7e109b46a0d491553534cef2a7801

Download Submit
C:\Users\Admin\AppData\Local\Temp\74ce8dbc-66d3-4a94-8dc7-5ec55c74c769.vbs

Filesize
713B

MD5
aad599d6d8915f0489fc6b836c3bcb7a

SHA1
dfaf789d77ac2055926b762709f44e7a49047375

SHA256
088aa7c162fd4fa08cc61015ddfade452554fbdb4aed7d28ed3ffb9cec6ae936

SHA512
12f0d85571504b28f33198b6dea5170d102bac57ca9a90ed690a6520ff9cf53f05c2d44df6dc269f8e8b397250d0cd34136fd64351fa7f48c6bff1db72e0009f

Download Submit
C:\Users\Admin\AppData\Local\Temp\83fea550-38bd-414c-8c5c-23348ef1c4f8.vbs

Filesize
714B

MD5
37cba5fd44d30d9424c0ceb4ced0100b

SHA1
784370e66cfac9d7e12b80bdab14c6891d31b547

SHA256
909aefcda7c4d37ef70307ef87dcf6586e0aa2fb33446a9234642eea10a3d73d

SHA512
064dc13711b399ef75e2695ce1128d2709ad493b4ad86e92eec056371eff631257d417cb7e8246a46d530951fc6f133bf9a0d22ed9aa37680099f75e9138e771

Download Submit
C:\Users\Admin\AppData\Local\Temp\a379502d-250c-4fc6-ae4a-18b176d51eba.vbs

Filesize
714B

MD5
f6489cd144ff197e7ecec28a57fbe3e3

SHA1
1a62593ccd6ccfd73864e06d3d17192e85711f7b

SHA256
6bf27d23536c3f9b2892841fb31a63f7e9d60297428a73b02cfadc830ecde65a

SHA512
e3dcb749eaa21f4f90dbf2d0cd59853c1eed898cdd908a4b7fc01bebc318759852ddd998dd05e170129235c452d02212fbdbaf447341f61211ee9f70723f132c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a57cd0f1-bf38-4733-bf7d-5e5c82e71a87.vbs

Filesize
714B

MD5
c04291af9af40b58f14f13b7edc039ef

SHA1
00879efb4ac13ba0215420afaae7c41a845fa557

SHA256
b6b952d3982325f124aaa04be51d3f8209190c641bdcc2f751e24134087620af

SHA512
5ff745d1d4bfdff35de8d666e102c8080e1eb8225c6e7c652fd9c6b4be6503a0e081e42ea35b3160635115297f6c29ca32c0b6dd3503f9d79b6abece36faefe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4a25724-6854-4812-810a-daf57a08b501.vbs

Filesize
713B

MD5
3b3475f9e62ed03484cd92bd2207be6a

SHA1
d4d915cb5fe2f84be1cf7715a774748dcd50317b

SHA256
b943a840d74bd797f35b34c267db71abfe9426f08d5dfb26e58300022b64fc44

SHA512
fdda77b55c8f3fd302f84fe557263ef806a04eb42b34b59d53fa9d21a090d94cc2064c83e75d2db0a045b68f41ac6005abcbcc1a448355071702cc7ac66e00dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd6c3249-5293-4e49-862b-88dd6bdceb36.vbs

Filesize
714B

MD5
1ebdbe48ac5cdd0544f286e55e0ce20e

SHA1
09bbeec9c049e24466868de12c1e9dcfdb824c32

SHA256
562b57d4c8a9a6e08acede7f8fb2e9b3f577b502fc4f9b24846308e9077871c8

SHA512
97d48687c816f62d4db8ff48c94f867a72c9a65d47f43732bbd87ea2269508bdc745a729975012500970d7b05453aefb923b2007c39c89a32deefef8ddb44af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3eafb1a-0829-4e7c-8619-250494236cc2.vbs

Filesize
714B

MD5
146da1b235c3a2cf00952f52ce611480

SHA1
6be2f76be0b6315d8955266467f624843be09335

SHA256
44f5dab4d67c4bf316bd92e1c03d82bfae4df52e9a2fc759a7b3abc4ba6cf555

SHA512
444a1596975aae0aa7e23774273198f399dca968a9e8f400c3ab1556bbcf5865e64738c17a20b4795b243f18901339b74b25eeb8348b8148cb5977254e412eb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
74cc4366ccbd8308d80a02e72bb2f622

SHA1
e99f73ed8b4d5c20d6cc65068d73399288d47612

SHA256
e9da9a0bc9ff596c780eafff67e61afeebdd2cf18de9522195f7cb06551704b5

SHA512
4728efbbb233a9d80edb1147305811f4942aefe0bdcf9f04ed8b02919077e34eef001117b76ffb8913089c3fba970a2864ccb7fbf3288ee7a8e0c49646aed40d

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\conhost.exe

Filesize
768KB

MD5
42eccba261b286f3fcfdb9f01a95f884

SHA1
e3758dab2d4f4ee95381631f79f194feccb8dadb

SHA256
36fd036c452633c00f341c9f67223a9d68c44e602260cf0449be0abdcb2e65ee

SHA512
4f627200b52d64438eabcec0b39ed3b6f40dd542df213dd827afefcc9362aaf86407ed69f5b226b7445d5734b18674c5a1bb354b288471fbaa5f8b2d412f593e

Download Submit
C:\Windows\Fonts\dllhost.exe

Filesize
1.6MB

MD5
b7ae29b9ecdec44890d2b3e7e068e2bf

SHA1
ec5cdb229e7496f93489451dba844e0e955867ca

SHA256
cd5d7abc189a8419fa26c1b78ed2d40933bfc3e87a88ddc507a768bd5967d09a

SHA512
c511982059c879effe5c1ea29cdab8edbf6bab27cd531a15b66a17df4c642e0c4adc0a28f837e06bc5e6b1dbc14f7848fb08480da109fac10d9562a81682101a

Download Submit
C:\Windows\Vss\Writers\System\csrss.exe

Filesize
1.6MB

MD5
a73951d8730beba8a769c882801bd767

SHA1
d7a91fcad4c3477b2bb17168404b015249dc9925

SHA256
fd491ef92bb1de6bc677badbca3c26699d3cd713e5803c82757768965be9ded3

SHA512
12f5bb32eba7a028f0ef7dc29d6d75efb5460ce34209c677539daa83cadf1c689961a8a076a7d8acc90479fba8fc526ee1e83f0e19af5d784525425a5e15c6e6

Download Submit
C:\Windows\Vss\Writers\System\csrss.exe

Filesize
1.6MB

MD5
4dad0b4dde1c3c157281d0976705ff2e

SHA1
40ce03e00d0b1f3bd156ae6671e6ceafb9ba6088

SHA256
1e16c8d5eb08813c75dd0a9caac7374e871836f3241217129d4fe77d7275fa79

SHA512
82a08d0f9af584556c95c3e3592658df7f4ee06c96eeb19de056affd4055cb250079f236ed553d4a3d707ee9c642478555b1f1259aa4ada994e56ee287f2d707

Download Submit
memory/1660-390-0x00000000012F0000-0x0000000001492000-memory.dmp

Filesize
1.6MB

Download
memory/1692-242-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/1692-241-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1956-13-0x000000001A870000-0x000000001A878000-memory.dmp

Filesize
32KB

Download
memory/1956-3-0x00000000020A0000-0x00000000020BC000-memory.dmp

Filesize
112KB

Download
memory/1956-208-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/1956-5-0x00000000021C0000-0x00000000021D6000-memory.dmp

Filesize
88KB

Download
memory/1956-6-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/1956-247-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-8-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1956-1-0x0000000000040000-0x00000000001E2000-memory.dmp

Filesize
1.6MB

Download
memory/1956-2-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-9-0x0000000002300000-0x000000000230C000-memory.dmp

Filesize
48KB

Download
memory/1956-11-0x000000001A850000-0x000000001A85A000-memory.dmp

Filesize
40KB

Download
memory/1956-12-0x000000001A860000-0x000000001A86E000-memory.dmp

Filesize
56KB

Download
memory/1956-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/1956-14-0x000000001A880000-0x000000001A888000-memory.dmp

Filesize
32KB

Download
memory/1956-15-0x000000001A890000-0x000000001A89A000-memory.dmp

Filesize
40KB

Download
memory/1956-16-0x000000001A8A0000-0x000000001A8AC000-memory.dmp

Filesize
48KB

Download
memory/1956-10-0x000000001A840000-0x000000001A84C000-memory.dmp

Filesize
48KB

Download
memory/1956-7-0x00000000021E0000-0x00000000021F0000-memory.dmp

Filesize
64KB

Download
memory/1956-4-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1956-233-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-479-0x0000000001350000-0x00000000014F2000-memory.dmp

Filesize
1.6MB

Download
memory/2984-354-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2984-353-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/3000-467-0x00000000000C0000-0x0000000000262000-memory.dmp

Filesize
1.6MB

Download
memory/3032-502-0x0000000001370000-0x0000000001512000-memory.dmp

Filesize
1.6MB

Download