dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Size

1.6MB
MD5

c87ae2c7c0c0a77294bdf61219b952f5
SHA1

009d29952e3cec0966402de8b8ffeb264c78a956
SHA256

85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f
SHA512

b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3324	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3324	schtasks.exe	88

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral14/memory/4468-1-0x00000000008D0000-0x0000000000A72000-memory.dmp	dcrat
behavioral14/files/0x00070000000240f1-26.dat	dcrat
behavioral14/files/0x000600000001dab1-89.dat	dcrat
behavioral14/files/0x000400000001dadb-100.dat	dcrat
behavioral14/files/0x000900000001db40-146.dat	dcrat
behavioral14/files/0x000400000001e974-389.dat	dcrat
behavioral14/files/0x000400000001e974-459.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2228	powershell.exe
2016	powershell.exe
3956	powershell.exe
1192	powershell.exe
2388	powershell.exe
4660	powershell.exe
2692	powershell.exe
412	powershell.exe
432	powershell.exe
4968	powershell.exe
1652	powershell.exe
3232	powershell.exe
4292	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 12 IoCs

pid	Process
5408	lsass.exe
5756	lsass.exe
4420	lsass.exe
2396	lsass.exe
2300	lsass.exe
5428	lsass.exe
5060	lsass.exe
6128	lsass.exe
1796	lsass.exe
3736	lsass.exe
4652	lsass.exe
5424	lsass.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\dotnet\swidtag\csrss.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\dotnet\swidtag\886983d96e3d3e	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCXC0E2.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\dotnet\swidtag\csrss.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXB4D1.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lsass.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\f29b7f83f50a4c	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\7-Zip\Lang\lsass.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\7-Zip\Lang\6203df4a6bafc7	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB2BD.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXB2BC.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXB53F.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCXC074.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\database\csrss.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\security\database\csrss.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\security\database\886983d96e3d3e	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\security\database\RCXC2E7.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\security\database\RCXC2E8.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1160	schtasks.exe
432	schtasks.exe
4552	schtasks.exe
4488	schtasks.exe
2796	schtasks.exe
4952	schtasks.exe
4136	schtasks.exe
2692	schtasks.exe
3584	schtasks.exe
1600	schtasks.exe
2388	schtasks.exe
2056	schtasks.exe
856	schtasks.exe
2140	schtasks.exe
4404	schtasks.exe
1864	schtasks.exe
1868	schtasks.exe
216	schtasks.exe
4480	schtasks.exe
4664	schtasks.exe
4896	schtasks.exe
1064	schtasks.exe
4940	schtasks.exe
2168	schtasks.exe
3596	schtasks.exe
1656	schtasks.exe
1268	schtasks.exe
1896	schtasks.exe
4412	schtasks.exe
2088	schtasks.exe
1008	schtasks.exe
2324	schtasks.exe
1052	schtasks.exe
1500	schtasks.exe
3500	schtasks.exe
3136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
4968	powershell.exe
4968	powershell.exe
2388	powershell.exe
2388	powershell.exe
1192	powershell.exe
1192	powershell.exe
4660	powershell.exe
4660	powershell.exe
4292	powershell.exe
4292	powershell.exe
2016	powershell.exe
2016	powershell.exe
2228	powershell.exe
412	powershell.exe
2228	powershell.exe
412	powershell.exe
1652	powershell.exe
3232	powershell.exe
1652	powershell.exe
3232	powershell.exe
432	powershell.exe
432	powershell.exe
3956	powershell.exe
3956	powershell.exe
2692	powershell.exe
2692	powershell.exe
1192	powershell.exe
3956	powershell.exe
2016	powershell.exe
2692	powershell.exe
4968	powershell.exe
4968	powershell.exe
2388	powershell.exe
2388	powershell.exe
4660	powershell.exe
432	powershell.exe
4292	powershell.exe
1652	powershell.exe
2228	powershell.exe
412	powershell.exe
3232	powershell.exe
5408	lsass.exe
5756	lsass.exe
4420	lsass.exe
4420	lsass.exe
2396	lsass.exe
2300	lsass.exe
5428	lsass.exe
5060	lsass.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	5408	lsass.exe
Token: SeDebugPrivilege	5756	lsass.exe
Token: SeDebugPrivilege	4420	lsass.exe
Token: SeDebugPrivilege	2396	lsass.exe
Token: SeDebugPrivilege	2300	lsass.exe
Token: SeDebugPrivilege	5428	lsass.exe
Token: SeDebugPrivilege	5060	lsass.exe
Token: SeDebugPrivilege	6128	lsass.exe
Token: SeDebugPrivilege	1796	lsass.exe
Token: SeDebugPrivilege	3736	lsass.exe
Token: SeDebugPrivilege	4652	lsass.exe
Token: SeDebugPrivilege	5424	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4660	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	129
PID 4468 wrote to memory of 4660	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	129
PID 4468 wrote to memory of 2388	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	130
PID 4468 wrote to memory of 2388	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	130
PID 4468 wrote to memory of 2228	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	131
PID 4468 wrote to memory of 2228	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	131
PID 4468 wrote to memory of 4292	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	133
PID 4468 wrote to memory of 4292	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	133
PID 4468 wrote to memory of 3232	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	134
PID 4468 wrote to memory of 3232	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	134
PID 4468 wrote to memory of 1652	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	136
PID 4468 wrote to memory of 1652	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	136
PID 4468 wrote to memory of 1192	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	137
PID 4468 wrote to memory of 1192	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	137
PID 4468 wrote to memory of 4968	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	139
PID 4468 wrote to memory of 4968	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	139
PID 4468 wrote to memory of 432	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	140
PID 4468 wrote to memory of 432	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	140
PID 4468 wrote to memory of 3956	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	141
PID 4468 wrote to memory of 3956	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	141
PID 4468 wrote to memory of 412	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	143
PID 4468 wrote to memory of 412	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	143
PID 4468 wrote to memory of 2692	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	145
PID 4468 wrote to memory of 2692	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	145
PID 4468 wrote to memory of 2016	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	146
PID 4468 wrote to memory of 2016	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	146
PID 4468 wrote to memory of 1624	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	155
PID 4468 wrote to memory of 1624	4468	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	155
PID 1624 wrote to memory of 3692	1624	cmd.exe	157
PID 1624 wrote to memory of 3692	1624	cmd.exe	157
PID 1624 wrote to memory of 5408	1624	cmd.exe	160
PID 1624 wrote to memory of 5408	1624	cmd.exe	160
PID 5408 wrote to memory of 5580	5408	lsass.exe	161
PID 5408 wrote to memory of 5580	5408	lsass.exe	161
PID 5408 wrote to memory of 5620	5408	lsass.exe	162
PID 5408 wrote to memory of 5620	5408	lsass.exe	162
PID 5580 wrote to memory of 5756	5580	WScript.exe	163
PID 5580 wrote to memory of 5756	5580	WScript.exe	163
PID 5756 wrote to memory of 5896	5756	lsass.exe	164
PID 5756 wrote to memory of 5896	5756	lsass.exe	164
PID 5756 wrote to memory of 5944	5756	lsass.exe	165
PID 5756 wrote to memory of 5944	5756	lsass.exe	165
PID 5896 wrote to memory of 4420	5896	WScript.exe	171
PID 5896 wrote to memory of 4420	5896	WScript.exe	171
PID 4420 wrote to memory of 5232	4420	lsass.exe	172
PID 4420 wrote to memory of 5232	4420	lsass.exe	172
PID 4420 wrote to memory of 3768	4420	lsass.exe	173
PID 4420 wrote to memory of 3768	4420	lsass.exe	173
PID 5232 wrote to memory of 2396	5232	WScript.exe	177
PID 5232 wrote to memory of 2396	5232	WScript.exe	177
PID 2396 wrote to memory of 1120	2396	lsass.exe	178
PID 2396 wrote to memory of 1120	2396	lsass.exe	178
PID 2396 wrote to memory of 3524	2396	lsass.exe	179
PID 2396 wrote to memory of 3524	2396	lsass.exe	179
PID 1120 wrote to memory of 2300	1120	WScript.exe	180
PID 1120 wrote to memory of 2300	1120	WScript.exe	180
PID 2300 wrote to memory of 2128	2300	lsass.exe	181
PID 2300 wrote to memory of 2128	2300	lsass.exe	181
PID 2300 wrote to memory of 3344	2300	lsass.exe	182
PID 2300 wrote to memory of 3344	2300	lsass.exe	182
PID 2128 wrote to memory of 5428	2128	WScript.exe	184
PID 2128 wrote to memory of 5428	2128	WScript.exe	184
PID 5428 wrote to memory of 5776	5428	lsass.exe	185
PID 5428 wrote to memory of 5776	5428	lsass.exe	185

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
"C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\swidtag\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\database\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MFwhts6Ouh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3692
- - C:\0154351536fc379faee1\lsass.exe
    "C:\0154351536fc379faee1\lsass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5408
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e4e425a-e0c4-44cc-82be-5780526281b5.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5580
    - - C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5756
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d2c67fd-b58c-43c5-9570-e643ce5b4b80.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5896
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8220fc67-47a8-48ef-8746-c81e18864ba6.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5232
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3f58864-fc1f-4805-bea1-7c09807eed9b.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a87d6f1-47ec-40a6-9083-889f7df7c7bd.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bafc7e63-1b4c-4572-9788-426a497d78d7.vbs"
        14⤵
        
        PID:5776
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf22c189-52de-4a60-b3e2-a5b58f4c709d.vbs"
        16⤵
        
        PID:5884
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e3b6ccb-aff0-4a75-940e-ca858f8d13bf.vbs"
        18⤵
        
        PID:2660
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97d8aa47-b5aa-427f-b8c8-ccfb33f1ced0.vbs"
        20⤵
        
        PID:4672
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b46b43b0-3b54-41b4-9377-9a970b5e7d45.vbs"
        22⤵
        
        PID:4420
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80aca8ad-ef20-491a-bf98-91be4efe17fa.vbs"
        24⤵
        
        PID:5204
        
        C:\0154351536fc379faee1\lsass.exe
        
        C:\0154351536fc379faee1\lsass.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06055133-c577-41f6-9120-35f0886b61ba.vbs"
        26⤵
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc87b4bc-1266-49b1-a267-6b8762d20c9a.vbs"
        26⤵
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e557376-beb7-44fb-9ce2-9db4473239f8.vbs"
        24⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\567ad2be-315b-4af1-abb4-bdff1a46a1c1.vbs"
        22⤵
        
        PID:3988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9054b1c3-f892-4b59-a7b7-326cc9381299.vbs"
        20⤵
        
        PID:4540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8520fefd-c0d7-43b5-878c-47603f8797ad.vbs"
        18⤵
        
        PID:5964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b7740fd-bc7a-4ef5-9696-a07c5c0c0e63.vbs"
        16⤵
        
        PID:6012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2068e134-0fc8-4a15-b1d4-9de140071a42.vbs"
        14⤵
        
        PID:5892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d9f73a0-74d6-48a8-912c-2a0d3a14e3a0.vbs"
        12⤵
        
        PID:3344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93e972e6-ebed-4cdf-b7f8-bad0612b2576.vbs"
        10⤵
        
        PID:3524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87a1c5ef-4a85-4910-ba70-ca24f08b5fae.vbs"
        8⤵
        
        PID:3768
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cdd5405-bd17-4b6f-8427-e99ffe220e69.vbs"
        6⤵
        
        PID:5944
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2fa9108-b31f-4787-a189-576390441d8f.vbs"
      4⤵
      PID:5620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\0154351536fc379faee1\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f8" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f8" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\3ac54ddf2ad44faa6035cf\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\0154351536fc379faee1\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\0154351536fc379faee1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\0154351536fc379faee1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\swidtag\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\security\database\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\database\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\security\database\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\0154351536fc379faee1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\3ac54ddf2ad44faa6035cf\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3ac54ddf2ad44faa6035cf\services.exe

Filesize
1.6MB

MD5
c66de00ef9054c4e5a6dec91440300b6

SHA1
28e0672ef9da2ff9b2263cddba24aefbb7347d31

SHA256
0e00c5db203f64518554bf2e1766cb6a5c97fc99c04891731c1ea80a4fe1f90e

SHA512
330c9bd735d97193f0386796352f75e8af3eb161d8770d1e67856a7df28a2bc43c1aaec1fbd8ab4d7bfd93ceed98a6ecb210ac39439d9016fcee50e27afb23c7

Download Submit
C:\3ac54ddf2ad44faa6035cf\services.exe

Filesize
1.6MB

MD5
c87ae2c7c0c0a77294bdf61219b952f5

SHA1
009d29952e3cec0966402de8b8ffeb264c78a956

SHA256
85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f

SHA512
b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c

Download Submit
C:\Program Files\7-Zip\Lang\lsass.exe

Filesize
1.6MB

MD5
928fc754151e07c6115aa9d608bc323e

SHA1
74f6746eeef67b5c3bf6f18129bb6f6fae851150

SHA256
772678f0db5c88ab13950bd2e1db50f28a0db90c0d0ccb04176f4e936c44cb00

SHA512
ba9d9e1bba3481d5aad9d8a9d4d294cfe0384865f9ad2bdb06a18b47daad45beb64be4c16c4b80820456dccc194936b3992d7f8eb87080222b05bb23f8d19d62

Download Submit
C:\Program Files\dotnet\swidtag\csrss.exe

Filesize
1.6MB

MD5
cd474a64d8a331a8753ab74f85508f01

SHA1
30e992487b336d8b3cf7fc32237d6e16244b1fcd

SHA256
98dde9fd626c27f00ca42cdd75c3ab0e04da2edea39771b28c40890839420f82

SHA512
26add5f28ef2bcaabe21a5c889ed47865f53fa37ae77347da7d75756488ed774f1e0b70c2cef243105f232ba46cabf9f9c530ff73ae29c8edac6318b2b95d35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb615e25fa5c5d81a46365d6446ed714

SHA1
a57ba54012b1fb1920cfcf276424556d6dc547fc

SHA256
61387deb1626bfef8716a58b204fe05f3df45181550ac38a081c97409c8973fc

SHA512
75961d4e10c7387ca20add4c96b2c4ebb897de417a18b6c6ac9008baa7c0d38823db4797d42e423225c09314ebfe8b000aa9f659f2e992ac8eba8a071407414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
39c1373f63e39f8ec9851d6fd432edc4

SHA1
b475e322690e57291351f2375cd2fb5e5d5a3ed8

SHA256
eac670219d51d93e35189a5ec3cb914daf212cdca53732cf4eb4be2bf33139d0

SHA512
87e0cf2f8ddadd5e9f7153475f5aa4884b7dc3170127d64bc0aaaf033a302b5f327e8dd1d35e9bf1c8ed499a20d3a700e2e1fba1b0da13cedb12fc75a338f892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3f0db2be09ea50e93f81f83a58fdc049

SHA1
862883227880dde307538079454109d35f39723e

SHA256
b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d

SHA512
a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
56addce8ad0788fa7ed121c8239f965f

SHA1
ac9482a712ad866d8d8ba241489613344883ba32

SHA256
cf8f4a84a53607b45f9dfed75c34776b03777d64ac3c44112ccc5638957557d8

SHA512
ecb98df46c6ccec6e9f401f1c8456b26cf38afe82e2bea885c8dc10619fcbaba9e89432f055b1bdbcce40254b06b1e20e330ea4ac724e4f0c673a5697c548521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f3d606f9a5f1201bfc1f01c54e842c4

SHA1
f1917e50b557b135953ecbe63e1fc1e675b541f1

SHA256
dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

SHA512
d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f68785608a60c0961b2926f9c4d4ff87

SHA1
e90357d9a679b851acf30e5e7aa6f76f2e6d3bb4

SHA256
edeed8daa6363551c6ffe770dc95fc9a767da6a020004c61c8e3d81eccb9d673

SHA512
fa369a235b3d4375e7856e39f42b17fb118fadb0b48fbe71074fa47354d0713662b950142ab5083c01cc850f79bbb0abe154eefe0e754b9b76e8d3b330daf652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e10ceaefa38a8a0c7cf27b2938747eae

SHA1
18dd07de4b7d6f6d0fb7e1feebd78f0a93f6c89e

SHA256
d2f2ece67e3314a38df3789214221bbdd06f9f577470b543f6d094b621fba43b

SHA512
84c811e7d313674fff4c24945d275f2aa88380955679bd3a60c7dbde83a370143f3b1b8a677a8b543a571c9069a9262a3f414ff5aff74a283adb81e6321138ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c88f5f103e9375dc09ed9111f780e6ac

SHA1
f4bfc56f2c79364a5a32ca575329de6d7f648661

SHA256
a159d1dfb8d72e4f3db774b7a7c841cb3fefc1655bf5a705c87ae022b9189ea5

SHA512
31d29b73dd24f1b223b7cfbeca129834f9eac0999bed647784bb933e0dfbb0ad70c003dd70b7cea1049d33d9d189bf80c285be45d4ffd8cf9fa0732be542a4d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c79cf713064165d9921621736789b679

SHA1
4d8b3c69ddab8dd528496de06ce7e6e6c2758389

SHA256
6de25d006efb9912c4460725c3ff494adc8585749971235d743dae6cb568068e

SHA512
22dbec206c054253a245c7eac9cbfa4d62b49a11b02adea88b6dc8e1ee4243d46e8f61efa5374d43260ff686dbd3c769b7e14bbc6d5fb2f8999f258a904a04a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a39de506d9f3cb0eef9451868bf8f3ff

SHA1
183758ff7964ae923989989be46a822e0d4dc37f

SHA256
d982bcb0bdbe495e997ead8d128c2f8f0bb66c41fc5e0142d4fb5bf9193e1416

SHA512
041df31ed5f2668dcf99143cbffcc7891394f33c6229f2459cba2226f07a8fcf31e072db62c6735fdb4b9fbc103998094a735a285db84a69bb7d983ffb96efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\06055133-c577-41f6-9120-35f0886b61ba.vbs

Filesize
709B

MD5
84ca38046c724f638c8e469a48da484f

SHA1
d4ec2acc43fdb7f275736efd0f425b8cb1a4ce8e

SHA256
bda3f8e422542d2ff82dfd98c5e494a83c3a229e6de8b167f6910dd68167b201

SHA512
25d3b41f95603768060692a19b1c81c9d4a45a702c1cedc59ecbfdf58ff689d9b81c6e0d203b0b43316f4e918d1bd80f6e664d19404c21b6307f8f2d03a56319

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a87d6f1-47ec-40a6-9083-889f7df7c7bd.vbs

Filesize
709B

MD5
478330bf13c5270b3378da8d3db1949b

SHA1
1ee2fc5d5ca9ffe3891fac63fd23e02412851f2e

SHA256
7fc23713e2fc66b986a113394ec5a7b1866041b9b677479e7dd1d4d52cf6ef38

SHA512
543c99fc4f82d0c3a2f766e50e6cf218a4a0475d4e055b308654d1d34d3f7564d01993da208d19556c90e494a8b57a4019bca845a61f2ec74022b2050cb53e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e4e425a-e0c4-44cc-82be-5780526281b5.vbs

Filesize
709B

MD5
8af8ba5baae1cf6f472d906b1a203211

SHA1
a88eb06f8ca39e627ee84db6451e90f1d60454c3

SHA256
4440e58365f3f4b0ab214beddd7c87a1e2884fa5419e4948a41c63d9a793c908

SHA512
2a4299d9e51ff73228e5c40f25c10eb814720b90014473a0dc03d6b61973fc4be4aeeaf33c4f2913987a77126517cb902a995e6a05f1914c9be0f26bc9d8333d

Download Submit
C:\Users\Admin\AppData\Local\Temp\576d75ff4354c398e1c121496938f8af95d52d9a.exe

Filesize
1.6MB

MD5
1648340388950306f39f748507eff75b

SHA1
b04d9dc8528a6b083d538029a8cff69459c0a295

SHA256
d2926667f799cd33a39d167323d3acfcf4e3bd63ca191ffd27ea78c3abf36ad0

SHA512
3a19dcbda79341cd180457aff54f5b8b52bd25380008f892ff599e79f2691e3f15d0bce9582241315fac4ebc256b6058b002a2148b1d69992bb766d7537008c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\576d75ff4354c398e1c121496938f8af95d52d9a.exe

Filesize
1.6MB

MD5
c26dcbda10e6095304bab896f290d1d4

SHA1
5209af2903e52dc4c4ee4b8e4ef1c58850e1efd3

SHA256
66c321fd6fdbc8ec24aff8e10a10789041e38f43c6944116d758c2813b480894

SHA512
877ab96d73ea5b4953ef3843c9866b71b06c9523577f659255af2e1607a7ff472546e1f1db0e0f3c85c729e5d495bb447272425d8f3883ea4bfd96209d6b7489

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d2c67fd-b58c-43c5-9570-e643ce5b4b80.vbs

Filesize
709B

MD5
6da923742fd639b3902f2b0b3deaf7d2

SHA1
9dd3028ac128d32deeadd76778e042207e8fb016

SHA256
cba313eff8f580ea0abd5f0b062cbf00e98be3253801fc7440fb0f7d74f9ac19

SHA512
74b22295a5c912e9422e5ba13def2355ef9bcbc9b6f18c2dd5b49b51c18cf38d0bb574da16c1d878215f07ea6d9048a1d7a5af486be4b4e97f1d83d6f0c1c483

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e3b6ccb-aff0-4a75-940e-ca858f8d13bf.vbs

Filesize
709B

MD5
8807ddd712246dfa950be75c60aa8de9

SHA1
ced173720df58d10c841b82bbc16d95939940768

SHA256
1b00880e369aeccaae00b31f4a79e1fe16f731efdc6621324146e05b2e13134d

SHA512
a66d1e681678b0950517068e36dbfd5164bebbc367e5f72814e8508584607d3293cceeac3702753a98f1ec4cfd516857009ca176dedaf92d376732eda734cef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\80aca8ad-ef20-491a-bf98-91be4efe17fa.vbs

Filesize
709B

MD5
1d7f41aae2f4357ccaffe13bd5f11bf5

SHA1
e470805a38a76eb8c73171e8c21b99dbc590ab0e

SHA256
b0628a5e2ffe7561776e04c5886613123cd5bc8455fa82666c78bc50ed6ee4d3

SHA512
75b0f079dd66cb6adfb57486df21254beb20d469da00c47e42ddcb7322d51110d8ed92e8d380d4a61c64eacfc8b63a546681dd4220ab0ed3ce946d3cf6a7c552

Download Submit
C:\Users\Admin\AppData\Local\Temp\8220fc67-47a8-48ef-8746-c81e18864ba6.vbs

Filesize
709B

MD5
587c9d772957d296b6a5e7a7c544b829

SHA1
8bff45530468c1947afeaa622d7c3b6c169bf22a

SHA256
492ec7a38770849b25c79537407663fafcb0f9034354875a782044ff8a5a6216

SHA512
3d691fd99c521f09ba5d9436e850bde6ae52ba70f764c3460f1b8dc164adc6a8cb029dee86d857de8ed6fcb74e52f5d4a94f24bfabf83185d3d17589de795e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\97d8aa47-b5aa-427f-b8c8-ccfb33f1ced0.vbs

Filesize
709B

MD5
bb23e773a3412b5f7dd8c790772b9e3f

SHA1
2f00149e2928a7e9ef49c7428dfc20ce46f3e9ea

SHA256
69678ade4fac637951ad0bd9fa792cc4223c9fb86fd599c5c1810212b9d2b0d1

SHA512
ec5524589c9c8a664e9f96a7285b7b85a835283ea55ac7115d388bfa7f20b2d72118ba3495774382e8e43ddc5996881d266f4e1441b5cec9154610dfbf05af72

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFwhts6Ouh.bat

Filesize
198B

MD5
b4d3d6532cbf16e68941a6f807c9d872

SHA1
f328051f36f56223f77ee8fb7577291254c22360

SHA256
7f174d60f2d4fd3bc467cf269a431b484c87d2f6c092671deeaed08a3e431232

SHA512
72f5884811fd0f6745923a2c94e075ef28ec884d103a28dbb8c88998a392dbdd1e784264ceab4d63613f535bc6f9bffae8767068e52ace885171405d2c4d84be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ckvoh3j.y0j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b46b43b0-3b54-41b4-9377-9a970b5e7d45.vbs

Filesize
709B

MD5
afa3d0e4e345223eb54aa995f15c3aa3

SHA1
0289b9c669b2a4cad5c899ad6c8c8a72499a99c5

SHA256
a9f6d0a7cedadf861d921a079d31eddd613f7a3528408066c2365668780c64dc

SHA512
a2eae40ee08669603a17d6b7a98189638485b9c7e5f597db4f22cd18660ec2b236a6518dd18dc2e85ac28044026f84921f8e18230365deee836c74992a26b895

Download Submit
C:\Users\Admin\AppData\Local\Temp\bafc7e63-1b4c-4572-9788-426a497d78d7.vbs

Filesize
709B

MD5
52c05a8d23c0155c9c41fb9c7228a92c

SHA1
c1cc66000048c80fb41c36334992b5557627914c

SHA256
716203e52bdb600f8526d59731f961f3530b5cb9da2f895d95f77e6e9df80e2b

SHA512
0cb5d95b99060506394074353b8596e270662f9ff54121898763071c1d51f061f10df9244d7d1e1a79c0941fa17b8bc9ad98a25615f80e37858abc0866549871

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3f58864-fc1f-4805-bea1-7c09807eed9b.vbs

Filesize
709B

MD5
ee75683216d0c3d89a32881aaf521560

SHA1
9031248abcf48f02498779138bf10c780a702e96

SHA256
427040bdd6c2ffcbdc32b0740d25ab5e52e7019b3eae4afd9aa7fe13259a1f80

SHA512
5f979b9b056184f1aca8e1ed0626fe793c81742056444b04e7a33d8974e5aad3a052051aae30cd3daa9edfb8ddd6e8b0b57016ba1ca418141eded7f6badfd9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf22c189-52de-4a60-b3e2-a5b58f4c709d.vbs

Filesize
709B

MD5
d559da22ac7bb9ee0eb9ef9c90c5e725

SHA1
791f446dbebfc91964bc8995592214ad0f7b7fae

SHA256
6de889f3fc6e163c78f2091de623df3426947a6022aa99930028aea04d34f61f

SHA512
b7305f9c720457b4812ae0d2e550b9b8daf08f4a8bf70a86c6683a61968e56be5da4e544a798bc1260a1549b01647b6839d7a7981e9705548301b64264c8cf76

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2fa9108-b31f-4787-a189-576390441d8f.vbs

Filesize
485B

MD5
bacbb6a1214c1e7a8cd8e6faff260028

SHA1
37f5539968e87900839490d059b776bbfadb18eb

SHA256
e1d064a1ca042b46197e3487beeb1ec39089941955ac2bb17c53ef132f941d16

SHA512
f7d75564c7e52c7260c3c3680c2f704c68e34cbb24b48c5d3d896438c7c54cf48759ae9bc8b6cbf4c48252d8d12fb8285c6935f6ce10168cce05d4dde5ae0033

Download Submit
memory/1796-443-0x000000001D440000-0x000000001D542000-memory.dmp

Filesize
1.0MB

Download
memory/2396-384-0x000000001CF50000-0x000000001D052000-memory.dmp

Filesize
1.0MB

Download
memory/4468-9-0x0000000002E00000-0x0000000002E08000-memory.dmp

Filesize
32KB

Download
memory/4468-4-0x0000000002E20000-0x0000000002E70000-memory.dmp

Filesize
320KB

Download
memory/4468-14-0x000000001BF40000-0x000000001BF48000-memory.dmp

Filesize
32KB

Download
memory/4468-15-0x000000001BF50000-0x000000001BF58000-memory.dmp

Filesize
32KB

Download
memory/4468-12-0x000000001B760000-0x000000001B76A000-memory.dmp

Filesize
40KB

Download
memory/4468-17-0x000000001BF60000-0x000000001BF6C000-memory.dmp

Filesize
48KB

Download
memory/4468-16-0x000000001C060000-0x000000001C06A000-memory.dmp

Filesize
40KB

Download
memory/4468-0-0x00007FFCC4C73000-0x00007FFCC4C75000-memory.dmp

Filesize
8KB

Download
memory/4468-11-0x000000001B750000-0x000000001B75C000-memory.dmp

Filesize
48KB

Download
memory/4468-229-0x00007FFCC4C70000-0x00007FFCC5731000-memory.dmp

Filesize
10.8MB

Download
memory/4468-10-0x0000000002E10000-0x0000000002E1C000-memory.dmp

Filesize
48KB

Download
memory/4468-13-0x000000001B770000-0x000000001B77E000-memory.dmp

Filesize
56KB

Download
memory/4468-8-0x000000001B740000-0x000000001B750000-memory.dmp

Filesize
64KB

Download
memory/4468-1-0x00000000008D0000-0x0000000000A72000-memory.dmp

Filesize
1.6MB

Download
memory/4468-7-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

Filesize
32KB

Download
memory/4468-2-0x00007FFCC4C70000-0x00007FFCC5731000-memory.dmp

Filesize
10.8MB

Download
memory/4468-5-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/4468-3-0x0000000002C90000-0x0000000002CAC000-memory.dmp

Filesize
112KB

Download
memory/4468-6-0x0000000002DD0000-0x0000000002DE6000-memory.dmp

Filesize
88KB

Download
memory/4468-190-0x00007FFCC4C73000-0x00007FFCC4C75000-memory.dmp

Filesize
8KB

Download
memory/4968-200-0x000001F05CED0000-0x000001F05CEF2000-memory.dmp

Filesize
136KB

Download
memory/5060-419-0x000000001D2D0000-0x000000001D3D2000-memory.dmp

Filesize
1.0MB

Download
memory/5428-407-0x000000001CF10000-0x000000001D012000-memory.dmp

Filesize
1.0MB

Download
memory/6128-431-0x000000001CD70000-0x000000001CE72000-memory.dmp

Filesize
1.0MB

Download