dcrat | 14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32

Analysis

max time kernel
120s
max time network
115s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
Size

1.7MB
MD5

71cf8d606c066e5d43f2bb53c2d22540
SHA1

5e8c5e1efd7142f1a28e64d4736eea679eccd538
SHA256

14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32
SHA512

9688ecad23e7bc7f95df762ff4f140b37cacd31968d244c4db8daf8a1738e5f1811e4d1df63802b4889439dee5c5999f6853864df4010c82300ac1bc09b575e0
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2236	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2308-1-0x0000000000900000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/files/0x000500000001a4d7-27.dat	dcrat
behavioral1/files/0x000400000001cb53-70.dat	dcrat
behavioral1/files/0x00120000000120fe-141.dat	dcrat
behavioral1/files/0x000700000001a4f7-186.dat	dcrat
behavioral1/files/0x000700000001c59b-198.dat	dcrat
behavioral1/files/0x000700000001c794-210.dat	dcrat
behavioral1/files/0x000700000001c875-221.dat	dcrat
behavioral1/memory/800-283-0x0000000000340000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/1864-351-0x0000000000A10000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/1540-375-0x0000000000200000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2484-388-0x0000000000030000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2024-401-0x0000000001060000-0x0000000001220000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2484	powershell.exe
2248	powershell.exe
1064	powershell.exe
1216	powershell.exe
1692	powershell.exe
1800	powershell.exe
2456	powershell.exe
2244	powershell.exe
668	powershell.exe
1744	powershell.exe
2124	powershell.exe
1624	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe

Executes dropped EXE 7 IoCs

pid	Process
800	explorer.exe
1864	explorer.exe
2892	explorer.exe
1540	explorer.exe
2484	explorer.exe
2024	explorer.exe
1456	explorer.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\56085415360792	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\1610b97d3ab4a7	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\RCXBBA7.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCXC62E.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wininit.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXCB12.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\886983d96e3d3e	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Program Files\Windows NT\Accessories\wininit.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\winlogon.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXCAA3.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Program Files\DVD Maker\ja-JP\cc11b995f2a76d	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCXC62D.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\csrss.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCXC89F.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\OSPPSVC.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\csrss.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Program Files\DVD Maker\ja-JP\winlogon.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCXC8A0.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\OSPPSVC.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\RCXBBA8.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Boot\DVD\EFI\en-US\Idle.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Windows\Setup\State\OSPPSVC.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\Setup\State\RCXCD15.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\Setup\State\RCXCD84.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\Setup\State\OSPPSVC.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\RCXD238.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\RCXD2C5.tmp	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Windows\Setup\State\1610b97d3ab4a7	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\lsm.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\101b941d020240	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\lsm.exe	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1452	schtasks.exe
2176	schtasks.exe
2372	schtasks.exe
2644	schtasks.exe
2100	schtasks.exe
1684	schtasks.exe
1152	schtasks.exe
2460	schtasks.exe
2968	schtasks.exe
1456	schtasks.exe
2064	schtasks.exe
1400	schtasks.exe
484	schtasks.exe
2408	schtasks.exe
2900	schtasks.exe
1932	schtasks.exe
1920	schtasks.exe
1916	schtasks.exe
2716	schtasks.exe
1088	schtasks.exe
3028	schtasks.exe
668	schtasks.exe
2040	schtasks.exe
2692	schtasks.exe
848	schtasks.exe
1692	schtasks.exe
2628	schtasks.exe
1084	schtasks.exe
1680	schtasks.exe
1244	schtasks.exe
2780	schtasks.exe
2412	schtasks.exe
788	schtasks.exe
2172	schtasks.exe
1760	schtasks.exe
2728	schtasks.exe
1748	schtasks.exe
1416	schtasks.exe
1860	schtasks.exe
2220	schtasks.exe
1036	schtasks.exe
1672	schtasks.exe
1312	schtasks.exe
2752	schtasks.exe
336	schtasks.exe
2484	schtasks.exe
1660	schtasks.exe
2032	schtasks.exe
888	schtasks.exe
2232	schtasks.exe
2208	schtasks.exe
2804	schtasks.exe
2732	schtasks.exe
1976	schtasks.exe
2096	schtasks.exe
1784	schtasks.exe
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
2248	powershell.exe
1800	powershell.exe
1216	powershell.exe
2124	powershell.exe
1692	powershell.exe
1744	powershell.exe
2456	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	800	explorer.exe
Token: SeDebugPrivilege	1864	explorer.exe
Token: SeDebugPrivilege	2892	explorer.exe
Token: SeDebugPrivilege	1540	explorer.exe
Token: SeDebugPrivilege	2484	explorer.exe
Token: SeDebugPrivilege	2024	explorer.exe
Token: SeDebugPrivilege	1456	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1692	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	88
PID 2308 wrote to memory of 1692	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	88
PID 2308 wrote to memory of 1692	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	88
PID 2308 wrote to memory of 1800	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	89
PID 2308 wrote to memory of 1800	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	89
PID 2308 wrote to memory of 1800	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	89
PID 2308 wrote to memory of 2456	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	92
PID 2308 wrote to memory of 2456	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	92
PID 2308 wrote to memory of 2456	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	92
PID 2308 wrote to memory of 1744	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	93
PID 2308 wrote to memory of 1744	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	93
PID 2308 wrote to memory of 1744	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	93
PID 2308 wrote to memory of 668	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	94
PID 2308 wrote to memory of 668	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	94
PID 2308 wrote to memory of 668	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	94
PID 2308 wrote to memory of 1216	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	95
PID 2308 wrote to memory of 1216	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	95
PID 2308 wrote to memory of 1216	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	95
PID 2308 wrote to memory of 1064	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	96
PID 2308 wrote to memory of 1064	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	96
PID 2308 wrote to memory of 1064	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	96
PID 2308 wrote to memory of 2248	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	97
PID 2308 wrote to memory of 2248	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	97
PID 2308 wrote to memory of 2248	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	97
PID 2308 wrote to memory of 2484	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	98
PID 2308 wrote to memory of 2484	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	98
PID 2308 wrote to memory of 2484	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	98
PID 2308 wrote to memory of 1624	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	99
PID 2308 wrote to memory of 1624	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	99
PID 2308 wrote to memory of 1624	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	99
PID 2308 wrote to memory of 2244	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	100
PID 2308 wrote to memory of 2244	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	100
PID 2308 wrote to memory of 2244	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	100
PID 2308 wrote to memory of 2124	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	101
PID 2308 wrote to memory of 2124	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	101
PID 2308 wrote to memory of 2124	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	101
PID 2308 wrote to memory of 800	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	112
PID 2308 wrote to memory of 800	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	112
PID 2308 wrote to memory of 800	2308	14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe	112
PID 800 wrote to memory of 1556	800	explorer.exe	113
PID 800 wrote to memory of 1556	800	explorer.exe	113
PID 800 wrote to memory of 1556	800	explorer.exe	113
PID 800 wrote to memory of 1780	800	explorer.exe	114
PID 800 wrote to memory of 1780	800	explorer.exe	114
PID 800 wrote to memory of 1780	800	explorer.exe	114
PID 1556 wrote to memory of 1864	1556	WScript.exe	115
PID 1556 wrote to memory of 1864	1556	WScript.exe	115
PID 1556 wrote to memory of 1864	1556	WScript.exe	115
PID 1864 wrote to memory of 2688	1864	explorer.exe	116
PID 1864 wrote to memory of 2688	1864	explorer.exe	116
PID 1864 wrote to memory of 2688	1864	explorer.exe	116
PID 1864 wrote to memory of 1956	1864	explorer.exe	117
PID 1864 wrote to memory of 1956	1864	explorer.exe	117
PID 1864 wrote to memory of 1956	1864	explorer.exe	117
PID 2688 wrote to memory of 2892	2688	WScript.exe	118
PID 2688 wrote to memory of 2892	2688	WScript.exe	118
PID 2688 wrote to memory of 2892	2688	WScript.exe	118
PID 2892 wrote to memory of 2100	2892	explorer.exe	119
PID 2892 wrote to memory of 2100	2892	explorer.exe	119
PID 2892 wrote to memory of 2100	2892	explorer.exe	119
PID 2892 wrote to memory of 2948	2892	explorer.exe	120
PID 2892 wrote to memory of 2948	2892	explorer.exe	120
PID 2892 wrote to memory of 2948	2892	explorer.exe	120
PID 2100 wrote to memory of 1540	2100	WScript.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe
"C:\Users\Admin\AppData\Local\Temp\14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
  "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\225e83fe-b44f-405a-913e-0368a42da538.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
      C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7f4eb46-faae-4cca-a46d-a67ac668ae8d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\425c72ea-6bb2-4fa0-a917-7ef4dbd87c5d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c3c2ec3-9aac-445d-badc-4976e1bc59b8.vbs"
        9⤵
        
        PID:2028
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\babb8307-86b7-4a94-8baf-5324cb6ef131.vbs"
        11⤵
        
        PID:580
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5270f2e-9964-457e-b4fb-99ab1c8bd5f4.vbs"
        13⤵
        
        PID:2588
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\107605b0-e846-4fa2-b39d-c5cdef6c1451.vbs"
        13⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf71ce13-301c-4211-90e9-ae47f05bf61d.vbs"
        11⤵
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a47088f8-0508-42f0-a64a-31faeba208ca.vbs"
        9⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63ded625-0f59-407b-8de4-0d5c02c73458.vbs"
        7⤵
        
        PID:2948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34deb6b4-670c-404c-91ea-8d09c1e0624b.vbs"
        5⤵
        
        PID:1956
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01b5866e-7a6b-4961-8829-871c7c85ee11.vbs"
    3⤵
    PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Setup\State\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Landscapes\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Wallpaper\Landscapes\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe

Filesize
1.7MB

MD5
71cf8d606c066e5d43f2bb53c2d22540

SHA1
5e8c5e1efd7142f1a28e64d4736eea679eccd538

SHA256
14b01b9ea914a3a36f8ffcf62bb1c6cbb2f88c39434f5d1de2fde84b38511b32

SHA512
9688ecad23e7bc7f95df762ff4f140b37cacd31968d244c4db8daf8a1738e5f1811e4d1df63802b4889439dee5c5999f6853864df4010c82300ac1bc09b575e0

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe

Filesize
1.7MB

MD5
9fa8e84e9d8c840c933dad6bdb020db1

SHA1
533d536a1a2b0f5aa53a37b14ed71624bae96b73

SHA256
9b0ffd9b9cd6066782309d861b1a80b9864550592f9f2296754c7fc8abc57691

SHA512
ccba1f5b92aa8d37c5a906c8a301ea4f852d55a6cba638b64b7952bff7624b61b24577f4820d474aca6d912ecfd9e69ed6eb01742e98378ba647defa605f36bb

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe

Filesize
1.7MB

MD5
ddd6662d4294fac84ccc87ed751be82c

SHA1
8688104c25ebd41f7f4bb3d0aa01d046d291adeb

SHA256
018814c291ead94833b10107a95f087b1c441f7c7ed21e17ede561514a96f792

SHA512
44b18d1c3025ee96326a4b020a4122cbd31d66f43f271af1c6e76956aa7527ce7e99749bc6b10424a97220832151f5d87f676607ac7f1a7901bd6582e5472296

Download Submit
C:\Users\Admin\AppData\Local\Temp\01b5866e-7a6b-4961-8829-871c7c85ee11.vbs

Filesize
513B

MD5
5a2d9060f5a15386c426e6993fc49436

SHA1
c05290a896bdc8b23f815e183995649e3df7e3ae

SHA256
19dea94d72e21189ade088fcefc998f6065a3b7f370f579a9dd51b682ae64ecf

SHA512
1a2c4a093ed2fde0abfd03eab3bdd519f208681d83408207f3cfc96ac83c5eec4a008a13e9b11840e5770d8a1d8b38cbee6100daa83367e36646b04294d6f1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\225e83fe-b44f-405a-913e-0368a42da538.vbs

Filesize
736B

MD5
7074f9e53c1207cb1a2f871e248f9ed6

SHA1
ee2cd35e046bf0c233a0a8edd44d6d20ab826ed0

SHA256
99393a4664bd22045badee5b2336699b12bd80328096808f1cbdb7de6bda23ec

SHA512
839fb130fb174644e6f89ab26976c95bb97e36c19b0e6280d59565611ee39e6f38997222f0ccfaceabd0b6323b4116217ee3ad3b42eeffeb174394fa3793837f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c3c2ec3-9aac-445d-badc-4976e1bc59b8.vbs

Filesize
737B

MD5
87d80801a87e867e6ca77a40705de7af

SHA1
ef01643c64c572a6321421e22d54a064c891afd1

SHA256
550589d8fb20b353c0d6560a09b834b09beaf0e3aacfd083009d4ce9ea339a9b

SHA512
38b1bb9fc8a2eaf378e78da34a963d8c0ba77cd94a36f0c381b385c781df6d99a7c6db73c236e63406acd1775724c5194e1e6f468e6bd1957cb21934d7f460d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\425c72ea-6bb2-4fa0-a917-7ef4dbd87c5d.vbs

Filesize
737B

MD5
0845d831573f250814a1316496b64432

SHA1
8a41f9da20b7b4af5dcd69c741c434c0ad8b6118

SHA256
b77165bb97336fd09b4201754ff3f31353ca5163846ec2dbd32c3b6d26757cc8

SHA512
eebe63431bd119219af95ec3d13e7d3dcbcf1f62f1f67e8e18974a33b07b786e63de1b8273cb8ee044a5e6fb357a8da8ec801e3d6ec99da95a1979eb3c8e6c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\babb8307-86b7-4a94-8baf-5324cb6ef131.vbs

Filesize
737B

MD5
23acadd6e1e657566829edf36d102fe1

SHA1
6eb4312c27390b004ca6c6682397e4ce8eee53fd

SHA256
e07a5be38acd3bbaa3d3a729fc105106ab735b99a23bd488ca3c7d7d904e66df

SHA512
fa8b9d3c229b7f2c2501c725dcaac7bd79598e2d0ceadb7c2217cfed0e792b86f1805d5f2a51bf0753449a705bbd7e8f4f5204f9f1d43ab43f7adc55555709e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5270f2e-9964-457e-b4fb-99ab1c8bd5f4.vbs

Filesize
737B

MD5
dc8eb512c53ddf91fc457ae63c172282

SHA1
3560915c7a30bdd1c6f98ffad5afb5013111d8af

SHA256
eb32c3f1d72ff53270e8192b8b02ef13f4496afeca89b28f9212876dfc43142f

SHA512
2ddcec2293b358c7008a3302282aa54affa51eae3b6e4b58ab226b0bb88809700e5b57bbca00e5d88a03dcb3d6ba8b70f717d6afbac432682944375c47bf3503

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7f4eb46-faae-4cca-a46d-a67ac668ae8d.vbs

Filesize
737B

MD5
84cb5341c792c997f6c6e8c72f1080a8

SHA1
a1a4414e7653ac583b461860bd5a344ab89b1f05

SHA256
e6fff870c20a764ddf9af346071e862da4665086293c10d5253fe3bee49a3128

SHA512
01b31ac2cd873e38b3116aeb04d666337b0278fbf47fe67a6bf27f41f8019b12ae9c4f706b86622d92c4b7dc8f46c211765483a9c8947106773328f5b455bb18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ac70c5995f3249ae5b64a117ffc9e59a

SHA1
b22eaed97044a6fda7ac82083803612a909d3031

SHA256
c0ebaa4905422d54053e4423e231942614e5560ca22e2ec135bf85a58c51bb30

SHA512
8c8b3422046ae8ee012988845ac7c18a00c183e5d43bef09e8cbe353bde201d63e5ed9c59d96e096f65b0620e508800cca4032e25fd374b1a8fcecf35a5a8d86

Download Submit
C:\Users\Default\Music\services.exe

Filesize
1.7MB

MD5
fadd3d9ede038d7360ce7a1a5a3d223b

SHA1
40dbb645ec93f1b5a4cec9ad6c57856a9fefb181

SHA256
a0c494026d7789aca12b3fcc9791672a1cbb222c43129a6ac856d1a2c6e746ab

SHA512
2f232f40981774d572494a53462b0e86c3c4e7c500e28a761be38834318c0f06364cc56163d0ac138ad387d47aa0c4c1dbfd71b90da72bd0ba7cc878b7c976b6

Download Submit
C:\Users\Default\winlogon.exe

Filesize
1.7MB

MD5
b0ea9dd70d6b960abe169f400c2c9ea3

SHA1
eb65525d8f43ad22b7dcee5ae21e53857f0eaec9

SHA256
46a97f611098f411808e7b0025f8550164c16ba04aadf7445a627209e8498d3a

SHA512
db94481d66887e59efc376e25081192fff0fe5c0f5d3941cef069d6dcf57ff73b68cad7b47c93dd23bac494fedc9ee08a91862e7a61eba8953206ec1ce120fee

Download Submit
C:\Windows\Setup\State\OSPPSVC.exe

Filesize
1.7MB

MD5
b2fc76a88c43c62a0b809e4634258ff1

SHA1
31d49d92858e00ae3208b8e96f826ec534a60fc0

SHA256
e854329ca41e7e1ec26828ca2729fe198104f71611f12fb9274778f3a97106f3

SHA512
96749fa034cdc4d2cd648153dae4b724038b8cb1bb40ad0e20fbb9158d5d241db5bafd1b8af7a375f205900fcda9219969677fd08139428f6bc185764de380d0

Download Submit
C:\Windows\Web\Wallpaper\Landscapes\lsm.exe

Filesize
1.7MB

MD5
472b9e20d356e68351ce4700563b993a

SHA1
54e9b5864ff6a4ec8660bcf2d5d80214bf9316cd

SHA256
10e3011bdd6ab8966308c7e50f697317173db6a5b7e605a8768ac07be619f7ab

SHA512
eef32ff9af403e35e2503b41700c71493c604802950a433f40a075ffef3913c2faec20dd5dcc27c7c8e0db36f23cd77742637915ec8c4086710c2bacab61e81f

Download Submit
memory/800-283-0x0000000000340000-0x0000000000500000-memory.dmp

Filesize
1.8MB

Download
memory/1456-413-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1540-375-0x0000000000200000-0x00000000003C0000-memory.dmp

Filesize
1.8MB

Download
memory/1540-376-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/1864-351-0x0000000000A10000-0x0000000000BD0000-memory.dmp

Filesize
1.8MB

Download
memory/2024-401-0x0000000001060000-0x0000000001220000-memory.dmp

Filesize
1.8MB

Download
memory/2248-284-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2248-288-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/2308-14-0x0000000002290000-0x000000000229E000-memory.dmp

Filesize
56KB

Download
memory/2308-9-0x00000000008F0000-0x00000000008F8000-memory.dmp

Filesize
32KB

Download
memory/2308-189-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2308-18-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-224-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-17-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download
memory/2308-16-0x00000000022B0000-0x00000000022BC000-memory.dmp

Filesize
48KB

Download
memory/2308-15-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2308-13-0x00000000022D0000-0x00000000022DA000-memory.dmp

Filesize
40KB

Download
memory/2308-315-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2308-12-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/2308-11-0x00000000020C0000-0x00000000020D2000-memory.dmp

Filesize
72KB

Download
memory/2308-201-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-1-0x0000000000900000-0x0000000000AC0000-memory.dmp

Filesize
1.8MB

Download
memory/2308-8-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/2308-7-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2308-6-0x00000000008B0000-0x00000000008C6000-memory.dmp

Filesize
88KB

Download
memory/2308-5-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2308-2-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2308-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2484-389-0x0000000002040000-0x0000000002052000-memory.dmp

Filesize
72KB

Download
memory/2484-388-0x0000000000030000-0x00000000001F0000-memory.dmp

Filesize
1.8MB

Download
memory/2892-363-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download