dcrat | 2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Size

1.7MB
MD5

b2b9f784a9e98c98a8ddd644eb168fa6
SHA1

9e8c68675777a2718322ae626a5187d95e9d5210
SHA256

2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c
SHA512

d17d6ab45e162319bd30511019f7befa54e8aa245497d7bbc868043f851fbddbc5fb4aeb20f93aadc3e690c4a6b301ff763055513e5eed6e78f087610360f681
SSDEEP

49152:/+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:STHUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2740	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2740	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2364-1-0x0000000000CD0000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/files/0x0005000000019284-27.dat	dcrat
behavioral1/files/0x0006000000019356-82.dat	dcrat
behavioral1/files/0x0010000000019284-198.dat	dcrat
behavioral1/files/0x000a000000019630-278.dat	dcrat
behavioral1/files/0x000c00000001936b-349.dat	dcrat
behavioral1/memory/1668-351-0x0000000001080000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1784-417-0x00000000001B0000-0x0000000000370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1872	powershell.exe
2780	powershell.exe
1688	powershell.exe
2004	powershell.exe
2140	powershell.exe
1496	powershell.exe
1404	powershell.exe
824	powershell.exe
876	powershell.exe
2464	powershell.exe
1716	powershell.exe
2448	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Executes dropped EXE 7 IoCs

pid	Process
1668	lsm.exe
2216	lsm.exe
2712	lsm.exe
1056	lsm.exe
2724	lsm.exe
1732	lsm.exe
1784	lsm.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Services\1610b97d3ab4a7	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\5940a34987c991	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Google\CrashReports\spoolsv.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX25C6.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX3B3E.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Common Files\Services\OSPPSVC.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Google\CrashReports\f3b6ecef712a24	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX1A46.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX1A67.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX2354.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Google\Temp\csrss.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Google\Temp\886983d96e3d3e	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX20E2.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX2353.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX25C5.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX3B3D.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Common Files\Services\OSPPSVC.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\b75386f1303e64	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX20E1.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\csrss.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\spoolsv.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\Sorting\RCX1CD9.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\RCX36C6.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\RCX36C7.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\rescache\rc0006\wininit.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\Downloaded Program Files\7a0fd90576e088	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\taskhost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCX1C6A.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Globalization\Sorting\audiodg.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX1EDC.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX1EDD.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\security\database\RCX2C41.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\Globalization\Sorting\42af1c969fbb7b	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\security\database\csrss.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\SoftwareDistribution\DataStore\Logs\b75386f1303e64	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\security\database\RCX2C42.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\Downloaded Program Files\explorer.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\security\database\csrss.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\security\database\886983d96e3d3e	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Downloaded Program Files\explorer.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\taskhost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\Globalization\Sorting\audiodg.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
292	schtasks.exe
1804	schtasks.exe
872	schtasks.exe
1320	schtasks.exe
2456	schtasks.exe
2616	schtasks.exe
1460	schtasks.exe
2208	schtasks.exe
1952	schtasks.exe
1264	schtasks.exe
2788	schtasks.exe
1716	schtasks.exe
1856	schtasks.exe
2644	schtasks.exe
332	schtasks.exe
2380	schtasks.exe
2356	schtasks.exe
2368	schtasks.exe
2080	schtasks.exe
1768	schtasks.exe
1524	schtasks.exe
2724	schtasks.exe
1616	schtasks.exe
1276	schtasks.exe
992	schtasks.exe
1964	schtasks.exe
444	schtasks.exe
2948	schtasks.exe
2920	schtasks.exe
1404	schtasks.exe
2128	schtasks.exe
2600	schtasks.exe
2056	schtasks.exe
3044	schtasks.exe
356	schtasks.exe
1740	schtasks.exe
2504	schtasks.exe
2060	schtasks.exe
572	schtasks.exe
1852	schtasks.exe
328	schtasks.exe
1572	schtasks.exe
2572	schtasks.exe
3008	schtasks.exe
2200	schtasks.exe
2140	schtasks.exe
2528	schtasks.exe
1960	schtasks.exe
772	schtasks.exe
1332	schtasks.exe
3056	schtasks.exe
1512	schtasks.exe
1056	schtasks.exe
940	schtasks.exe
1144	schtasks.exe
1748	schtasks.exe
1532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2780	powershell.exe
1716	powershell.exe
1872	powershell.exe
2464	powershell.exe
2448	powershell.exe
2140	powershell.exe
1496	powershell.exe
876	powershell.exe
1404	powershell.exe
824	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1668	lsm.exe
Token: SeDebugPrivilege	2216	lsm.exe
Token: SeDebugPrivilege	2712	lsm.exe
Token: SeDebugPrivilege	1056	lsm.exe
Token: SeDebugPrivilege	2724	lsm.exe
Token: SeDebugPrivilege	1732	lsm.exe
Token: SeDebugPrivilege	1784	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2464	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	88
PID 2364 wrote to memory of 2464	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	88
PID 2364 wrote to memory of 2464	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	88
PID 2364 wrote to memory of 1716	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	89
PID 2364 wrote to memory of 1716	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	89
PID 2364 wrote to memory of 1716	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	89
PID 2364 wrote to memory of 876	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	90
PID 2364 wrote to memory of 876	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	90
PID 2364 wrote to memory of 876	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	90
PID 2364 wrote to memory of 2140	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	92
PID 2364 wrote to memory of 2140	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	92
PID 2364 wrote to memory of 2140	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	92
PID 2364 wrote to memory of 2004	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	93
PID 2364 wrote to memory of 2004	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	93
PID 2364 wrote to memory of 2004	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	93
PID 2364 wrote to memory of 1688	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	95
PID 2364 wrote to memory of 1688	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	95
PID 2364 wrote to memory of 1688	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	95
PID 2364 wrote to memory of 2448	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	96
PID 2364 wrote to memory of 2448	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	96
PID 2364 wrote to memory of 2448	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	96
PID 2364 wrote to memory of 2780	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	98
PID 2364 wrote to memory of 2780	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	98
PID 2364 wrote to memory of 2780	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	98
PID 2364 wrote to memory of 1872	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	99
PID 2364 wrote to memory of 1872	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	99
PID 2364 wrote to memory of 1872	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	99
PID 2364 wrote to memory of 824	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	100
PID 2364 wrote to memory of 824	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	100
PID 2364 wrote to memory of 824	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	100
PID 2364 wrote to memory of 1404	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	101
PID 2364 wrote to memory of 1404	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	101
PID 2364 wrote to memory of 1404	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	101
PID 2364 wrote to memory of 1496	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	102
PID 2364 wrote to memory of 1496	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	102
PID 2364 wrote to memory of 1496	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	102
PID 2364 wrote to memory of 2804	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	112
PID 2364 wrote to memory of 2804	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	112
PID 2364 wrote to memory of 2804	2364	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	112
PID 2804 wrote to memory of 2724	2804	cmd.exe	114
PID 2804 wrote to memory of 2724	2804	cmd.exe	114
PID 2804 wrote to memory of 2724	2804	cmd.exe	114
PID 2804 wrote to memory of 1668	2804	cmd.exe	115
PID 2804 wrote to memory of 1668	2804	cmd.exe	115
PID 2804 wrote to memory of 1668	2804	cmd.exe	115
PID 1668 wrote to memory of 1636	1668	lsm.exe	116
PID 1668 wrote to memory of 1636	1668	lsm.exe	116
PID 1668 wrote to memory of 1636	1668	lsm.exe	116
PID 1668 wrote to memory of 2328	1668	lsm.exe	117
PID 1668 wrote to memory of 2328	1668	lsm.exe	117
PID 1668 wrote to memory of 2328	1668	lsm.exe	117
PID 1636 wrote to memory of 2216	1636	WScript.exe	118
PID 1636 wrote to memory of 2216	1636	WScript.exe	118
PID 1636 wrote to memory of 2216	1636	WScript.exe	118
PID 2216 wrote to memory of 744	2216	lsm.exe	119
PID 2216 wrote to memory of 744	2216	lsm.exe	119
PID 2216 wrote to memory of 744	2216	lsm.exe	119
PID 2216 wrote to memory of 2428	2216	lsm.exe	120
PID 2216 wrote to memory of 2428	2216	lsm.exe	120
PID 2216 wrote to memory of 2428	2216	lsm.exe	120
PID 744 wrote to memory of 2712	744	WScript.exe	121
PID 744 wrote to memory of 2712	744	WScript.exe	121
PID 744 wrote to memory of 2712	744	WScript.exe	121
PID 2712 wrote to memory of 2732	2712	lsm.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
"C:\Users\Admin\AppData\Local\Temp\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9FX11cFJzR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2724
- - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
    "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ad5a401-71aa-4f01-83b6-5f78b22be447.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9998934-d804-45c6-a305-c2001cba55b3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a7570b0-6b7b-4dcc-83cc-cec54872c0d0.vbs"
        8⤵
        
        PID:2732
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d75d31-ab60-4e47-99c2-8387c6839fa6.vbs"
        10⤵
        
        PID:2652
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9170fc3a-9099-43e7-8575-d0cb43a19ea3.vbs"
        12⤵
        
        PID:2824
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd80cc07-3c31-42da-9c24-b50861f7396f.vbs"
        14⤵
        
        PID:2320
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81eae573-22c1-437a-91cd-3bb4d85e7ec0.vbs"
        16⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b68615-0c9c-4846-949d-d2704c1516d0.vbs"
        16⤵
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ddc272f-3c10-44c9-a899-4704eb7df7a0.vbs"
        14⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d487bb4d-90d2-4e76-8cfb-eb70bd3ca69d.vbs"
        12⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6e04839-f139-43b8-bb81-c86f8ce77984.vbs"
        10⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a154c3e4-0ca9-4e1a-81d7-9e57ea8f4cd0.vbs"
        8⤵
        
        PID:3060
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca2f8b4d-2dd2-4734-9b92-d16220eb9f0b.vbs"
        6⤵
        
        PID:2428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99510632-8802-4b93-a905-84381763c84e.vbs"
      4⤵
      PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Sorting\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\Sorting\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\security\database\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\database\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\security\database\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\DataStore\Logs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe

Filesize
1.7MB

MD5
72cb277e1913e5e5b20651f1f9f1af40

SHA1
11d7a90ee561e39807428267387ea6c6c434ee24

SHA256
0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81

SHA512
0838d7441404feae5e0fdb62153a1179e8fd8381aca61e49cc70adcfa657c2aedce031f1de34142ff52e48b9f016709f4cc8ccb2d8b949fc621c0a6402bd253d

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RCX414B.tmp

Filesize
1.7MB

MD5
8cdb9cbd685789f253336fd1fbba9af4

SHA1
0b9c83c1861ce13afa4aafe9a89e04a4e705ab84

SHA256
8344477843a486b13d0f9dabe008a4e12790e35f73ef2c2339d0b83757d32915

SHA512
9cf4399fc239e3c6639301e86fbfeb398796a64f9e97a5939d7e66fe073ce96e414e6e516b64ef27632906238a924e6396bd668408593f960ff7ca8ec2c8150b

Download Submit
C:\Program Files\Windows Photo Viewer\ja-JP\dllhost.exe

Filesize
1.7MB

MD5
b2b9f784a9e98c98a8ddd644eb168fa6

SHA1
9e8c68675777a2718322ae626a5187d95e9d5210

SHA256
2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c

SHA512
d17d6ab45e162319bd30511019f7befa54e8aa245497d7bbc868043f851fbddbc5fb4aeb20f93aadc3e690c4a6b301ff763055513e5eed6e78f087610360f681

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe

Filesize
1.7MB

MD5
29661d26c64b815f430031c8cfa24bda

SHA1
4e89fbb75d2757fa1b3d6c535e1279c1d893c141

SHA256
c276478dbbd74b44e4f6efbca40d3de90d752bcc9284c255d9a5b3bb274e1a08

SHA512
4e809ed1c4293af555b605f1ca5662984f1e1785a0c858755e14275324b1efc8d253118a244fe9541c26496a0b3a8e455ef7a77a2346829fa5c4ab336a6f8e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ad5a401-71aa-4f01-83b6-5f78b22be447.vbs

Filesize
746B

MD5
ebce9e166235916e0078fea1684bd547

SHA1
9f2b42572502e03bad82d56e39c9aabe7f501fad

SHA256
073412ab73fc15c0b61fd879f61e4c4eafc1155d9c573d531667802052b6363a

SHA512
19a90880435c5eacc27a91b9ff12def343b3a3981a3be7618a421e03a6b6bb2b4ca454ea90f064db5c9016c0c4bfec0a5310abf87763907c5a9a7d7e7204a720

Download Submit
C:\Users\Admin\AppData\Local\Temp\29d75d31-ab60-4e47-99c2-8387c6839fa6.vbs

Filesize
746B

MD5
a1aae8f6bdac55f6231c4916ae87d089

SHA1
264f55f08020956d61539368866fa2826e0cc71d

SHA256
43e8e687e5a554618d7b48558a3999f6283f856d2bca61705e21359c9bc0c895

SHA512
058e00fbf68e802adc2335da7a2b13b47cecd2fec080f8ab417489a0599db52ea1aceb548ac1ca11d3b5eeb8f3905a22dccdf7f2ea9b2714fd2fc750aa89c346

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a7570b0-6b7b-4dcc-83cc-cec54872c0d0.vbs

Filesize
746B

MD5
13dbeab1b7b7677262ee99af3bf7e6e0

SHA1
8064eecee4558133b954e57b220140f5d429dcbe

SHA256
ac32ed6f77e87e5943f7deed74ee2549bda1dc6dc3ff99da7a7e08200a137556

SHA512
bdd54758cfeb25864e0ad8777bc7ec7ea25eddc3702eb868afe8711cedc05b2a28b8438210c572d95a8628b2c0a8b1b4f9188824b9309eec07fdb79797ee27d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\81eae573-22c1-437a-91cd-3bb4d85e7ec0.vbs

Filesize
746B

MD5
3ea3d81817a0a3f86728dd5d0b17db5c

SHA1
e085460dcc3bfeede817e9f6e3945010064abed5

SHA256
cc39afd76b283e74591efab70de06ce6eb02609696ca4f92a5f341e99ec2d6e5

SHA512
c27cb1f6551b3c29614344b3efca793a9f7edea7cc6b79d06079b09497b1f627a8ea1558bcfc60d7216bc61a64cb40cdda0b82afe7e2fc56a954f4d0982161b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9170fc3a-9099-43e7-8575-d0cb43a19ea3.vbs

Filesize
746B

MD5
db119fc6b8ffb5a1f3e7f4b6190f6f49

SHA1
c4339845dcb9262fe75cf6cf16b92ccffb8b9034

SHA256
1975fdad23d0b6a2e933bc81fe55f1d1d75337587ebcac4595239877c113f432

SHA512
fccf9b16d46bb91343da59cd795a6cb175867037f7d92671d464ab95b56db0f6389a52568a646876191da52d0680f95b162cb7be3b7e961069d21a87d2ca5cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\99510632-8802-4b93-a905-84381763c84e.vbs

Filesize
522B

MD5
9201540fa2c2cbd19afc938622831448

SHA1
0522568134da8a0ae29342d6ef70189712fdbe79

SHA256
3e452d50af66a438b4e28670fb0ea7d3dade641d4db2cb50706da6add7f72c25

SHA512
e255f937e98b3dcd41801c8f49b3c1253c43dac709fc06d70f38bdeda50c298708867c8e5c393640c24988328aa5a932c95b11a27a22e77dd93c254acbd3c139

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FX11cFJzR.bat

Filesize
235B

MD5
3d7a05e6b8fe01a718cbf22eedb4fa67

SHA1
fc1b1ef2185213bd2f5f1663d2f3eb95759b5b0a

SHA256
0b33d7646ef0a0304630849372dd5cde0cac73fee6789cc6db08a9d4f2f7e6e9

SHA512
e48fb752ad3d7708a49fa528e8d2c91990b228fa6e48810a963e2cfe8a7fcee27c24950c7be3345890f4d1446108819a6849afb89d440e7db5ea6da64b5f9043

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9998934-d804-45c6-a305-c2001cba55b3.vbs

Filesize
746B

MD5
e6c7cf82e822d4a2acbca0e81a0d282b

SHA1
601cf2025bdfc2ac0b6df0220f43b8c11d61966f

SHA256
00c4de3a83bc35ef661a618feaef1d46a541397eac7bae149039060dc3adf163

SHA512
cd05c31608b17dc39cf1be29a76b09e92d1eb311ce5d27cd9880052155021fead7d5c773f0c86b9b47fe45c1ed0e49224a910473bbef15fd78b563bb84b832c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd80cc07-3c31-42da-9c24-b50861f7396f.vbs

Filesize
746B

MD5
53a4d524462685a4fa9ae7b1118507ed

SHA1
ff9f069a8b97582cea4dcff9b161d6942044bf4e

SHA256
c1e9e2a134d0aa077944d0ac20edf3632f0f4348a681bb2237672eae16d4532d

SHA512
3f415c91973697700f2808f45151ae85e660fdef9a2015573ed1747c0b4da665c1ed58919530f5b65a6d1cf124d792daccfafb6fe340c19f676b273e78a950c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8859aabfc75d9731866a3419ad9f6385

SHA1
e385f9ea16708c70a76007bea60e1d33f5aee693

SHA256
dfa87f0496e01924f31e4ba8d9bc072e6f01e665c1dd5bf19573a5882c96703a

SHA512
7a266a30af293635d6f8860ca18e77b2935100255d301f87ff4d588faee56a950515e00564e7fd4f29250ad509f969adb9c63b0a422e416390ba6b7ffe79725f

Download Submit
C:\Windows\Globalization\Sorting\audiodg.exe

Filesize
1.7MB

MD5
fb96d3688cb83274a58538350cfe3881

SHA1
c27d516958ad0e997af3a21bb69330ea23d32361

SHA256
d4d6024392fe75517bc483225ec4279b522cc7923b9abe6781f815d643435030

SHA512
9d454305d53b956abb79eb43f985c2bd54c240ff05eefae13ef84dc4851796713f258c5807159af8132f2e91359edec8650b239e408f29f8c34ae649193274c2

Download Submit
memory/1668-351-0x0000000001080000-0x0000000001240000-memory.dmp

Filesize
1.8MB

Download
memory/1784-417-0x00000000001B0000-0x0000000000370000-memory.dmp

Filesize
1.8MB

Download
memory/2364-9-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2364-6-0x00000000022A0000-0x00000000022B6000-memory.dmp

Filesize
88KB

Download
memory/2364-17-0x0000000002370000-0x000000000237C000-memory.dmp

Filesize
48KB

Download
memory/2364-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2364-12-0x0000000002320000-0x000000000232C000-memory.dmp

Filesize
48KB

Download
memory/2364-4-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/2364-16-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/2364-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-301-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-15-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2364-5-0x0000000002290000-0x00000000022A0000-memory.dmp

Filesize
64KB

Download
memory/2364-3-0x0000000000CA0000-0x0000000000CBC000-memory.dmp

Filesize
112KB

Download
memory/2364-14-0x0000000002330000-0x000000000233E000-memory.dmp

Filesize
56KB

Download
memory/2364-1-0x0000000000CD0000-0x0000000000E90000-memory.dmp

Filesize
1.8MB

Download
memory/2364-226-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-13-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/2364-201-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2364-11-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/2364-20-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-8-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/2364-7-0x00000000022C0000-0x00000000022D0000-memory.dmp

Filesize
64KB

Download
memory/2364-238-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-332-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2780-312-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download