dcrat | 2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Size

1.7MB
MD5

b2b9f784a9e98c98a8ddd644eb168fa6
SHA1

9e8c68675777a2718322ae626a5187d95e9d5210
SHA256

2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c
SHA512

d17d6ab45e162319bd30511019f7befa54e8aa245497d7bbc868043f851fbddbc5fb4aeb20f93aadc3e690c4a6b301ff763055513e5eed6e78f087610360f681
SSDEEP

49152:/+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:STHUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	4972	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4972	schtasks.exe	82

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2388-1-0x0000000000E90000-0x0000000001050000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b97-30.dat	dcrat
behavioral2/files/0x000200000001e764-111.dat	dcrat
behavioral2/files/0x000d000000023b99-155.dat	dcrat
behavioral2/files/0x0011000000023bbf-194.dat	dcrat
behavioral2/files/0x000b000000023c00-389.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
760	powershell.exe
2344	powershell.exe
2532	powershell.exe
3188	powershell.exe
2908	powershell.exe
2184	powershell.exe
2672	powershell.exe
2276	powershell.exe
4648	powershell.exe
4988	powershell.exe
456	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 7 IoCs

pid	Process
3544	csrss.exe
3272	csrss.exe
4328	csrss.exe
4988	csrss.exe
1744	csrss.exe
2808	csrss.exe
4976	csrss.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LogFiles\SAM\RCXAE14.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\SysWOW64\LogFiles\SAM\fontdrvhost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\SysWOW64\LogFiles\SAM\fontdrvhost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\SysWOW64\LogFiles\SAM\5b884080fd4f94	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\SysWOW64\LogFiles\SAM\RCXAE13.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\attachments\e1ef82546f0b02	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Windows Mail\RCXB724.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXB92A.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Java\wininit.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\56085415360792	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Windows Mail\services.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXA6DA.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\MusNotification.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\dwm.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Uninstall Information\MusNotification.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Uninstall Information\aa97147c4c782d	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Windows Mail\c5b4cb5e9653cc	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXA437.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Uninstall Information\MusNotification.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\aa97147c4c782d	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\RCX9CB0.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Java\RCX9F61.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Java\wininit.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Java\56085415360792	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXA448.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXA65C.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXA90E.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\MusNotification.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files\Crashpad\attachments\SppExtComObj.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\sihost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\66fc9ff0ee96c2	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\RCX9CAF.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXA90D.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Crashpad\attachments\SppExtComObj.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXB4B1.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXB929.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\sihost.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Windows Mail\RCXB6B6.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Windows Mail\services.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files\Java\RCX9FA0.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXB4A1.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Panther\actionqueue\services.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Windows\Panther\actionqueue\c5b4cb5e9653cc	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCXB018.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCXB087.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Windows\Panther\actionqueue\services.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1892	schtasks.exe
1744	schtasks.exe
1152	schtasks.exe
3036	schtasks.exe
1668	schtasks.exe
2276	schtasks.exe
2124	schtasks.exe
264	schtasks.exe
2996	schtasks.exe
1424	schtasks.exe
3472	schtasks.exe
4988	schtasks.exe
2344	schtasks.exe
2416	schtasks.exe
2328	schtasks.exe
4928	schtasks.exe
116	schtasks.exe
956	schtasks.exe
4960	schtasks.exe
812	schtasks.exe
3908	schtasks.exe
3540	schtasks.exe
3312	schtasks.exe
5040	schtasks.exe
1132	schtasks.exe
4324	schtasks.exe
924	schtasks.exe
1568	schtasks.exe
3332	schtasks.exe
4752	schtasks.exe
2848	schtasks.exe
1160	schtasks.exe
2292	schtasks.exe
1884	schtasks.exe
2392	schtasks.exe
3764	schtasks.exe
4004	schtasks.exe
2988	schtasks.exe
2268	schtasks.exe
1268	schtasks.exe
980	schtasks.exe
2696	schtasks.exe
1400	schtasks.exe
3820	schtasks.exe
3644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2532	powershell.exe
2532	powershell.exe
456	powershell.exe
456	powershell.exe
4648	powershell.exe
4648	powershell.exe
4988	powershell.exe
4988	powershell.exe
2344	powershell.exe
2344	powershell.exe
2908	powershell.exe
2908	powershell.exe
3188	powershell.exe
3188	powershell.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	3544	csrss.exe
Token: SeDebugPrivilege	3272	csrss.exe
Token: SeDebugPrivilege	4328	csrss.exe
Token: SeDebugPrivilege	4988	csrss.exe
Token: SeDebugPrivilege	1744	csrss.exe
Token: SeDebugPrivilege	2808	csrss.exe
Token: SeDebugPrivilege	4976	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2532	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	132
PID 2388 wrote to memory of 2532	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	132
PID 2388 wrote to memory of 3188	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	133
PID 2388 wrote to memory of 3188	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	133
PID 2388 wrote to memory of 2276	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	134
PID 2388 wrote to memory of 2276	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	134
PID 2388 wrote to memory of 4648	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	135
PID 2388 wrote to memory of 4648	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	135
PID 2388 wrote to memory of 4988	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	136
PID 2388 wrote to memory of 4988	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	136
PID 2388 wrote to memory of 2908	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	137
PID 2388 wrote to memory of 2908	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	137
PID 2388 wrote to memory of 456	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	138
PID 2388 wrote to memory of 456	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	138
PID 2388 wrote to memory of 2184	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	139
PID 2388 wrote to memory of 2184	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	139
PID 2388 wrote to memory of 760	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	140
PID 2388 wrote to memory of 760	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	140
PID 2388 wrote to memory of 2672	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	141
PID 2388 wrote to memory of 2672	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	141
PID 2388 wrote to memory of 2344	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	142
PID 2388 wrote to memory of 2344	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	142
PID 2388 wrote to memory of 3544	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	154
PID 2388 wrote to memory of 3544	2388	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	154
PID 3544 wrote to memory of 404	3544	csrss.exe	157
PID 3544 wrote to memory of 404	3544	csrss.exe	157
PID 3544 wrote to memory of 1732	3544	csrss.exe	158
PID 3544 wrote to memory of 1732	3544	csrss.exe	158
PID 404 wrote to memory of 3272	404	WScript.exe	159
PID 404 wrote to memory of 3272	404	WScript.exe	159
PID 3272 wrote to memory of 2908	3272	csrss.exe	160
PID 3272 wrote to memory of 2908	3272	csrss.exe	160
PID 3272 wrote to memory of 1688	3272	csrss.exe	161
PID 3272 wrote to memory of 1688	3272	csrss.exe	161
PID 2908 wrote to memory of 4328	2908	WScript.exe	164
PID 2908 wrote to memory of 4328	2908	WScript.exe	164
PID 4328 wrote to memory of 1372	4328	csrss.exe	165
PID 4328 wrote to memory of 1372	4328	csrss.exe	165
PID 4328 wrote to memory of 60	4328	csrss.exe	166
PID 4328 wrote to memory of 60	4328	csrss.exe	166
PID 1372 wrote to memory of 4988	1372	WScript.exe	167
PID 1372 wrote to memory of 4988	1372	WScript.exe	167
PID 4988 wrote to memory of 2412	4988	csrss.exe	168
PID 4988 wrote to memory of 2412	4988	csrss.exe	168
PID 4988 wrote to memory of 3968	4988	csrss.exe	169
PID 4988 wrote to memory of 3968	4988	csrss.exe	169
PID 2412 wrote to memory of 1744	2412	WScript.exe	170
PID 2412 wrote to memory of 1744	2412	WScript.exe	170
PID 1744 wrote to memory of 3500	1744	csrss.exe	171
PID 1744 wrote to memory of 3500	1744	csrss.exe	171
PID 1744 wrote to memory of 436	1744	csrss.exe	172
PID 1744 wrote to memory of 436	1744	csrss.exe	172
PID 3500 wrote to memory of 2808	3500	WScript.exe	173
PID 3500 wrote to memory of 2808	3500	WScript.exe	173
PID 2808 wrote to memory of 3116	2808	csrss.exe	174
PID 2808 wrote to memory of 3116	2808	csrss.exe	174
PID 2808 wrote to memory of 2884	2808	csrss.exe	175
PID 2808 wrote to memory of 2884	2808	csrss.exe	175
PID 3116 wrote to memory of 4976	3116	WScript.exe	176
PID 3116 wrote to memory of 4976	3116	WScript.exe	176
PID 4976 wrote to memory of 4392	4976	csrss.exe	177
PID 4976 wrote to memory of 4392	4976	csrss.exe	177
PID 4976 wrote to memory of 872	4976	csrss.exe	178
PID 4976 wrote to memory of 872	4976	csrss.exe	178

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
"C:\Users\Admin\AppData\Local\Temp\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
  "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d187645-4129-4889-89b5-4ab3c616a072.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
      "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3272
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5683848-1ecd-41de-9af0-db2ce285c1b2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dce5e61b-347a-4caa-9bdb-a59a262deae4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e542230-6a64-4ffd-accb-79154b3fa78e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f986c3a-7369-44fa-b362-ee171b9fb4c1.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1c54a2a-f6ad-4826-9870-cd051527846a.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aabf6cf-d74e-43bc-84d4-b65f9c45c4e4.vbs"
        15⤵
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\989b00b2-35a8-450a-b422-e5f6ce85a7b0.vbs"
        15⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b22b300-82b9-41c4-93b8-0b762a88ab5e.vbs"
        13⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e5faa2d-7756-41a2-9dbf-46f7ab147366.vbs"
        11⤵
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6957c821-19ee-4835-a632-fc85b1121c19.vbs"
        9⤵
        
        PID:3968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dca9b1ba-788a-4279-9bb0-d0e4af957cb4.vbs"
        7⤵
        
        PID:60
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b0506d0-9627-41de-8bd6-1ba28b8f70c3.vbs"
        5⤵
        
        PID:1688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28879e71-8160-4e5c-9654-a56e513a9bb8.vbs"
    3⤵
    PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\plugins\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\plugins\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\attachments\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\LogFiles\SAM\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\LogFiles\SAM\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\LogFiles\SAM\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\actionqueue\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe

Filesize
1.7MB

MD5
320723b1d05ca86fc4f80befcc5caa01

SHA1
4c7a6e76d53a965d11b4f6be28cded441778427e

SHA256
ace5bef2ad3b0c34ec03406472dfb9482d8ee5cff0c54b2fcf30fdb6300bb779

SHA512
32ccb6de0aa217f739ca1022f688b9a5e4adc07e40fde734b069c9760c53554f27e09dfb23addd8cdd67e7d7aab687ff9ce17e4cc2c15ed57114c5a713e9c6a4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\wininit.exe

Filesize
1.7MB

MD5
b2b9f784a9e98c98a8ddd644eb168fa6

SHA1
9e8c68675777a2718322ae626a5187d95e9d5210

SHA256
2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c

SHA512
d17d6ab45e162319bd30511019f7befa54e8aa245497d7bbc868043f851fbddbc5fb4aeb20f93aadc3e690c4a6b301ff763055513e5eed6e78f087610360f681

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe

Filesize
1.7MB

MD5
72cb277e1913e5e5b20651f1f9f1af40

SHA1
11d7a90ee561e39807428267387ea6c6c434ee24

SHA256
0cee43ba49baad4a7b1ec2c93a9de06f3d6c197d3ba63ef5a6fd98c04205aa81

SHA512
0838d7441404feae5e0fdb62153a1179e8fd8381aca61e49cc70adcfa657c2aedce031f1de34142ff52e48b9f016709f4cc8ccb2d8b949fc621c0a6402bd253d

Download Submit
C:\Program Files\Windows Mail\services.exe

Filesize
1.7MB

MD5
d7e77e4072b12c9ddaeb62eb27e66067

SHA1
0749f23f6fd5433bd18474449ffd484d25c9ca32

SHA256
982ff7c6e767ccf44fba349593e433801022ce31ff7b349d605ba58c41d9529a

SHA512
e10b40d5c74224e14dc4bf3126f827212a789364e9b2527e39fa8887ac7d3e6e60d90eed62e6382db597dcbc7f55dd8d29b6d56316a7f896a153f5dcac92b8c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\28879e71-8160-4e5c-9654-a56e513a9bb8.vbs

Filesize
515B

MD5
aa13cc448b324bf316b479c08d84b6e8

SHA1
53d4224ea8b2177cf902ba8de5777ee18e260367

SHA256
cb7d099e570fd7a8a374d1b537b7b21e9cfbb374e62163e0518aedbf761756a3

SHA512
5d1700015aa6026c3549c806839cafd16cbd6a5f28e92105df1f9500ea54c52dfa1e8574995d50cf9c232f64d3c4b3d9768f1a9462fa4554b6b988e424737de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f986c3a-7369-44fa-b362-ee171b9fb4c1.vbs

Filesize
739B

MD5
32595fd5003aaa4239bad57efc07fca0

SHA1
26201a0c9a71ffce7f94273e378d8290ce7f9cf8

SHA256
907e4b220499fba5d1496b7b70cb7c975d0d6911f02f8c7c78048ddf9f109094

SHA512
adcb7429fed82707f59f5e0ec3aeee4a0f238f045a52ed74ac47a112f02f86084aee6d9931b12db4f37c1a1d04f9e76088d41d429f41290c762fd24954ec1d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8aabf6cf-d74e-43bc-84d4-b65f9c45c4e4.vbs

Filesize
739B

MD5
ad4de2fae856e71bd6ee3e9b06af29de

SHA1
6e429348e509fc5034f0134e09437117a3d4c344

SHA256
5c096f10f7197459adfcedcc5c32fc84f97c9d227f92b5ee659f6af57aeba48b

SHA512
d95afeb198707e7f29a7cfdd5efbcd8275ffeb1438616b4baf1ad65b33aa6ac948d1a17ceaa371001bfe6b57e01ff3869238a17f7cf6ec726bc5fa740bd3a49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d187645-4129-4889-89b5-4ab3c616a072.vbs

Filesize
739B

MD5
fce0ddba59d8b7a2f05c968368c4cdda

SHA1
e87ee8666bd89189bbb736d302e221158bab971d

SHA256
42b559080a4b0f72b9703a1da0d65c2afb59e426aab05efe7fc35866f4181962

SHA512
7b1e52d5fb90c5121ee36726aeb5708c389b6ae237c2429784c9e81392b047ad92f2afbaa8d0a0b38d5d2605a2de1d2217a44fa4a462a2517c1785f88c456fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e542230-6a64-4ffd-accb-79154b3fa78e.vbs

Filesize
739B

MD5
beac5f17921907af8365ecd7be925c08

SHA1
cdc7829e0b7224ab26410229f0c4faff5afaeecd

SHA256
07eaaa18c7b4ddb77aa09719230f47225e6cfeed424d5be90569537aefe2f991

SHA512
9fc87d2f3522dd6d3ae63393861a995ac2667888bea8ff91272a7ded18c6b7c9d751ad705fd4474095fd8b77253cf4966c9a9ec3d66360b6ba2bc11c7e223c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5hnrcej.ukg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1c54a2a-f6ad-4826-9870-cd051527846a.vbs

Filesize
739B

MD5
1455b1ed6e6580cb41997eb7b529e746

SHA1
b130cc537b99d0623ee5b6b73f1eeaa1a58830ea

SHA256
3081bf7df8042b8dec7e23af7720f6de00fb3530f26128bfdbdef2f5abf2c778

SHA512
f0ab0c1008eee59be7faeb1f1655fbe6b58eb38d7a8a260af5f878ad7f2cb333f8910e39991c5633613c1135f013c08d2db56b960ee38a54b15401963c96aa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\dce5e61b-347a-4caa-9bdb-a59a262deae4.vbs

Filesize
739B

MD5
f59075d0452a7d9c3f8344004b16f651

SHA1
0196a2afa8e47eedd0f90cef00326347fb6eab03

SHA256
bb826fdca93c977e28e0bd425576aa7e7ab22fe58a64f541015fbbfc7dda8b4b

SHA512
c882d892b4c20425823bb766c7b8741159943e14640ed25cd5c1e564a57af7f44a449ba1872bb0a83b8df91e8510d4bc1cc7179e8782e505056e31a9917ff0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5683848-1ecd-41de-9af0-db2ce285c1b2.vbs

Filesize
739B

MD5
3f46891095de957ce27e2f58ce76f43c

SHA1
ff619ebb905b0dc4a68a8a7664a933ae5850c21a

SHA256
c7fb24a4603097d003add8520387e1020ba217e49c23d824b40b6927bc97448d

SHA512
ad32f5f37d2de6cd1a6c5302baa25d78788ea9f20f28613e37565920b36c846fc83f449c640f86da793c57ec555d900d323bf24c9a76a1562bb7537ad5e6b11a

Download Submit
C:\Windows\Panther\actionqueue\services.exe

Filesize
1.7MB

MD5
68368a7f9a2b843700c404a7193afa84

SHA1
8597bcd4fe7e7a70d7993ad28b87bcfce6483136

SHA256
67ddb6b840e6051ca5b2db3134fe408dbdd5644be4927d48b6f832a0a35b556a

SHA512
415057c007e3b98f35e504e47d524a2f0ae8a7aef0eb3c20cda9c1673175ca86cb3787dacd3108d442d212172f53d4a3d2e7fb8881bcffc21ef25d8a4cf224c0

Download Submit
memory/2388-18-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/2388-3-0x00000000019A0000-0x00000000019BC000-memory.dmp

Filesize
112KB

Download
memory/2388-19-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

Filesize
48KB

Download
memory/2388-148-0x00007FF828243000-0x00007FF828245000-memory.dmp

Filesize
8KB

Download
memory/2388-0-0x00007FF828243000-0x00007FF828245000-memory.dmp

Filesize
8KB

Download
memory/2388-160-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/2388-169-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/2388-15-0x000000001BC60000-0x000000001BC6A000-memory.dmp

Filesize
40KB

Download
memory/2388-208-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/2388-16-0x000000001BC70000-0x000000001BC7E000-memory.dmp

Filesize
56KB

Download
memory/2388-392-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/2388-17-0x000000001BC80000-0x000000001BC88000-memory.dmp

Filesize
32KB

Download
memory/2388-1-0x0000000000E90000-0x0000000001050000-memory.dmp

Filesize
1.8MB

Download
memory/2388-22-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/2388-10-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

Filesize
32KB

Download
memory/2388-14-0x000000001BC40000-0x000000001BC4C000-memory.dmp

Filesize
48KB

Download
memory/2388-13-0x000000001C990000-0x000000001CEB8000-memory.dmp

Filesize
5.2MB

Download
memory/2388-12-0x000000001BBC0000-0x000000001BBD2000-memory.dmp

Filesize
72KB

Download
memory/2388-23-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/2388-9-0x000000001BBA0000-0x000000001BBAC000-memory.dmp

Filesize
48KB

Download
memory/2388-4-0x000000001BBF0000-0x000000001BC40000-memory.dmp

Filesize
320KB

Download
memory/2388-5-0x00000000019C0000-0x00000000019C8000-memory.dmp

Filesize
32KB

Download
memory/2388-7-0x0000000003290000-0x00000000032A6000-memory.dmp

Filesize
88KB

Download
memory/2388-8-0x00000000032B0000-0x00000000032C0000-memory.dmp

Filesize
64KB

Download
memory/2388-6-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/2388-2-0x00007FF828240000-0x00007FF828D01000-memory.dmp

Filesize
10.8MB

Download
memory/2532-286-0x0000016A1FC40000-0x0000016A1FC62000-memory.dmp

Filesize
136KB

Download
memory/3544-393-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download