dcrat | 8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
Size

1.7MB
MD5

6c26f99f8cc5c28eedd98e866861d80d
SHA1

44d8cc809e4617152a9d8d2f0ff45991407d3ca4
SHA256

8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b
SHA512

d460bd742c0044711dd64d656977d924fc67e5580277a5649b931dd07d1de8951f408a711091037e8b08a81c391bccc1a8388745455180791af6c2b66c1a2359
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2704	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2704	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2676-1-0x00000000002E0000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/files/0x0005000000019520-27.dat	dcrat
behavioral1/files/0x000b00000001927a-97.dat	dcrat
behavioral1/files/0x0008000000019520-120.dat	dcrat
behavioral1/memory/928-212-0x0000000000AD0000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/1604-223-0x0000000000BB0000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/3016-236-0x0000000000F90000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/764-248-0x0000000001340000-0x0000000001500000-memory.dmp	dcrat
behavioral1/memory/2676-260-0x0000000000020000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2720-272-0x00000000013E0000-0x00000000015A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2660	powershell.exe
2976	powershell.exe
2652	powershell.exe
1548	powershell.exe
2140	powershell.exe
1928	powershell.exe
2932	powershell.exe
1920	powershell.exe
1968	powershell.exe
1936	powershell.exe
2272	powershell.exe
1068	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe

Executes dropped EXE 10 IoCs

pid	Process
928	lsm.exe
1604	lsm.exe
3016	lsm.exe
764	lsm.exe
2676	lsm.exe
2720	lsm.exe
2004	lsm.exe
2260	lsm.exe
2192	lsm.exe
2700	lsm.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\101b941d020240	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\RCX3768.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\RCX3767.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\RCX396C.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\RCX396D.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Program Files\Windows Media Player\ja-JP\1610b97d3ab4a7	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
2152	schtasks.exe
880	schtasks.exe
2236	schtasks.exe
1240	schtasks.exe
1584	schtasks.exe
2068	schtasks.exe
2640	schtasks.exe
2772	schtasks.exe
1964	schtasks.exe
1944	schtasks.exe
1532	schtasks.exe
2664	schtasks.exe
2332	schtasks.exe
580	schtasks.exe
2016	schtasks.exe
1696	schtasks.exe
2512	schtasks.exe
2568	schtasks.exe
2492	schtasks.exe
2316	schtasks.exe
2588	schtasks.exe
2964	schtasks.exe
2432	schtasks.exe
1052	schtasks.exe
2528	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
1068	powershell.exe
2272	powershell.exe
2140	powershell.exe
1968	powershell.exe
1548	powershell.exe
1936	powershell.exe
2652	powershell.exe
2660	powershell.exe
1928	powershell.exe
2976	powershell.exe
1920	powershell.exe
2932	powershell.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe
928	lsm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	928	lsm.exe
Token: SeDebugPrivilege	1604	lsm.exe
Token: SeDebugPrivilege	3016	lsm.exe
Token: SeDebugPrivilege	764	lsm.exe
Token: SeDebugPrivilege	2676	lsm.exe
Token: SeDebugPrivilege	2720	lsm.exe
Token: SeDebugPrivilege	2004	lsm.exe
Token: SeDebugPrivilege	2260	lsm.exe
Token: SeDebugPrivilege	2192	lsm.exe
Token: SeDebugPrivilege	2700	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2140	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	58
PID 2676 wrote to memory of 2140	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	58
PID 2676 wrote to memory of 2140	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	58
PID 2676 wrote to memory of 1548	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	59
PID 2676 wrote to memory of 1548	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	59
PID 2676 wrote to memory of 1548	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	59
PID 2676 wrote to memory of 1068	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	60
PID 2676 wrote to memory of 1068	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	60
PID 2676 wrote to memory of 1068	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	60
PID 2676 wrote to memory of 2272	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	62
PID 2676 wrote to memory of 2272	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	62
PID 2676 wrote to memory of 2272	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	62
PID 2676 wrote to memory of 1936	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	64
PID 2676 wrote to memory of 1936	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	64
PID 2676 wrote to memory of 1936	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	64
PID 2676 wrote to memory of 1968	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	67
PID 2676 wrote to memory of 1968	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	67
PID 2676 wrote to memory of 1968	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	67
PID 2676 wrote to memory of 1920	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	69
PID 2676 wrote to memory of 1920	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	69
PID 2676 wrote to memory of 1920	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	69
PID 2676 wrote to memory of 1928	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	71
PID 2676 wrote to memory of 1928	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	71
PID 2676 wrote to memory of 1928	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	71
PID 2676 wrote to memory of 2660	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	73
PID 2676 wrote to memory of 2660	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	73
PID 2676 wrote to memory of 2660	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	73
PID 2676 wrote to memory of 2932	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	74
PID 2676 wrote to memory of 2932	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	74
PID 2676 wrote to memory of 2932	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	74
PID 2676 wrote to memory of 2976	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	75
PID 2676 wrote to memory of 2976	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	75
PID 2676 wrote to memory of 2976	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	75
PID 2676 wrote to memory of 2652	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	76
PID 2676 wrote to memory of 2652	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	76
PID 2676 wrote to memory of 2652	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	76
PID 2676 wrote to memory of 2916	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	82
PID 2676 wrote to memory of 2916	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	82
PID 2676 wrote to memory of 2916	2676	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	82
PID 2916 wrote to memory of 880	2916	cmd.exe	84
PID 2916 wrote to memory of 880	2916	cmd.exe	84
PID 2916 wrote to memory of 880	2916	cmd.exe	84
PID 2916 wrote to memory of 928	2916	cmd.exe	85
PID 2916 wrote to memory of 928	2916	cmd.exe	85
PID 2916 wrote to memory of 928	2916	cmd.exe	85
PID 928 wrote to memory of 788	928	lsm.exe	86
PID 928 wrote to memory of 788	928	lsm.exe	86
PID 928 wrote to memory of 788	928	lsm.exe	86
PID 928 wrote to memory of 2472	928	lsm.exe	87
PID 928 wrote to memory of 2472	928	lsm.exe	87
PID 928 wrote to memory of 2472	928	lsm.exe	87
PID 788 wrote to memory of 1604	788	WScript.exe	88
PID 788 wrote to memory of 1604	788	WScript.exe	88
PID 788 wrote to memory of 1604	788	WScript.exe	88
PID 1604 wrote to memory of 1020	1604	lsm.exe	89
PID 1604 wrote to memory of 1020	1604	lsm.exe	89
PID 1604 wrote to memory of 1020	1604	lsm.exe	89
PID 1604 wrote to memory of 2308	1604	lsm.exe	90
PID 1604 wrote to memory of 2308	1604	lsm.exe	90
PID 1604 wrote to memory of 2308	1604	lsm.exe	90
PID 1020 wrote to memory of 3016	1020	WScript.exe	91
PID 1020 wrote to memory of 3016	1020	WScript.exe	91
PID 1020 wrote to memory of 3016	1020	WScript.exe	91
PID 3016 wrote to memory of 2272	3016	lsm.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
"C:\Users\Admin\AppData\Local\Temp\8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n0SniZDXo0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:880
- - C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
    "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7b01d1d-e7c2-4bbe-89b0-a89d432e13d4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c39dfbc-4386-4d12-b628-8f2f0e634019.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a88e365-d848-4a19-953d-3637b150e31f.vbs"
        8⤵
        
        PID:2272
        
        C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b62519a4-b52a-4c16-8def-fdfe37275759.vbs"
        10⤵
        
        PID:2552
        
        C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1762db2d-826f-49b0-9b10-921acd6ad196.vbs"
        12⤵
        
        PID:1640
        
        C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec4bcf63-eef9-4f46-9629-b4c20251b299.vbs"
        14⤵
        
        PID:2332
        
        C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfbd624f-09bd-4511-8ae4-4aff3c38be21.vbs"
        16⤵
        
        PID:2588
        
        C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c5bf6a-222b-4a04-b64e-0739ece15cff.vbs"
        18⤵
        
        PID:2836
        
        C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e132e4f-afb0-4b44-a047-08241dc109f5.vbs"
        20⤵
        
        PID:2932
        
        C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a806aeb-4f38-43a2-9f71-9f9efdbf8946.vbs"
        22⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a7566ea-9b4a-4f6d-9962-cb4522a3cbd0.vbs"
        22⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a3d8140-570f-432b-a04a-35c5a6368994.vbs"
        20⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4192ec-6bbd-4096-8284-55c468d4e82f.vbs"
        18⤵
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e2fe022-d9f2-4fad-a559-0a254f8e7412.vbs"
        16⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c4f25ef-54b4-4880-a0d8-fb4a8d1dc806.vbs"
        14⤵
        
        PID:788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0f19854-bf3a-44d1-b9fe-97b51d3c3e55.vbs"
        12⤵
        
        PID:1132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cb59504-52b6-4039-998b-a158eeb70cb3.vbs"
        10⤵
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7327be10-469c-4754-bad2-24529ae20ac0.vbs"
        8⤵
        
        PID:2340
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6e680bc-504a-4f71-87b0-e1f719073bae.vbs"
        6⤵
        
        PID:2308
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\151d618f-8fd7-4a93-9033-373b146afd9a.vbs"
      4⤵
      PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe

Filesize
1.7MB

MD5
63c1a627de1d7006ff3eccd093191ca3

SHA1
8ccc833dfaa2fb78bceac0592bd5826669dc2692

SHA256
2a10927edebfab51b46006398a1a2db3090fd49b6872b1ab27b5c317d7bb50b1

SHA512
55124832f7c9fc2e751fcd6abd24724e65013c93e7b3856e8c971cb2c737990ce1e3d8c9ca6d0d24fac895d14d6eaf8a5579d2bdaf06a1f8e1c0ed39d39d639f

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe

Filesize
1.7MB

MD5
6c26f99f8cc5c28eedd98e866861d80d

SHA1
44d8cc809e4617152a9d8d2f0ff45991407d3ca4

SHA256
8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b

SHA512
d460bd742c0044711dd64d656977d924fc67e5580277a5649b931dd07d1de8951f408a711091037e8b08a81c391bccc1a8388745455180791af6c2b66c1a2359

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe

Filesize
1.7MB

MD5
10222a0adce8fc6e6999f13dfa025dc9

SHA1
6c6a4014c48f936b20010d8e9ae8550440f0de0c

SHA256
5cfb592d6ed8fc7da8554a2ef3d8cca1836734b619a27bd15cdc134d6675e1d9

SHA512
4ea176abcbce12eea803b85af66265417645ea162ec645e582b11adfffa134fa0f047bbfc7305cb6c96372eabeaa14feb9f808e2d2c8ba37a2615895c6972fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a806aeb-4f38-43a2-9f71-9f9efdbf8946.vbs

Filesize
729B

MD5
94c88ddc7f507cd09ca958607a4d23ef

SHA1
d90d9587cc7b5024c0c4cb48668ff42c663c13c8

SHA256
86e0cbaa46aea2e772a96ed0f1e220dc405f89301cc325600067836446fc05c9

SHA512
da07520ef7eddf010ffbe680f444b523dd399d263ff840798e0eba533a130751f284f028037ad87e96cc0a7b324c99dc701dd05185bb8a5f3011071dc224cb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\151d618f-8fd7-4a93-9033-373b146afd9a.vbs

Filesize
505B

MD5
87de53039d761c633f0bd2b0e848ff2c

SHA1
fd63bac611bd8d83c81c8604550b92bcf5e8be40

SHA256
9fc7de25d64e4f627a4cde2fc5e4809fb19acca400e342c458420091188b55e0

SHA512
fb89361be9427d336084e5b39e503b4280f61b702380ea6140afb5bb2eab4dcdc2e271b392d30173a2b768657806a262213e90428ae3711e2affc6da6d7b308c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1762db2d-826f-49b0-9b10-921acd6ad196.vbs

Filesize
729B

MD5
bfac98b8df6627279bbe6595dd9d5569

SHA1
19db065e75afdca1c261617b47b1e218a41faa1e

SHA256
8fb87f8b741415d0de51d3f9af317d21849137dcf3d9da7c80e714fee66dd9e9

SHA512
e2e3967a14a027f786a28a0a094f548581dc3ee5097600f4e82948c9759100df1e531caf75723f9c1eba03b5c5dba808f329237a037dfeb84f88c401e54adc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e132e4f-afb0-4b44-a047-08241dc109f5.vbs

Filesize
729B

MD5
d56961bae11913e4bcaf3b741caadb48

SHA1
00869a95291000faed3862fb292af25a57a59ed8

SHA256
a8c6fe7949060bf600c97a4cea4210dd1adc5d31b0ed4bc72fe15164f9688833

SHA512
b7390e0f58a2364e8f0e858344036983118319583d7a5964874410475aca311f8d692bcf37427b915858cc9a2bc819e32f6284a3b807c6d5646fa2cdceab27cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a88e365-d848-4a19-953d-3637b150e31f.vbs

Filesize
729B

MD5
149f57956237a4076a717c8be19e5fcb

SHA1
734e57527f6d2191e4e01fae45ca66a8c8bb3d8c

SHA256
67758d3d9ce5aa9911e27a13df784902ce9fc57fe3dfa6fc9ade2895c9bcd391

SHA512
a859c1717eaeac3ddc65bd97b91479e0c72f1976ab1fb26c698db4c9caecfb52fd6004e3460c5aae1f8a21986dccb0298b292a8db272601ab651bd993625f138

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c39dfbc-4386-4d12-b628-8f2f0e634019.vbs

Filesize
729B

MD5
da4bfcec29bbae5e786a6a9f4a14d996

SHA1
08ae4bfd96d784fb9b78d59ba7099af6bfb868b6

SHA256
fbc7e1153b31f5198302f1b519c4286b89df326776680a3e326381e6f76ebcd5

SHA512
99488115ad5a022329c0bd562dc92bc7c3cb21048d8ecc004e7c08aa130ea7e06447d08130af5a6afc2681f4e7ad543267d25676b315bcaba4044e458b78ccfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b62519a4-b52a-4c16-8def-fdfe37275759.vbs

Filesize
728B

MD5
dfc555adf8357809acb9f075b39b5e62

SHA1
ae70f37f4083220a05df99963db1ccaf79dc0449

SHA256
5f60ce0c3169d417be866770d6299daf114b3c303b58b35c61f4fb225df99864

SHA512
1fb6160b82f3b9362be029d327c60d90035c4f72e4afa3f8929fc8c1ce8601b23cec1c1901385b8278c87d6d2d74ddf4d0c50805582bb6540b350ed64af304ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfbd624f-09bd-4511-8ae4-4aff3c38be21.vbs

Filesize
729B

MD5
80c37a6d2af6aaf67b725c5089691d56

SHA1
f71b118b59aafefef499591d09a0563800c5dd38

SHA256
1ca5ce1b261b89941464ec7c3f79592fca91954b8c39110a40ad175b09c134e1

SHA512
cf49d8e08445c0c8fa7a7385ded7b6716cf023f50d8a7eeea3ec1b85f36a0d6ed2e4c77b88182e3184bd9241c10cfe0b1d09532c9b986c6631f8a0b0b468a1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7b01d1d-e7c2-4bbe-89b0-a89d432e13d4.vbs

Filesize
728B

MD5
bc152af2b3e85252dbae2a3a0af5a5e7

SHA1
61c2deafb4286174833844f8275846507efcb911

SHA256
39da03eee041ef7353b3c6b523d61c694bdc850bc4c5f0501b98a2cb5ad95d06

SHA512
fffffcb0f95c718cd7396e5f143b6f8694bf7e97963a715af21dc4a86d97066aaa3e362850f11222801999c39ba052cea5a6a55ff045ad043edffc3ce4b6e00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec4bcf63-eef9-4f46-9629-b4c20251b299.vbs

Filesize
729B

MD5
68def97c00a6d8846bfa72da69a7e2b1

SHA1
174f696f1369fc52d1599eb08516ef4df75e81ef

SHA256
5b07bb35df8f43c931d3bac747e9f5fe05a3c55a47fe384ffac4a57cbe864b84

SHA512
34145051b0e05db5b3ac9f402b6c32326f7459e5a0f46147248c663ddfd61c6c4770fab0a9e62b737d27adf10bd8378265f749cf6c6f9e7e43afdc7b29f2a9ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0c5bf6a-222b-4a04-b64e-0739ece15cff.vbs

Filesize
729B

MD5
65b8e513dccf8f1cd6b1cbe70c3940c8

SHA1
12d5ff26051a3446ef235ccb664c478ff5eaffcb

SHA256
b25823e7a7d521ee9475819024a46078b277604fe7b32aba19b0c9c441053ed2

SHA512
ba399e3c256ea12563474f03dddbfde255c601303fd5eeb494716b07357138e01c88a25e9dba8cbd5ed6d6252736131600d71a39d177724b8010cf5d438a06ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\n0SniZDXo0.bat

Filesize
218B

MD5
506eda889f42a31fd69350dcb18254bd

SHA1
1722dda44bf9387e950c7524ccf7605b8ef2379b

SHA256
b6a8473de6e85296018d89188fe40569001174996d799a9a13e837796165d7b6

SHA512
2f13f44123eccce88dbfc1f18611f89846fea60f4bfc252019fbb9a41b69b42f409561d313f78ecec89b62641df8fb8536a87e5e56070627acc26a235d1e76ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a0fe1608bc70a5c08ff31e0f5d6d6120

SHA1
33ab90525fbd6da74838f0176b5bd5153c0ce3cd

SHA256
f67d62cf5d80ab654f59e47ac85e907a8df5a6ffd974d10a00d566e5e66f2267

SHA512
ce9e04f84b65cba7c2d8e9491fbf92189a0cae7d1bfb8158e07d6a2aa392db371f52ddf2fc73ead5524467686b21c6a0f62b9c2d5129a17f1db246b9c583065d

Download Submit
memory/764-248-0x0000000001340000-0x0000000001500000-memory.dmp

Filesize
1.8MB

Download
memory/928-212-0x0000000000AD0000-0x0000000000C90000-memory.dmp

Filesize
1.8MB

Download
memory/1068-172-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1604-223-0x0000000000BB0000-0x0000000000D70000-memory.dmp

Filesize
1.8MB

Download
memory/1604-224-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2272-174-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

Filesize
32KB

Download
memory/2676-7-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2676-18-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-9-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/2676-17-0x00000000023D0000-0x00000000023DC000-memory.dmp

Filesize
48KB

Download
memory/2676-15-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/2676-16-0x00000000023C0000-0x00000000023CC000-memory.dmp

Filesize
48KB

Download
memory/2676-13-0x0000000002390000-0x000000000239A000-memory.dmp

Filesize
40KB

Download
memory/2676-14-0x00000000023A0000-0x00000000023AE000-memory.dmp

Filesize
56KB

Download
memory/2676-8-0x0000000002030000-0x000000000203C000-memory.dmp

Filesize
48KB

Download
memory/2676-11-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/2676-1-0x00000000002E0000-0x00000000004A0000-memory.dmp

Filesize
1.8MB

Download
memory/2676-152-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-12-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2676-6-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/2676-260-0x0000000000020000-0x00000000001E0000-memory.dmp

Filesize
1.8MB

Download
memory/2676-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2676-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-4-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2676-5-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2676-3-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2720-272-0x00000000013E0000-0x00000000015A0000-memory.dmp

Filesize
1.8MB

Download
memory/3016-236-0x0000000000F90000-0x0000000001150000-memory.dmp

Filesize
1.8MB

Download