dcrat | 05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
Size

1.7MB
MD5

2bbbc1024834e5eb4880e044608e8c9c
SHA1

d45b4eccb435a91acff766f0a61bb33cf43c9b2e
SHA256

05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080
SHA512

e275f0a84ce60d5b5c446d77728a3f04679df3b22f7440b4db81e9aed5234b9f0b89d130bf2ca622d69d57148ef78e20089ec0bf6fd5c8d5151228588c9e30c9
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2692	schtasks.exe	30

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3028-1-0x0000000000FB0000-0x0000000001170000-memory.dmp	dcrat
behavioral1/files/0x0006000000016009-27.dat	dcrat
behavioral1/files/0x0009000000015c0d-116.dat	dcrat
behavioral1/files/0x000b000000015ce1-125.dat	dcrat
behavioral1/files/0x0009000000016009-148.dat	dcrat
behavioral1/files/0x000900000001659b-170.dat	dcrat
behavioral1/files/0x0008000000016d0d-182.dat	dcrat
behavioral1/files/0x000a000000016de8-241.dat	dcrat
behavioral1/files/0x0009000000017403-252.dat	dcrat
behavioral1/memory/1140-332-0x00000000013A0000-0x0000000001560000-memory.dmp	dcrat
behavioral1/memory/2400-360-0x0000000000070000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/832-372-0x00000000000E0000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1532-385-0x0000000000220000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1632-397-0x0000000000FF0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2168-409-0x00000000012F0000-0x00000000014B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1552	powershell.exe
1536	powershell.exe
2884	powershell.exe
1588	powershell.exe
2768	powershell.exe
2204	powershell.exe
1560	powershell.exe
2280	powershell.exe
2876	powershell.exe
2452	powershell.exe
328	powershell.exe
2744	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Executes dropped EXE 10 IoCs

pid	Process
1140	dwm.exe
2400	dwm.exe
832	dwm.exe
1532	dwm.exe
1632	dwm.exe
2168	dwm.exe
2456	dwm.exe
2060	dwm.exe
2452	dwm.exe
1520	dwm.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\6cb0b6c459d5d3	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\dllhost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXA741.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\dllhost.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCX9FEA.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCX9FEB.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\5940a34987c991	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX9856.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\101b941d020240	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX97E8.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXA740.tmp	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1704	schtasks.exe
1752	schtasks.exe
2872	schtasks.exe
1832	schtasks.exe
2420	schtasks.exe
1636	schtasks.exe
2888	schtasks.exe
1996	schtasks.exe
2320	schtasks.exe
1808	schtasks.exe
2016	schtasks.exe
1828	schtasks.exe
1724	schtasks.exe
2148	schtasks.exe
1228	schtasks.exe
2744	schtasks.exe
1152	schtasks.exe
1572	schtasks.exe
1044	schtasks.exe
1804	schtasks.exe
1940	schtasks.exe
2596	schtasks.exe
1628	schtasks.exe
2732	schtasks.exe
1772	schtasks.exe
1968	schtasks.exe
2500	schtasks.exe
1264	schtasks.exe
984	schtasks.exe
2564	schtasks.exe
3012	schtasks.exe
1524	schtasks.exe
2844	schtasks.exe
2672	schtasks.exe
2980	schtasks.exe
2172	schtasks.exe
2536	schtasks.exe
2576	schtasks.exe
2808	schtasks.exe
2864	schtasks.exe
2452	schtasks.exe
1476	schtasks.exe
1664	schtasks.exe
2176	schtasks.exe
1668	schtasks.exe
1816	schtasks.exe
980	schtasks.exe
1620	schtasks.exe
1520	schtasks.exe
700	schtasks.exe
1500	schtasks.exe
1516	schtasks.exe
2308	schtasks.exe
2020	schtasks.exe
2720	schtasks.exe
1300	schtasks.exe
564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
2884	powershell.exe
1536	powershell.exe
1552	powershell.exe
1588	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1140	dwm.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2400	dwm.exe
Token: SeDebugPrivilege	832	dwm.exe
Token: SeDebugPrivilege	1532	dwm.exe
Token: SeDebugPrivilege	1632	dwm.exe
Token: SeDebugPrivilege	2168	dwm.exe
Token: SeDebugPrivilege	2456	dwm.exe
Token: SeDebugPrivilege	2060	dwm.exe
Token: SeDebugPrivilege	2452	dwm.exe
Token: SeDebugPrivilege	1520	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1588	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	89
PID 3028 wrote to memory of 1588	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	89
PID 3028 wrote to memory of 1588	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	89
PID 3028 wrote to memory of 2876	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	90
PID 3028 wrote to memory of 2876	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	90
PID 3028 wrote to memory of 2876	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	90
PID 3028 wrote to memory of 2884	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	91
PID 3028 wrote to memory of 2884	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	91
PID 3028 wrote to memory of 2884	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	91
PID 3028 wrote to memory of 1536	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	93
PID 3028 wrote to memory of 1536	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	93
PID 3028 wrote to memory of 1536	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	93
PID 3028 wrote to memory of 2280	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	95
PID 3028 wrote to memory of 2280	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	95
PID 3028 wrote to memory of 2280	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	95
PID 3028 wrote to memory of 1560	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	96
PID 3028 wrote to memory of 1560	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	96
PID 3028 wrote to memory of 1560	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	96
PID 3028 wrote to memory of 1552	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	97
PID 3028 wrote to memory of 1552	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	97
PID 3028 wrote to memory of 1552	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	97
PID 3028 wrote to memory of 2744	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	98
PID 3028 wrote to memory of 2744	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	98
PID 3028 wrote to memory of 2744	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	98
PID 3028 wrote to memory of 328	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	99
PID 3028 wrote to memory of 328	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	99
PID 3028 wrote to memory of 328	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	99
PID 3028 wrote to memory of 2204	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	100
PID 3028 wrote to memory of 2204	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	100
PID 3028 wrote to memory of 2204	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	100
PID 3028 wrote to memory of 2452	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	101
PID 3028 wrote to memory of 2452	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	101
PID 3028 wrote to memory of 2452	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	101
PID 3028 wrote to memory of 2768	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	102
PID 3028 wrote to memory of 2768	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	102
PID 3028 wrote to memory of 2768	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	102
PID 3028 wrote to memory of 1140	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	113
PID 3028 wrote to memory of 1140	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	113
PID 3028 wrote to memory of 1140	3028	05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe	113
PID 1140 wrote to memory of 1752	1140	dwm.exe	115
PID 1140 wrote to memory of 1752	1140	dwm.exe	115
PID 1140 wrote to memory of 1752	1140	dwm.exe	115
PID 1140 wrote to memory of 2924	1140	dwm.exe	116
PID 1140 wrote to memory of 2924	1140	dwm.exe	116
PID 1140 wrote to memory of 2924	1140	dwm.exe	116
PID 1752 wrote to memory of 2400	1752	WScript.exe	118
PID 1752 wrote to memory of 2400	1752	WScript.exe	118
PID 1752 wrote to memory of 2400	1752	WScript.exe	118
PID 2400 wrote to memory of 2892	2400	dwm.exe	119
PID 2400 wrote to memory of 2892	2400	dwm.exe	119
PID 2400 wrote to memory of 2892	2400	dwm.exe	119
PID 2400 wrote to memory of 1792	2400	dwm.exe	120
PID 2400 wrote to memory of 1792	2400	dwm.exe	120
PID 2400 wrote to memory of 1792	2400	dwm.exe	120
PID 2892 wrote to memory of 832	2892	WScript.exe	121
PID 2892 wrote to memory of 832	2892	WScript.exe	121
PID 2892 wrote to memory of 832	2892	WScript.exe	121
PID 832 wrote to memory of 556	832	dwm.exe	122
PID 832 wrote to memory of 556	832	dwm.exe	122
PID 832 wrote to memory of 556	832	dwm.exe	122
PID 832 wrote to memory of 2360	832	dwm.exe	123
PID 832 wrote to memory of 2360	832	dwm.exe	123
PID 832 wrote to memory of 2360	832	dwm.exe	123
PID 556 wrote to memory of 1532	556	WScript.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe
"C:\Users\Admin\AppData\Local\Temp\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
  "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae3318d6-ddfb-45a7-b272-2cfb27f5b5fa.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
      "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e774e34-5524-4a28-b772-a954f29adb07.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f34c95da-58d3-4874-84eb-477f812eff6b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08565ccb-dbe9-4a78-a6ee-48bf97df4f16.vbs"
        9⤵
        
        PID:2764
        
        C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4e4c5b2-c7dc-459e-91e8-77eba8b678c7.vbs"
        11⤵
        
        PID:1868
        
        C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a36171be-a3f9-4d37-8e9d-541d69743d39.vbs"
        13⤵
        
        PID:1752
        
        C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49d80b1d-c40f-4b40-ab04-6e6201d7fc36.vbs"
        15⤵
        
        PID:564
        
        C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbc54a90-1e79-41cf-b24e-ad9ad3d2323b.vbs"
        17⤵
        
        PID:624
        
        C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25c35582-acfd-40a3-ae58-dbcb6fa97848.vbs"
        19⤵
        
        PID:2880
        
        C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8865c9cb-928c-460b-81fa-b57285b80c23.vbs"
        21⤵
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c849a6d0-d43a-4307-b4a9-0c902029d4f9.vbs"
        21⤵
        
        PID:756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e00db49-5bec-4d7b-824f-9b5c55b48ffa.vbs"
        19⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df2f97d8-a5ad-4e57-8c48-2e9c5c731ef8.vbs"
        17⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ddcf574-9719-459e-82bd-88e3d731b5fd.vbs"
        15⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d037923-afc7-4b64-b873-5037a824c302.vbs"
        13⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcf0324c-9569-4e24-8980-391d82528acf.vbs"
        11⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3887b7ea-faf6-4e7f-b5cb-efe9099d08a0.vbs"
        9⤵
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3f788d3-9dc1-44eb-9a49-9f2df42edf85.vbs"
        7⤵
        
        PID:2360
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c1b9cc3-5f5f-49e7-a7bc-f5ee1abeaf63.vbs"
        5⤵
        
        PID:1792
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dab4f9f3-cd52-4a6d-9064-6dd65691a37a.vbs"
    3⤵
    PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d490800" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d490800" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\explorer.exe

Filesize
1.7MB

MD5
a3677ebd8fabbf3efe4fdc1c9570ffd6

SHA1
b51dcff117ba6ac34d1d69cd584321b2d6b7c48d

SHA256
8ed8ed8ed3aa88da8a643700de62b2bab6b3df0be73b5f3371c65a198b1bb12f

SHA512
4afde8ebbdd961fc0780dabac757b69ac7dd4f7700d4a2263ed2bfd35af5ff4788160cb152fae9854c58b8dafd0ade2cc7114eafc3de930953535641948b9d51

Download Submit
C:\MSOCache\All Users\sppsvc.exe

Filesize
1.7MB

MD5
33bf0818a274d594503cc614b283334a

SHA1
c1638bce3a2876a588d7ef50ea4dd5ad4d40dc6c

SHA256
db9b405a7397f68b7e02d2076921c0074d4853d221941ffea5433e673809fca5

SHA512
bb35a4f6c9570b7da0b419a178210275ea09c8a2184c516e484649f84116494df8e67d508f8ba3261b48b2ead6ce00fdc4c11ba170ba260669bdf282b0e2cab5

Download Submit
C:\Program Files\Windows Photo Viewer\it-IT\dwm.exe

Filesize
1.7MB

MD5
1859128589fc64cdfaff886485437077

SHA1
9f015e64e1f5ddfeb2e0e3f5888b789ecfaf485c

SHA256
2a0d3a35acf12888bd121fd8587ee5e9f04297cebeedb2b397db8ce734b974a5

SHA512
1b61f2ff0d0ca39775ef9a5625b5b5697c449a9d9c45d620d2dc076254a9dfc50606994f77db9025c78714252aec218da5416a24a3a8317656a43a36a4ccebad

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Filesize
1.7MB

MD5
2bbbc1024834e5eb4880e044608e8c9c

SHA1
d45b4eccb435a91acff766f0a61bb33cf43c9b2e

SHA256
05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080

SHA512
e275f0a84ce60d5b5c446d77728a3f04679df3b22f7440b4db81e9aed5234b9f0b89d130bf2ca622d69d57148ef78e20089ec0bf6fd5c8d5151228588c9e30c9

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\05cf7e0a51503c938efdaddec12578aacdfe10f1fd3012e2a0e4f8b437d49080.exe

Filesize
1.7MB

MD5
de8dfe9d36860b96d1f53d08956cca27

SHA1
8f116bfcea5b762f39783001851771f6c99959d1

SHA256
bc7e3b344e680f29d14777e11a02776f293e122d1e5cf5d4351725418769a9eb

SHA512
70f9904e0775846de78e87231d03d83cbc24860dfacd18ebd59529c1fe15a7ff3416f5f5380190d6cf9315ebfab92d9105caa9c1314c4f66ab63763c3531898b

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe

Filesize
1.7MB

MD5
ee76995534500881f30017be2782c1d6

SHA1
8f46e4e557b8c0501f02551f1f2a222c1182a653

SHA256
8b59a8983f45266493988691c7be2475b0e1500815bf13d9504995655b385cc0

SHA512
135cba1920da2bda75ca01540f219dbbb206fac90eb1f5916d6a24724782c985fadf7a8bb938d07eeac1a8d32b9466d0579dc2450651934f3b8c01a8f2df3ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\08565ccb-dbe9-4a78-a6ee-48bf97df4f16.vbs

Filesize
727B

MD5
1105f0fc202bdee4535766f85e24f819

SHA1
f3278c5f5660c635c9e2d3a2f1a740a3f299c81a

SHA256
da13586182a0e5a0337954b212c77a3f77ed8cf581e1812859c7a9d178239bee

SHA512
41297b6d967d5c939309a2fa6fe30bd86a69a215fb9bff59faf2c7727ba9de831b35b9c6c2e61e072a715bffa2889b9702587cc5a12c10e8e1fab86fa17f20f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e774e34-5524-4a28-b772-a954f29adb07.vbs

Filesize
727B

MD5
bd01a506c26db057dfb52cd4c776a118

SHA1
6d55e6293c5e21f50ee97af1ec8ea51b54d3403c

SHA256
83c7e46463da26e3b381ed9c87913809f838fcbd26a4a67b07c191db199ca0f3

SHA512
7af030e29bb09ca8edc486fdcb4785411ec71e78ce53a37c95b8b23f556743d0015ca904eae278bda6249181e251dc66da6e910ce8c15515dd21f425da65b99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c35582-acfd-40a3-ae58-dbcb6fa97848.vbs

Filesize
727B

MD5
e50d351463b229b2c9ffb5c31a508f74

SHA1
137fa68b850950fc931413e82ec01dd51e64388a

SHA256
62af833b964e965c6042bdfe770ac6a5e40a4a4062d830d851d35031b9bc6571

SHA512
f39f2542ba33d7665000ae6f09613c238a5e16cb71c2ee10891ceda415dd7f9859e6240bc0f73d0cfda61524a5413e007a9d2df7b5bd26e9d9f1d158b89d86a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\49d80b1d-c40f-4b40-ab04-6e6201d7fc36.vbs

Filesize
727B

MD5
4453d9c40c4f986377a6e346d26f2d9b

SHA1
bf9c080f8506e181d4380b264e43d56d0029d1ea

SHA256
c9c166e082d9faee5ee991f409ab96324a0145d44938b1092965f295da13b780

SHA512
85bc8a35357315779b364df4f9937785f88890b873c2d6b7987cd0e1c68442d1f3138c4d7ae224135ec78de9347da36906cd6f9c49af1e889965f9f2252aff37

Download Submit
C:\Users\Admin\AppData\Local\Temp\8865c9cb-928c-460b-81fa-b57285b80c23.vbs

Filesize
727B

MD5
022e68b6b6459d2c26e88b1eb8487fb0

SHA1
436f5fef0cd7a8a8e4f387dae7310307fa982ec4

SHA256
48be8428f2f0c7ee95781d8784bcb0d4a47c267da286c8581bd149969773687e

SHA512
cb039ed390e61d4c458b800df87108489df074eddcc5a6cc2ef8d152483de351554f3b7929855de9922cacce7702f35ce30e26a6980e15f08d95af5a17686964

Download Submit
C:\Users\Admin\AppData\Local\Temp\a36171be-a3f9-4d37-8e9d-541d69743d39.vbs

Filesize
727B

MD5
e64829571efabaaf6bf7228983fd4fd6

SHA1
92d3536a26aac5e74f24b2b28e4f0c2ecfcd6db9

SHA256
7f2024257a60a3de447a9ee0027d483746e69c20a37e5918c9a493ee294dad41

SHA512
4a27ba5acf3be2a51afdc51ff34ff9c6f5707fa56ffc22280110a29674cc1bfc398a62c5a27b6c0ca8625a0b7b208f1a75d0ec83f0f2e70a44f08742ca217bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae3318d6-ddfb-45a7-b272-2cfb27f5b5fa.vbs

Filesize
727B

MD5
14b08bc3d91a0c7605f7538b4d715b99

SHA1
ac33b32f234c34a6730e8974def7ac8b078160a4

SHA256
1007ad9da7ba5b264388dca8a6809a1824da1a19ec304b9360cf6f7eb7cecd3c

SHA512
920792603204b6660ee25321c4b6bc318ad39f59865db1d3fa738fb8bf0359ab9be3f712645c44f4cedecf897319f21604c4e6a44bf49ccdf2138665a6a2ec8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dab4f9f3-cd52-4a6d-9064-6dd65691a37a.vbs

Filesize
503B

MD5
416078400477be658dedea0961af747d

SHA1
2a5f50285ec066749e11a2dcdc4e60c5463047f0

SHA256
de22b28a7c6529d1a1c9fb7f71f5327ef0797061caed33443a4ae6e30c522202

SHA512
141a3fc9240e2378b6bae94f0cac09d0c6251327833ebd34b9783dfde23e2080c659b7acaa081d7852f95c153c73093dad4849fdf6fbcdd9945ffec389880a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbc54a90-1e79-41cf-b24e-ad9ad3d2323b.vbs

Filesize
727B

MD5
0a73d07fb2308489a7076f3b278a6e40

SHA1
9f2f8e4511a0a345f4e0e898e8a233f245114da2

SHA256
aeb3e96a974590d7d216c17f58c2eda6b489d09f051d448cd8c5d492f53cf24c

SHA512
e7467c39247eaaf21ce0f282951d81df2919074f3dc404eb392ae9eeb8b7d60b1662fba11937d9a97679c41486b632b87510e4a99a36055f8e5c1dc3f0c09f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\f34c95da-58d3-4874-84eb-477f812eff6b.vbs

Filesize
726B

MD5
16e0783721033e02e9268aaf679067b5

SHA1
cb1e973c97ab7434392fd19891d32d0710d5dc1a

SHA256
7db5f5336b2079fda11d38f4fa1b7979679493076dc255147b78afc6d5199d88

SHA512
086f3014e6647c1854e3edd64953eaf24b423ef848e41a6b9aedd124f43ac4837f06ef25f9e3e25923b241edf3312ac8b4f022c2a4273f8fdc64919900ea2e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4e4c5b2-c7dc-459e-91e8-77eba8b678c7.vbs

Filesize
727B

MD5
221d0bd4c9157ae407b725093380bfd3

SHA1
4003b19342ef6df0b949b0e1c3cddcb9a1550035

SHA256
88260bbdaa37dccac6d67d38109a0b65f34fb92920fb412aba947edaa46d123b

SHA512
1d3156e4d9b3dbb239eb0bcffcda99e592bfd053b2c3a83281992ed3d6d9b988d4a42826659a95e04fdb00058a6152111cb7bb2c7d2d8133e81b89b4cf7da009

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ab367a5c5f0557df8be09f8a66bf5d0d

SHA1
c7331e7c007854ef4c07aa06d10da6b4e578c918

SHA256
fd28058d6f264eec30728b6dbccf17b1e15dfc224fe8385e26580ddd82b27ddd

SHA512
cb10007ba69e2f790352e269a5390bd442df10b9a7b3cebd1c42358603ca8902dfdd9702d51f00e7643150655e3936fecf1bade47116968d5aa8f9cde5e9cd77

Download Submit
C:\Users\Default\AppData\Local\sppsvc.exe

Filesize
1.7MB

MD5
569a20f1aed239b2f8dbcc9121c8f7ab

SHA1
dfc773b8fd8d8ae641854c6d8bd75a16b3f0b8f8

SHA256
cf7a392db8ae4c89e67edf0d79f565dbb56916e7df48d2f47f2697e2c48eae88

SHA512
0031693548fd51e3773f29babe51e4f537c4cfe12aa045cbb42dc36f5825c6c27a954112ef186682c97cd2a8c876c2fb2f9be679fc5d89142040fdb42918d5b3

Download Submit
C:\Users\Default\lsm.exe

Filesize
1.7MB

MD5
9a3bea0e40866f7edce039101b054e47

SHA1
f401a62913e320912cb5ff9cc81510a13a8ecb12

SHA256
cf9d7f69865c87e062a692f57e02c270b69e519d9c9ee5068ca8225fb4d1d440

SHA512
5856b03704a3c0cababd841502b355186e61b100a2433f50c939f2889ea6e70ce267d1aecaed83bb330997d902b348e844dc587fe47ce8976c0c1323282d7c6e

Download Submit
memory/832-372-0x00000000000E0000-0x00000000002A0000-memory.dmp

Filesize
1.8MB

Download
memory/832-373-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/1140-349-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download
memory/1140-332-0x00000000013A0000-0x0000000001560000-memory.dmp

Filesize
1.8MB

Download
memory/1532-385-0x0000000000220000-0x00000000003E0000-memory.dmp

Filesize
1.8MB

Download
memory/1560-319-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1632-397-0x0000000000FF0000-0x00000000011B0000-memory.dmp

Filesize
1.8MB

Download
memory/2168-409-0x00000000012F0000-0x00000000014B0000-memory.dmp

Filesize
1.8MB

Download
memory/2400-360-0x0000000000070000-0x0000000000230000-memory.dmp

Filesize
1.8MB

Download
memory/2884-325-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/3028-13-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/3028-220-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-196-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-339-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-173-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/3028-20-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-17-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/3028-15-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/3028-16-0x0000000000F80000-0x0000000000F8C000-memory.dmp

Filesize
48KB

Download
memory/3028-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/3028-14-0x0000000000F50000-0x0000000000F5E000-memory.dmp

Filesize
56KB

Download
memory/3028-12-0x0000000000F40000-0x0000000000F4C000-memory.dmp

Filesize
48KB

Download
memory/3028-11-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/3028-9-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/3028-8-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/3028-7-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/3028-6-0x0000000000C50000-0x0000000000C66000-memory.dmp

Filesize
88KB

Download
memory/3028-5-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/3028-4-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/3028-3-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/3028-2-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/3028-1-0x0000000000FB0000-0x0000000001170000-memory.dmp

Filesize
1.8MB

Download