dcrat | 95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Size

1.7MB
MD5

68a655281c115869e423c1d7f5bea01d
SHA1

8193dcbfd44ca6bad7dd4c5824f9e0d4495220c2
SHA256

95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d
SHA512

c72d216bc5172e259226c624023aaf869cfdbebb29b2aa8421a15363f9c3c29acedb3436dbb829afce50aa13935f06c6baf40b3523c912ded39fb82f9b21c1db
SSDEEP

49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvS:uTHUxUoh1IF9gl2d

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2804	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2804	schtasks.exe	31

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2332-1-0x0000000000C00000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/files/0x0005000000019371-27.dat	dcrat
behavioral1/files/0x0008000000016c7c-89.dat	dcrat
behavioral1/files/0x000b000000019371-145.dat	dcrat
behavioral1/files/0x000800000001948d-170.dat	dcrat
behavioral1/files/0x00070000000195cc-181.dat	dcrat
behavioral1/files/0x00070000000195e0-193.dat	dcrat
behavioral1/files/0x000c000000019931-254.dat	dcrat
behavioral1/memory/1036-270-0x00000000002A0000-0x0000000000460000-memory.dmp	dcrat
behavioral1/files/0x000500000001a495-268.dat	dcrat
behavioral1/memory/1196-338-0x0000000000B70000-0x0000000000D30000-memory.dmp	dcrat
behavioral1/memory/276-350-0x0000000000C90000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/1708-362-0x00000000001C0000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/2348-374-0x00000000011D0000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/1948-409-0x0000000001290000-0x0000000001450000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3000	powershell.exe
2284	powershell.exe
2148	powershell.exe
1472	powershell.exe
804	powershell.exe
860	powershell.exe
2624	powershell.exe
2352	powershell.exe
1092	powershell.exe
1060	powershell.exe
900	powershell.exe
2420	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe

Executes dropped EXE 9 IoCs

pid	Process
1036	spoolsv.exe
1196	spoolsv.exe
276	spoolsv.exe
1708	spoolsv.exe
2348	spoolsv.exe
2088	spoolsv.exe
2076	spoolsv.exe
1948	spoolsv.exe
1472	spoolsv.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX1CCE.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCX63F.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXCBB.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX1336.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX1ACB.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\audiodg.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\69ddcba757bf72	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\cc11b995f2a76d	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Google\Temp\42af1c969fbb7b	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6cb0b6c459d5d3	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX844.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\services.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX1A5C.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX11C.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCX5D1.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCX843.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\f3b6ecef712a24	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\services.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\1610b97d3ab4a7	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Google\Temp\audiodg.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\spoolsv.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX1335.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXCBA.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX1CCF.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\c5b4cb5e9653cc	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX11D.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\spoolsv.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TAPI\RCX22DD.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Windows\TAPI\RCX22DE.tmp	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File opened for modification	C:\Windows\TAPI\csrss.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Windows\TAPI\csrss.exe	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
File created	C:\Windows\TAPI\886983d96e3d3e	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2556	schtasks.exe
1300	schtasks.exe
2856	schtasks.exe
1608	schtasks.exe
1000	schtasks.exe
2672	schtasks.exe
2824	schtasks.exe
2692	schtasks.exe
2400	schtasks.exe
1808	schtasks.exe
2448	schtasks.exe
888	schtasks.exe
876	schtasks.exe
2068	schtasks.exe
2948	schtasks.exe
2164	schtasks.exe
1528	schtasks.exe
2028	schtasks.exe
2624	schtasks.exe
1096	schtasks.exe
1912	schtasks.exe
2436	schtasks.exe
748	schtasks.exe
1532	schtasks.exe
1544	schtasks.exe
1712	schtasks.exe
1716	schtasks.exe
2072	schtasks.exe
1568	schtasks.exe
2740	schtasks.exe
2564	schtasks.exe
1092	schtasks.exe
2612	schtasks.exe
908	schtasks.exe
408	schtasks.exe
2720	schtasks.exe
3004	schtasks.exe
772	schtasks.exe
2032	schtasks.exe
1676	schtasks.exe
2044	schtasks.exe
2364	schtasks.exe
548	schtasks.exe
1636	schtasks.exe
2236	schtasks.exe
1436	schtasks.exe
632	schtasks.exe
1672	schtasks.exe
2148	schtasks.exe
2512	schtasks.exe
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
2148	powershell.exe
3000	powershell.exe
804	powershell.exe
1092	powershell.exe
900	powershell.exe
1060	powershell.exe
2420	powershell.exe
860	powershell.exe
1472	powershell.exe
2284	powershell.exe
2624	powershell.exe
2352	powershell.exe
1036	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1036	spoolsv.exe
Token: SeDebugPrivilege	1196	spoolsv.exe
Token: SeDebugPrivilege	276	spoolsv.exe
Token: SeDebugPrivilege	1708	spoolsv.exe
Token: SeDebugPrivilege	2348	spoolsv.exe
Token: SeDebugPrivilege	2088	spoolsv.exe
Token: SeDebugPrivilege	2076	spoolsv.exe
Token: SeDebugPrivilege	1948	spoolsv.exe
Token: SeDebugPrivilege	1472	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3000	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	83
PID 2332 wrote to memory of 3000	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	83
PID 2332 wrote to memory of 3000	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	83
PID 2332 wrote to memory of 2624	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	84
PID 2332 wrote to memory of 2624	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	84
PID 2332 wrote to memory of 2624	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	84
PID 2332 wrote to memory of 2352	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	85
PID 2332 wrote to memory of 2352	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	85
PID 2332 wrote to memory of 2352	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	85
PID 2332 wrote to memory of 2284	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	86
PID 2332 wrote to memory of 2284	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	86
PID 2332 wrote to memory of 2284	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	86
PID 2332 wrote to memory of 1092	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	87
PID 2332 wrote to memory of 1092	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	87
PID 2332 wrote to memory of 1092	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	87
PID 2332 wrote to memory of 1060	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	88
PID 2332 wrote to memory of 1060	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	88
PID 2332 wrote to memory of 1060	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	88
PID 2332 wrote to memory of 900	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	89
PID 2332 wrote to memory of 900	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	89
PID 2332 wrote to memory of 900	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	89
PID 2332 wrote to memory of 2420	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	90
PID 2332 wrote to memory of 2420	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	90
PID 2332 wrote to memory of 2420	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	90
PID 2332 wrote to memory of 2148	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	91
PID 2332 wrote to memory of 2148	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	91
PID 2332 wrote to memory of 2148	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	91
PID 2332 wrote to memory of 1472	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	92
PID 2332 wrote to memory of 1472	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	92
PID 2332 wrote to memory of 1472	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	92
PID 2332 wrote to memory of 804	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	93
PID 2332 wrote to memory of 804	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	93
PID 2332 wrote to memory of 804	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	93
PID 2332 wrote to memory of 860	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	94
PID 2332 wrote to memory of 860	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	94
PID 2332 wrote to memory of 860	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	94
PID 2332 wrote to memory of 1036	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	107
PID 2332 wrote to memory of 1036	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	107
PID 2332 wrote to memory of 1036	2332	95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe	107
PID 1036 wrote to memory of 2104	1036	spoolsv.exe	108
PID 1036 wrote to memory of 2104	1036	spoolsv.exe	108
PID 1036 wrote to memory of 2104	1036	spoolsv.exe	108
PID 1036 wrote to memory of 700	1036	spoolsv.exe	109
PID 1036 wrote to memory of 700	1036	spoolsv.exe	109
PID 1036 wrote to memory of 700	1036	spoolsv.exe	109
PID 2104 wrote to memory of 1196	2104	WScript.exe	110
PID 2104 wrote to memory of 1196	2104	WScript.exe	110
PID 2104 wrote to memory of 1196	2104	WScript.exe	110
PID 1196 wrote to memory of 2684	1196	spoolsv.exe	111
PID 1196 wrote to memory of 2684	1196	spoolsv.exe	111
PID 1196 wrote to memory of 2684	1196	spoolsv.exe	111
PID 1196 wrote to memory of 2580	1196	spoolsv.exe	112
PID 1196 wrote to memory of 2580	1196	spoolsv.exe	112
PID 1196 wrote to memory of 2580	1196	spoolsv.exe	112
PID 2684 wrote to memory of 276	2684	WScript.exe	113
PID 2684 wrote to memory of 276	2684	WScript.exe	113
PID 2684 wrote to memory of 276	2684	WScript.exe	113
PID 276 wrote to memory of 2512	276	spoolsv.exe	114
PID 276 wrote to memory of 2512	276	spoolsv.exe	114
PID 276 wrote to memory of 2512	276	spoolsv.exe	114
PID 276 wrote to memory of 748	276	spoolsv.exe	115
PID 276 wrote to memory of 748	276	spoolsv.exe	115
PID 276 wrote to memory of 748	276	spoolsv.exe	115
PID 2512 wrote to memory of 1708	2512	WScript.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe
"C:\Users\Admin\AppData\Local\Temp\95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Users\Default User\spoolsv.exe
  "C:\Users\Default User\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bebd8b35-8fb6-453f-81d3-f1d45cdc89d9.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Default User\spoolsv.exe
      "C:\Users\Default User\spoolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\452496f7-ddec-4168-8c51-bbd1b06b8f8a.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db9af517-da39-4f7c-9b24-e6fb69db660d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3a024e8-55a2-4f35-bf26-a82190b16d23.vbs"
        9⤵
        
        PID:2284
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56cdcadf-8433-4e0c-ac8b-4af19f64c662.vbs"
        11⤵
        
        PID:1968
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cca6561-cc9b-42b1-ac7c-a9a50ba2769f.vbs"
        13⤵
        
        PID:3036
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19def96a-5d4a-4df9-981a-f18f5f525859.vbs"
        15⤵
        
        PID:2740
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a23e616f-714a-450f-ac8f-cbf1408c932c.vbs"
        17⤵
        
        PID:768
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f21ab9bd-65a7-4a6a-81a6-bcbe17fecea1.vbs"
        19⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fe888aa-b44b-4d04-ad92-76ea9ee072dd.vbs"
        19⤵
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff542867-afdd-4c9e-b623-2f878dc8b0e0.vbs"
        17⤵
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04303533-948d-4e5a-84c7-042be31c3bf3.vbs"
        15⤵
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7904c595-cde3-444e-8121-506167bb8ee5.vbs"
        13⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\638acd77-5bd0-411e-839b-0bc5990a36ec.vbs"
        11⤵
        
        PID:352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d850bf77-bc3d-4099-b963-cc37f501a026.vbs"
        9⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d337104-4d75-47fb-814d-212a3af1b6db.vbs"
        7⤵
        
        PID:748
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d012fe52-12fd-4df4-b226-634a344f084e.vbs"
        5⤵
        
        PID:2580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0829e904-0838-4eb6-bcb4-d9a10c58b8a5.vbs"
    3⤵
    PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\OSPPSVC.exe

Filesize
1.7MB

MD5
68a655281c115869e423c1d7f5bea01d

SHA1
8193dcbfd44ca6bad7dd4c5824f9e0d4495220c2

SHA256
95e53d41dd242a3f707ffc7ea0b0a831ed85b9294192e039f0b255d5b65e732d

SHA512
c72d216bc5172e259226c624023aaf869cfdbebb29b2aa8421a15363f9c3c29acedb3436dbb829afce50aa13935f06c6baf40b3523c912ded39fb82f9b21c1db

Download Submit
C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe

Filesize
1.7MB

MD5
767508131c74ac9281a716e40ebee8e7

SHA1
c89e900ee1e6caee52df1e5230da6752331c3820

SHA256
bc40c29020fc5aeaa4496773856ccd271130e9c2268667d29d07116782679490

SHA512
3da056d5f6c799de64147aad33ff82ddb47c6fabf3bbbdd33ceb956d771eed258ecba104e78f5155b183807ce0da7766827505362e819fd7d9f1059f50537807

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe

Filesize
1.7MB

MD5
81656842aa1eac9af9d34a2811fe4460

SHA1
a0e460226b365c9eb72d59f530bb03b8307b032a

SHA256
0b22366f923357c826e92f3dd43b4fafab7014e5b9ac52f268b04f777c864003

SHA512
3d029bf503fe0254133c4221b88c7f11e9bdb71fd5a65c0d1186853100386675dc29b627e33892ca3b4cd8b11e79ba5f08ca5e2d81c6e460eccb16af89bd99e0

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe

Filesize
1.7MB

MD5
7fac821fea589087d62939f0dc59f8a1

SHA1
9676a99781a873eb023e091d3a428c8885512f89

SHA256
7136df8ecb04672f37d43a9bfa9c93fd3d0a842830cd6671286d6896a402027d

SHA512
15553e2e09d27497d8350cde97c05b03257e6d2ee37f1fdfa29017eab9fe7493fbc9ed8af9d00bb4297c80299a8ed9a667bc7413c248d8ed6239d8ddef766a8d

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe

Filesize
1.7MB

MD5
8389bf6bb624c16df3e362b3eed0df23

SHA1
6986b98a5046a7abfbd03ffedc8811bb385b94de

SHA256
f128c2d261e2eea98242d4408166998f438ef6e64a2eefc7fca591567273bc36

SHA512
3fa32b5414e4ee5a35b64d7c78b766dfddbf707dfe0030d5c161303d4b96b57b24e273f3ec6abc0575b84b45be97d1397979e80155720a5bcf8976860ffe6862

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe

Filesize
1.7MB

MD5
7d64b237a25e797ac33476f9aa8743fc

SHA1
3cd7e3c64e23c11c894faec5ce7626045300a6ea

SHA256
d3a5ef183e1a7fc4b0b34b3b160d3a7d6b14b2222b21380d1dd45ab275c17b6c

SHA512
3487abe6d4945a637edae4edaaf440c72ef76c46ddca52d7defc30559b54d3bd610748e5f3aa423f9096c7904ff0504e3e292dc0c3fee0ed2bb7107f7ef10cd8

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe

Filesize
1.7MB

MD5
e4e3b73108fbe84e7b697d88c7aa6452

SHA1
d36042f4f8a73f1f64baff44c0d2635850f45dfd

SHA256
8f2ef6f0a7da950bfa57ee879bb69d352d019bb0da8a1956a88459f088d4f41b

SHA512
1952d36b7b1442855e2debac9fcba533fa6c1cda44389f9ee13ac7db3bb1d70bbd7cf3669bc4f1b4de1257a833ec023a0423e3648fb66549dfc7e48702966963

Download Submit
C:\Users\Admin\AppData\Local\Temp\0829e904-0838-4eb6-bcb4-d9a10c58b8a5.vbs

Filesize
485B

MD5
bd1038c389bf62aa685c6c9fa333d021

SHA1
8e727b481a882790de1506140d9cd159364a5357

SHA256
b440649148aae21f2dd7f6f54057f23f0a4b68f6a0f46b4756bfaa5844b21699

SHA512
b26fdce8731a569347f0eb8d446a232014b3db01ac9f6fb46a0bdc30989479e3116e67a885678e52c8e61ec7b213aee5accdd8db2835f190f59c10f52cad6972

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cca6561-cc9b-42b1-ac7c-a9a50ba2769f.vbs

Filesize
709B

MD5
5a5c2a72228a4256340bd23d113949fc

SHA1
44a34b329f49afdd15ed04d4f2ef03bc40536788

SHA256
34489eb65a42d23add1e800083aa121ee482bca3069fa36e6b68cc4567c6600b

SHA512
0fd1f8fab396b347832855854ea9925e5750ac400b72796df07dfc7d9bc8a35fc8ba42e6e4d113d02b895364e938b56db5f9cdd190cac2670505dbddef27cbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\19def96a-5d4a-4df9-981a-f18f5f525859.vbs

Filesize
709B

MD5
eeafd95fef80a8adda9fb5a96179bf28

SHA1
9cb4ad8b7668359d76d7a919984a2949c7e1e528

SHA256
b4e34806e927f33c0a97e242b5432e7fbbb8270c9210a4775fa8a31d2cbcc1a0

SHA512
772d9b943ceefeb09f4fc9c8dacf494bb436ec4faf4a6305c112f980fb174968a36cbf9a33439fbab23195fdcd18ad2b8ae868172908e194b38c6f45f31012a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\452496f7-ddec-4168-8c51-bbd1b06b8f8a.vbs

Filesize
709B

MD5
b734d3a8be88fbb97422db4d92232939

SHA1
dcd6fb5c9addcddaa6ec27abca25ec6f76efe8e8

SHA256
f03eb167132d25ea42632c3c3eb6f60bab9ef3fc773570d08672833e56811a60

SHA512
0c9301d671930bfeef42ca5c01e3df1dad158d07bb56b5f1962e5057d769b8256d423058c79f10cb99bd4967e3410aeb2c1de697083fd3ef5090e547a01eeda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\56cdcadf-8433-4e0c-ac8b-4af19f64c662.vbs

Filesize
709B

MD5
d9fa35e401a6c047b3da303ea07080d9

SHA1
d4d1c4cc080ac9fbc5f3f087e5d30e6c151af708

SHA256
05c7d96717febc9bffd067accec3ed3d9a89985bc8fd8667d958918f91a77e74

SHA512
1eadf7fa54050646bf4fd9366dea8d3d8fdca3b31ae62546549fc3fa15402b2dfe561425bb061eb5fb204f7bf6f856167606006599b4051288a6d2c9dac8cac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a23e616f-714a-450f-ac8f-cbf1408c932c.vbs

Filesize
709B

MD5
ff8d6d25504652ce839e519627db69b4

SHA1
551b486cabf54569fb6d9c6512353ea6af5bc47f

SHA256
3f9f52ce76f4e9c981fa664e837d0b2d97f1057dfb0f57df3d458a65b11e2529

SHA512
375cec09264f7245086b4a9d78275821be4c6e46642a3d80a97a308041320118bb32d4635f50e8a45523af8517b1dd4ffddcc7289ed31b11f9ee6c5a595d405a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bebd8b35-8fb6-453f-81d3-f1d45cdc89d9.vbs

Filesize
709B

MD5
ff682332359dfbce5d06a6fc0a6a7c61

SHA1
8e204e56c8d9c215616f23c7c0b193845060a0dc

SHA256
fd7defa8dc4ec9bdcf16713662c65b583b1e30160fa0175e206b6a6b0dcb4a51

SHA512
eb2949186c046adefa096d7c363699406d455d9e23d51e0a5cf46d460b60cf7aaab2c871f795fc68712e3130f8edb485b5e1ff15b99dc2a95153f4a454ba98bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3a024e8-55a2-4f35-bf26-a82190b16d23.vbs

Filesize
709B

MD5
bcf5fb58c09391834afd5bec129727f2

SHA1
a8b23a458a427d057b2171997a94799f7ae7c177

SHA256
6a5f692f4bdac5f13eed294aa144a650610b2535fcc739e2992359295f8b861b

SHA512
36e980e70a16938bc1b8d1f9e097eae2fe75f08364dfe1275cbd8d778ba5314c1fc277f21d86f2a4c4c9299a8c16e7138e7c908099083ed46738b47f45c71ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\db9af517-da39-4f7c-9b24-e6fb69db660d.vbs

Filesize
708B

MD5
99fa04363fa558b1826c0afd367dafb7

SHA1
e27687460793e2c3f4579e9c6b259c323e4a9f03

SHA256
0aa8a193d67423237cbb92f83e07d2f40c595356d8af805f7aa3baeff626739d

SHA512
99f6a4d6bc7fe6a2f640bcbf80755b98ca73faddd1d50d81d354c97a385dff449952e5b2c3d3e028697fe04be3b662e6bdb73b518121c37cde44bfab1df07baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f21ab9bd-65a7-4a6a-81a6-bcbe17fecea1.vbs

Filesize
709B

MD5
7f20834ff939f4765fcd0afe92a49f76

SHA1
efaf60bd80f234886f5e201a55b7bfdcd9178661

SHA256
6b09830e4d72b853d974c05ceede5e071b7e830ff07e0e461ab3411352140e3d

SHA512
49757d492cf507dd72b67619caf77e1cab8cf1fa5bf7277e2e5cc6e9ac96f0a721a601064251271ae7102e123e86284b99efdc04c213459c82b0ec631130a9ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8bce3495849a537c9c3b48cc1e9a9296

SHA1
a9ed929b6804d3723b273ab41ff0a134bce9d7b6

SHA256
26a41109e67d34d52b0159d78eb4432ebc400cbc8aaa68910fe14ba87e380719

SHA512
2c7e4a7683d098a027399df5b0200a363ad51f4fb37e4807fc3d38e8cbb5296172d699f07bfa561a28ba19da9a853c2a9b419b07c776768d6a05830c487789f5

Download Submit
C:\Users\Default\spoolsv.exe

Filesize
1.7MB

MD5
9bc6e385c3ed07d8041688367cd4c950

SHA1
f33c82f203ce08807d5f4429e6f4c858ec8b8dc6

SHA256
33caab6b7bafb73cfbce6985958218a9cbba607227265077489621521e8555bc

SHA512
57d183506d509d587a998e9a2069f3c0c8ef5cdeb31f8a8fbbfa280c120f5e373f9ff213081fea07f8fa1c55d2d95353cf7a78979703df5eb3a5602126b4e2ad

Download Submit
memory/276-350-0x0000000000C90000-0x0000000000E50000-memory.dmp

Filesize
1.8MB

Download
memory/1036-270-0x00000000002A0000-0x0000000000460000-memory.dmp

Filesize
1.8MB

Download
memory/1196-338-0x0000000000B70000-0x0000000000D30000-memory.dmp

Filesize
1.8MB

Download
memory/1708-362-0x00000000001C0000-0x0000000000380000-memory.dmp

Filesize
1.8MB

Download
memory/1948-409-0x0000000001290000-0x0000000001450000-memory.dmp

Filesize
1.8MB

Download
memory/2088-386-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2148-276-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2332-14-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2332-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2332-208-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-184-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2332-20-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2332-1-0x0000000000C00000-0x0000000000DC0000-memory.dmp

Filesize
1.8MB

Download
memory/2332-277-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-15-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2332-16-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2332-13-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2332-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-12-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/2332-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2332-9-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/2332-8-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/2332-233-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2332-6-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/2332-7-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2332-4-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2332-5-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2332-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2348-374-0x00000000011D0000-0x0000000001390000-memory.dmp

Filesize
1.8MB

Download
memory/3000-292-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download