dcrat | 434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Size

1.7MB
MD5

88bc360785b47c484011f5eaf67735a2
SHA1

1e868cecddcd99d570efa98d7966a5284d36b2c7
SHA256

434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa
SHA512

c52eae6960c1e499d569a35c961676897738ee844fb557bb46aa6e94f301b3b9305093d5389f3a1d70191c69e4591ce1a12a3e7581f5fe0813b388ca2d5d3509
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2176	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2176	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2364-1-0x0000000000BD0000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/files/0x00050000000195ca-27.dat	dcrat
behavioral1/files/0x0006000000019cfc-84.dat	dcrat
behavioral1/files/0x000a000000017355-105.dat	dcrat
behavioral1/files/0x00090000000195e0-162.dat	dcrat
behavioral1/memory/1908-283-0x0000000001260000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2340-295-0x0000000000120000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/3020-308-0x0000000000E90000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/1812-333-0x00000000012F0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2504-345-0x0000000000020000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1628-357-0x00000000008C0000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/844-369-0x0000000000C40000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/2232-381-0x0000000001160000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/1468-405-0x0000000001210000-0x00000000013D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2184	powershell.exe
2332	powershell.exe
1880	powershell.exe
276	powershell.exe
2344	powershell.exe
2132	powershell.exe
2396	powershell.exe
2400	powershell.exe
548	powershell.exe
2120	powershell.exe
2252	powershell.exe
1096	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Executes dropped EXE 11 IoCs

pid	Process
1908	csrss.exe
2340	csrss.exe
3020	csrss.exe
884	csrss.exe
1812	csrss.exe
2504	csrss.exe
1628	csrss.exe
844	csrss.exe
2232	csrss.exe
684	csrss.exe
1468	csrss.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\b75386f1303e64	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\6cb0b6c459d5d3	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\5940a34987c991	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\cc11b995f2a76d	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX77D4.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX7EBC.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\RCX7561.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX6367.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX6368.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\RCX7562.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX7766.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX7EBD.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\it-IT\RCX79D8.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\it-IT\RCX79D9.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\it-IT\WmiPrvSE.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX6E79.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\Downloaded Program Files\6203df4a6bafc7	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\it-IT\WmiPrvSE.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\it-IT\24dbde2999530e	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX6E78.tmp	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File opened for modification	C:\Windows\Downloaded Program Files\lsass.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
File created	C:\Windows\Downloaded Program Files\lsass.exe	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe
2344	schtasks.exe
2180	schtasks.exe
768	schtasks.exe
2292	schtasks.exe
2276	schtasks.exe
2520	schtasks.exe
2116	schtasks.exe
1816	schtasks.exe
2372	schtasks.exe
1244	schtasks.exe
1224	schtasks.exe
2092	schtasks.exe
2688	schtasks.exe
2624	schtasks.exe
1956	schtasks.exe
2012	schtasks.exe
2352	schtasks.exe
2816	schtasks.exe
796	schtasks.exe
1604	schtasks.exe
2912	schtasks.exe
264	schtasks.exe
1468	schtasks.exe
2740	schtasks.exe
1552	schtasks.exe
3012	schtasks.exe
1512	schtasks.exe
2148	schtasks.exe
2000	schtasks.exe
2084	schtasks.exe
2960	schtasks.exe
1540	schtasks.exe
1096	schtasks.exe
2592	schtasks.exe
556	schtasks.exe
1768	schtasks.exe
1704	schtasks.exe
1592	schtasks.exe
3068	schtasks.exe
2476	schtasks.exe
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
276	powershell.exe
548	powershell.exe
2400	powershell.exe
2396	powershell.exe
2344	powershell.exe
1880	powershell.exe
2184	powershell.exe
2332	powershell.exe
1096	powershell.exe
2120	powershell.exe
2252	powershell.exe
2132	powershell.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe
1908	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1908	csrss.exe
Token: SeDebugPrivilege	2340	csrss.exe
Token: SeDebugPrivilege	3020	csrss.exe
Token: SeDebugPrivilege	884	csrss.exe
Token: SeDebugPrivilege	1812	csrss.exe
Token: SeDebugPrivilege	2504	csrss.exe
Token: SeDebugPrivilege	1628	csrss.exe
Token: SeDebugPrivilege	844	csrss.exe
Token: SeDebugPrivilege	2232	csrss.exe
Token: SeDebugPrivilege	684	csrss.exe
Token: SeDebugPrivilege	1468	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2332	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	73
PID 2364 wrote to memory of 2332	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	73
PID 2364 wrote to memory of 2332	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	73
PID 2364 wrote to memory of 2400	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	74
PID 2364 wrote to memory of 2400	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	74
PID 2364 wrote to memory of 2400	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	74
PID 2364 wrote to memory of 1880	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	75
PID 2364 wrote to memory of 1880	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	75
PID 2364 wrote to memory of 1880	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	75
PID 2364 wrote to memory of 548	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	76
PID 2364 wrote to memory of 548	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	76
PID 2364 wrote to memory of 548	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	76
PID 2364 wrote to memory of 2120	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	77
PID 2364 wrote to memory of 2120	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	77
PID 2364 wrote to memory of 2120	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	77
PID 2364 wrote to memory of 276	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	78
PID 2364 wrote to memory of 276	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	78
PID 2364 wrote to memory of 276	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	78
PID 2364 wrote to memory of 2344	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	79
PID 2364 wrote to memory of 2344	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	79
PID 2364 wrote to memory of 2344	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	79
PID 2364 wrote to memory of 2132	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	80
PID 2364 wrote to memory of 2132	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	80
PID 2364 wrote to memory of 2132	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	80
PID 2364 wrote to memory of 2252	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	81
PID 2364 wrote to memory of 2252	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	81
PID 2364 wrote to memory of 2252	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	81
PID 2364 wrote to memory of 1096	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	82
PID 2364 wrote to memory of 1096	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	82
PID 2364 wrote to memory of 1096	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	82
PID 2364 wrote to memory of 2396	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	83
PID 2364 wrote to memory of 2396	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	83
PID 2364 wrote to memory of 2396	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	83
PID 2364 wrote to memory of 2184	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	84
PID 2364 wrote to memory of 2184	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	84
PID 2364 wrote to memory of 2184	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	84
PID 2364 wrote to memory of 2028	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	97
PID 2364 wrote to memory of 2028	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	97
PID 2364 wrote to memory of 2028	2364	434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe	97
PID 2028 wrote to memory of 1936	2028	cmd.exe	99
PID 2028 wrote to memory of 1936	2028	cmd.exe	99
PID 2028 wrote to memory of 1936	2028	cmd.exe	99
PID 2028 wrote to memory of 1908	2028	cmd.exe	100
PID 2028 wrote to memory of 1908	2028	cmd.exe	100
PID 2028 wrote to memory of 1908	2028	cmd.exe	100
PID 1908 wrote to memory of 2556	1908	csrss.exe	101
PID 1908 wrote to memory of 2556	1908	csrss.exe	101
PID 1908 wrote to memory of 2556	1908	csrss.exe	101
PID 1908 wrote to memory of 2792	1908	csrss.exe	102
PID 1908 wrote to memory of 2792	1908	csrss.exe	102
PID 1908 wrote to memory of 2792	1908	csrss.exe	102
PID 2556 wrote to memory of 2340	2556	WScript.exe	103
PID 2556 wrote to memory of 2340	2556	WScript.exe	103
PID 2556 wrote to memory of 2340	2556	WScript.exe	103
PID 2340 wrote to memory of 2428	2340	csrss.exe	104
PID 2340 wrote to memory of 2428	2340	csrss.exe	104
PID 2340 wrote to memory of 2428	2340	csrss.exe	104
PID 2340 wrote to memory of 2248	2340	csrss.exe	105
PID 2340 wrote to memory of 2248	2340	csrss.exe	105
PID 2340 wrote to memory of 2248	2340	csrss.exe	105
PID 2428 wrote to memory of 3020	2428	WScript.exe	106
PID 2428 wrote to memory of 3020	2428	WScript.exe	106
PID 2428 wrote to memory of 3020	2428	WScript.exe	106
PID 3020 wrote to memory of 2976	3020	csrss.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe
"C:\Users\Admin\AppData\Local\Temp\434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lQnvRVvYg2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1936
- - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
    "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a42a1a5-b22c-470c-b445-3fa94020cb41.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c7877a9-9373-4fa9-8f3f-fd9127f8b404.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eff125bf-7461-425b-99a4-899ba76516a0.vbs"
        8⤵
        
        PID:2976
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1067cd5f-7470-482d-98ed-aafa9136b728.vbs"
        10⤵
        
        PID:2400
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46c967aa-f00b-4d58-b55e-8bd7cd5ed856.vbs"
        12⤵
        
        PID:352
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb42d16d-62e7-4cdd-8b79-87a83a4fd36a.vbs"
        14⤵
        
        PID:2696
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11772eb1-0395-46cc-9e64-52c28d91270f.vbs"
        16⤵
        
        PID:2428
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40e8b350-0c29-4754-a7f9-6acbcd7892e1.vbs"
        18⤵
        
        PID:2644
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46a1f901-56fd-4f4c-93f0-d9e66ad4c146.vbs"
        20⤵
        
        PID:2548
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6146a944-6c83-4f8d-b021-c1f9a5883d1a.vbs"
        22⤵
        
        PID:2060
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\816211c7-8a56-4d05-9027-f6ead8a8dd99.vbs"
        24⤵
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ee61761-445d-48eb-827a-e0f0c9ebf196.vbs"
        24⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5aacdd79-baf5-48be-91a8-6651390840f2.vbs"
        22⤵
        
        PID:808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\debde6c5-4bb4-4f61-8aea-61a86990decb.vbs"
        20⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\226955ee-e4ff-4840-8dc7-c4cd4b7df119.vbs"
        18⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9454fac3-dbcb-440b-885d-9360638437f0.vbs"
        16⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a03ca09-d7fc-4f78-843e-74719f3b28f2.vbs"
        14⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8ce8cb6-3818-43ae-976c-787f5e3c30c6.vbs"
        12⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df63df5f-4484-4ad5-8b6c-c73608e100b3.vbs"
        10⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\309d55ee-c278-4bf9-b95e-2d8af3c0ae55.vbs"
        8⤵
        
        PID:2112
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c34cd4d-c82d-414f-9615-ab9f73616790.vbs"
        6⤵
        
        PID:2248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fb7bf3d-aefb-4789-82ff-c7b46b0c6dc8.vbs"
      4⤵
      PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
1.7MB

MD5
88bc360785b47c484011f5eaf67735a2

SHA1
1e868cecddcd99d570efa98d7966a5284d36b2c7

SHA256
434880bfeef7f1d71259feadeea49bf12ff08ad0f2a69ae940cb1a00c32e0eaa

SHA512
c52eae6960c1e499d569a35c961676897738ee844fb557bb46aa6e94f301b3b9305093d5389f3a1d70191c69e4591ce1a12a3e7581f5fe0813b388ca2d5d3509

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
1.7MB

MD5
5e618e8e837f2ff330ad73213318d5a2

SHA1
d47fbdf54e27aac0bb063bb0d51f1a983422c4e1

SHA256
1a0b89aac9d394d8165a19f0b581ae121f853d6f0adefef7c0c62931b704e406

SHA512
304b130e9e7bfde15090adde0fca0134caddd6f9be18c9a641b96dda6c7e6ab4482919a744c1abf7b0b5602a1d95dea7b8e2609a8a4eb5a8225090f6e7deb031

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
1.7MB

MD5
07933a4b9e8aafe47c68e151630d4259

SHA1
753fd98fe47e17a6392a2a68a93008a32461d84f

SHA256
33845922833cb10bf3aa870e450425e59bca1aa666f61ad09f43f1a1d6f8c9d5

SHA512
e4502589215194db4ab00962eb94a5188c2cbcd4b02336a37379b31c9e8c353de0535ee9c245be607ff6838b311f272dbe08b92f475a5e0d5b86e7b6bd7bddbb

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\taskhost.exe

Filesize
1.7MB

MD5
1865fe740b8337a2c8a1516338eacdc7

SHA1
a784fa710c9839e229a7511ce977384d6a7766ea

SHA256
ebd138a74bc337bad8fa52488d310bbe6c134881ee9aa515d31f2a3db51ed022

SHA512
61ac757cd0af54a431aad8c31282fbea0ff86c9834b5ffe537a9568fe54852544ea107cfae26745888d62025f38712ea136d99697edea3dfa35a610cee522e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\1067cd5f-7470-482d-98ed-aafa9136b728.vbs

Filesize
733B

MD5
64c7fb53d1f28f65ff47f94f4985ec33

SHA1
a3e2fc1679e3000e29da1fbcdce6d4e4c0499649

SHA256
ece3c5f65f66ab6adfe297c4b499fe9a9ea38fec7ab00c36236e892f78664755

SHA512
e09dfc32a03be568a5267668cf4401075c524deceadb4146e5147e5cafb4be05d6fdd2ce038965d1fbeca478c40e75d43b365cde5b608cb2c1d842dc61615623

Download Submit
C:\Users\Admin\AppData\Local\Temp\11772eb1-0395-46cc-9e64-52c28d91270f.vbs

Filesize
734B

MD5
a4d56ee9451eb8b2759574c1e9815ef9

SHA1
0bf67705c092b935484d230d36254b14269bdc87

SHA256
7802dd7fb1a6afc6ecf8317c78b16cf463928d54937cae26ce694ad5405cc4e0

SHA512
3178b13e97f3b7f43f5a525d0bc28b0d95b41bf3f0107278d6d3241367d32f60a61832d241a3ad9c7858e5dd252939c1fa7068006e90b626a9b514264b35b3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c7877a9-9373-4fa9-8f3f-fd9127f8b404.vbs

Filesize
734B

MD5
cdaa556b4494e5185803410d70867aad

SHA1
478122c62f9e57e816fc7d2219d54997e2c448df

SHA256
95a1e869f736e6dae924fc36aee4fb19a418ceb6a911f92588c99db57c6024f9

SHA512
dc2f1cbc5e6f732cd87dd14c644ec2702d323259ab27a3da65ac9097d51e46756aa7f0c97b4bfb2b510e49fb800d28df69d5b190f9e0e5519ff9ca2b8682a5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\40e8b350-0c29-4754-a7f9-6acbcd7892e1.vbs

Filesize
733B

MD5
b24086da6c134ad316e8b9ff775c0df4

SHA1
c65ee1a505012544f3a7c0b9e1c9ffd8bfe4e9ac

SHA256
6d6dad986eef3189e77da17124bcf73e6de8932740a63fe8e6135e441ffb4cd6

SHA512
cd0a6a0e06231c18574b2147b2a7a6eec66f7bfa6b41d1f7377cbdbee637c42134e2f5f7e8def95dad63d237913e4af449202e934ce9800404879b39f6d4a4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\46a1f901-56fd-4f4c-93f0-d9e66ad4c146.vbs

Filesize
734B

MD5
aacaa8430d2babb4cc2f11ef7180e5cb

SHA1
57d54301abed75f07c9eda9eb2c9c58233a26e7b

SHA256
47ee34beb6e02ed5a2067d1eea89d5c4545ab16bfecac79723128df06adb6801

SHA512
95b816a0bf5254d17bcb7c729d99cf10275f80669ccbc733facb216a6110abaa8038c53aa39708e20fb508303293962238668c6bba90ba1825eb1f04004200ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\46c967aa-f00b-4d58-b55e-8bd7cd5ed856.vbs

Filesize
734B

MD5
c2e1f95ab2b44f1872523450993377b8

SHA1
7121623bc1b53fce4b6d8325d667c089c9441caa

SHA256
60518e5551e837bdce35dcd531db92fc3751107c6f024741dd08ee6e87004450

SHA512
0a0f96861395a0cf66c879e1639fd0b2b4824caa231988ab8cd0a732d1257fda3c510c132f8cd73ad4ed84a014362d8b4a9f0676749f0a4b738c5e5c2bdd1e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\6146a944-6c83-4f8d-b021-c1f9a5883d1a.vbs

Filesize
733B

MD5
33f28bead8882bb7006fbb7d0f950054

SHA1
d9232d886e1d983a5f939f23d5512346cb3d67f2

SHA256
81849b99fee03c38bc0b41c9d4dc710660cfd93dd71a3b0a7f36f8c67116eb11

SHA512
6c0686dd21e36142f26c976b7ab74c57f2c32a7bf989acae7fea1f532366d218f9025957f3ab3a5dc45cb473c83306f3ffe8786df5139e564088be3ccd4f4aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\816211c7-8a56-4d05-9027-f6ead8a8dd99.vbs

Filesize
734B

MD5
859e79ba61cf380e4bf44044423ac464

SHA1
3f874da66ebf154bd133af15f9d40624fb6001cb

SHA256
f28ef511d12829939b34764d0e701ba6c167159af68184a7b6c2df1194915cea

SHA512
628dbcfe801ff73049e92f2c16194ed7f6a81f24c2e6b16de128672a75b55257b2859d2fd09673d9d6dd2340ec3addaf48be2f83f1190450f1a554d8476fb5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a42a1a5-b22c-470c-b445-3fa94020cb41.vbs

Filesize
734B

MD5
69ba8357995566dbecea7d3b56aec478

SHA1
6b0565e11d2bec83cb09229eeb6e1eb0664be820

SHA256
bf79700cba2a4d6223be93c3885bb98b71873ce60d6f665eee55cf835b9194c9

SHA512
f2f8e0156413db39b2a385de06ba8f030267d6ec19db8a639b1cd96b36e0ec92c64e367be59b64084cde06ea85b7247949b5b1525e801710a8503ada3093f1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fb7bf3d-aefb-4789-82ff-c7b46b0c6dc8.vbs

Filesize
510B

MD5
b1e800e6226071b2d8910e98f9923b5d

SHA1
62cb91cdbaf8955399cf93748f8752e18caa2211

SHA256
51577a49b9a5204398120fa15829e158f3fdb2304f89f48d415370d69a8f20a6

SHA512
6750ae8c00916bf50f543960e58fefa5e01e9e5e77349ab3bb483f689666d4d538e0b59f4eeb9346fbcfa18f5cdc9017259554ecf6fca8ca4e2aba040375a08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb42d16d-62e7-4cdd-8b79-87a83a4fd36a.vbs

Filesize
734B

MD5
c48fc91d6c799d861874b682bf408b62

SHA1
34ae8b32a7c5a71de32c2dc58b44cd3a75c1d32f

SHA256
f93ad2ab5f26205d61949dd036edde8244ea8adfcdd79d4c1473175c980ca4f5

SHA512
49efb87f1ba0194ca3b2d832460dbb3275ad06728990eff2456964eab7b232cde93404be5087776003689b65e5db25941e08dc41acabf58da821c2a6e375e902

Download Submit
C:\Users\Admin\AppData\Local\Temp\eff125bf-7461-425b-99a4-899ba76516a0.vbs

Filesize
734B

MD5
35c769e407fc3b6f1fa85bfdd65d1bd1

SHA1
1cd8a622cb2a1317b71757081deed51ed48ddee3

SHA256
a289127270b4f641ee054972bf9eb6f1c79d1e37521335615e96afc48303fac2

SHA512
d67ce833af261e1bde78ec6f0da4c122aae8d9684b3d0201ee81e9ec92602dcd86cb1775f8fe19a6d7779012b7e3f6895f6a26852fb553b0817c94bea833d584

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQnvRVvYg2.bat

Filesize
223B

MD5
6b4da6e32d2e66751791e8c295bf56fc

SHA1
7226a84177812ce1f316db273b27f29021cf5c9d

SHA256
22de5a8562819988c03f4f5d01dc03095e890e03f719bbe2fa11123d35d7413a

SHA512
40f009698b9b8c4d5a8546bdc92afd709df544ce7b39da2ffdf228753bba73e6ba55f6422faf1eda321df092ca37c613436228c9de2a41d84e77666f7e30227d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
035d8ce17fb1a1d46aaf850cacace0d8

SHA1
1a846d0c44053390fae93f59d8a64b174e532b99

SHA256
1ef01ec98fc5d28678192716371107f83a6729750ef9751caf37b4178e778eca

SHA512
a4bf5f08cd6a00d4ae017cff46eea337cc57ef883ae911e97d7a7e3ec3a591a00785a16d5b32ffb5077b8888fc0968eccbfcd22ebb0f417b8b882a1421b9f971

Download Submit
memory/276-234-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/276-235-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/844-369-0x0000000000C40000-0x0000000000E00000-memory.dmp

Filesize
1.8MB

Download
memory/884-321-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1468-405-0x0000000001210000-0x00000000013D0000-memory.dmp

Filesize
1.8MB

Download
memory/1628-357-0x00000000008C0000-0x0000000000A80000-memory.dmp

Filesize
1.8MB

Download
memory/1812-333-0x00000000012F0000-0x00000000014B0000-memory.dmp

Filesize
1.8MB

Download
memory/1908-283-0x0000000001260000-0x0000000001420000-memory.dmp

Filesize
1.8MB

Download
memory/1908-284-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2232-382-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2232-381-0x0000000001160000-0x0000000001320000-memory.dmp

Filesize
1.8MB

Download
memory/2340-295-0x0000000000120000-0x00000000002E0000-memory.dmp

Filesize
1.8MB

Download
memory/2340-296-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/2364-5-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2364-202-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-14-0x000000001AC40000-0x000000001AC4E000-memory.dmp

Filesize
56KB

Download
memory/2364-220-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-11-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/2364-1-0x0000000000BD0000-0x0000000000D90000-memory.dmp

Filesize
1.8MB

Download
memory/2364-17-0x000000001AC10000-0x000000001AC1C000-memory.dmp

Filesize
48KB

Download
memory/2364-9-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2364-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2364-8-0x00000000021C0000-0x00000000021CC000-memory.dmp

Filesize
48KB

Download
memory/2364-13-0x000000001ABF0000-0x000000001ABFA000-memory.dmp

Filesize
40KB

Download
memory/2364-7-0x00000000021B0000-0x00000000021C0000-memory.dmp

Filesize
64KB

Download
memory/2364-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-6-0x0000000002190000-0x00000000021A6000-memory.dmp

Filesize
88KB

Download
memory/2364-16-0x000000001AC00000-0x000000001AC0C000-memory.dmp

Filesize
48KB

Download
memory/2364-18-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-12-0x000000001A7E0000-0x000000001A7EC000-memory.dmp

Filesize
48KB

Download
memory/2364-4-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/2364-189-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2364-15-0x000000001ABE0000-0x000000001ABE8000-memory.dmp

Filesize
32KB

Download
memory/2364-3-0x0000000000B90000-0x0000000000BAC000-memory.dmp

Filesize
112KB

Download
memory/2504-345-0x0000000000020000-0x00000000001E0000-memory.dmp

Filesize
1.8MB

Download
memory/3020-309-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/3020-308-0x0000000000E90000-0x0000000001050000-memory.dmp

Filesize
1.8MB

Download