dcrat | abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Size

1.7MB
MD5

92f20cf5b97297600b5272178b6534c7
SHA1

3d7b513aea13d6a7c7e66d0a74d0af11b8d7f625
SHA256

abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b
SHA512

81f0c12d78f958d1a1d74bd13ed015c878bef5a51040ab9346713a47626a58e163f6568b9f97803b18b49a583b5622c61fd065d9fe957af8763ce80edd3135c4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2432	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2432	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2236-1-0x0000000000B10000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/files/0x00060000000173f4-27.dat	dcrat
behavioral1/files/0x000600000001a433-76.dat	dcrat
behavioral1/files/0x0008000000017472-133.dat	dcrat
behavioral1/files/0x000a000000017487-156.dat	dcrat
behavioral1/files/0x0018000000018663-179.dat	dcrat
behavioral1/files/0x001300000001866e-228.dat	dcrat
behavioral1/memory/2856-314-0x0000000001100000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/292-348-0x0000000001380000-0x0000000001540000-memory.dmp	dcrat
behavioral1/memory/2916-360-0x0000000000210000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/1740-373-0x0000000000E10000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/1640-385-0x00000000002D0000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/3000-397-0x00000000011C0000-0x0000000001380000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1632	powershell.exe
2944	powershell.exe
2932	powershell.exe
1724	powershell.exe
1420	powershell.exe
2052	powershell.exe
2324	powershell.exe
1952	powershell.exe
2872	powershell.exe
2488	powershell.exe
1660	powershell.exe
1860	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Executes dropped EXE 9 IoCs

pid	Process
2856	dllhost.exe
604	dllhost.exe
1164	dllhost.exe
292	dllhost.exe
2916	dllhost.exe
1740	dllhost.exe
1640	dllhost.exe
3000	dllhost.exe
1344	dllhost.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX6D21.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\RCX769B.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Mail\RCX6918.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Reference Assemblies\OSPPSVC.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\7a0fd90576e088	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCX6424.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCX6492.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\lsass.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\RCX769C.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Mail\RCX6917.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\6203df4a6bafc7	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Windows Mail\System.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX6D22.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dwm.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\lsass.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Reference Assemblies\1610b97d3ab4a7	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Java\jre7\lib\ext\6cb0b6c459d5d3	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX7215.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX7D27.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Windows Mail\27d1bcfc3c54e0	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Reference Assemblies\OSPPSVC.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files\Java\jre7\lib\ext\dwm.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Windows Mail\System.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX7216.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX7D26.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\101b941d020240	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\addins\RCX790E.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\LiveKernelReports\dllhost.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\Tasks\lsm.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\addins\7a0fd90576e088	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX6220.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\RCX6F93.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\lsm.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\LiveKernelReports\dllhost.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\LiveKernelReports\5940a34987c991	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File created	C:\Windows\addins\explorer.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\addins\explorer.exe	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX621F.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\Tasks\RCX7001.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
File opened for modification	C:\Windows\addins\RCX78A0.tmp	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2564	schtasks.exe
1844	schtasks.exe
2016	schtasks.exe
2848	schtasks.exe
2532	schtasks.exe
2728	schtasks.exe
1816	schtasks.exe
1604	schtasks.exe
2324	schtasks.exe
1420	schtasks.exe
2328	schtasks.exe
2960	schtasks.exe
296	schtasks.exe
2352	schtasks.exe
1788	schtasks.exe
2856	schtasks.exe
2184	schtasks.exe
2212	schtasks.exe
700	schtasks.exe
1384	schtasks.exe
1784	schtasks.exe
1812	schtasks.exe
2280	schtasks.exe
2636	schtasks.exe
2584	schtasks.exe
484	schtasks.exe
1696	schtasks.exe
1216	schtasks.exe
1864	schtasks.exe
2500	schtasks.exe
2548	schtasks.exe
2944	schtasks.exe
840	schtasks.exe
1528	schtasks.exe
2244	schtasks.exe
2668	schtasks.exe
2884	schtasks.exe
2220	schtasks.exe
1524	schtasks.exe
1280	schtasks.exe
624	schtasks.exe
2972	schtasks.exe
1868	schtasks.exe
1484	schtasks.exe
1148	schtasks.exe
1972	schtasks.exe
1756	schtasks.exe
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
1632	powershell.exe
1660	powershell.exe
2052	powershell.exe
1860	powershell.exe
1420	powershell.exe
2324	powershell.exe
2944	powershell.exe
2872	powershell.exe
2932	powershell.exe
1952	powershell.exe
2488	powershell.exe
1724	powershell.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe
2856	dllhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2856	dllhost.exe
Token: SeDebugPrivilege	604	dllhost.exe
Token: SeDebugPrivilege	1164	dllhost.exe
Token: SeDebugPrivilege	292	dllhost.exe
Token: SeDebugPrivilege	2916	dllhost.exe
Token: SeDebugPrivilege	1740	dllhost.exe
Token: SeDebugPrivilege	1640	dllhost.exe
Token: SeDebugPrivilege	3000	dllhost.exe
Token: SeDebugPrivilege	1344	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1632	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	80
PID 2236 wrote to memory of 1632	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	80
PID 2236 wrote to memory of 1632	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	80
PID 2236 wrote to memory of 1724	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	81
PID 2236 wrote to memory of 1724	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	81
PID 2236 wrote to memory of 1724	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	81
PID 2236 wrote to memory of 1860	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	82
PID 2236 wrote to memory of 1860	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	82
PID 2236 wrote to memory of 1860	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	82
PID 2236 wrote to memory of 1420	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	84
PID 2236 wrote to memory of 1420	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	84
PID 2236 wrote to memory of 1420	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	84
PID 2236 wrote to memory of 1660	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	85
PID 2236 wrote to memory of 1660	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	85
PID 2236 wrote to memory of 1660	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	85
PID 2236 wrote to memory of 2488	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	87
PID 2236 wrote to memory of 2488	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	87
PID 2236 wrote to memory of 2488	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	87
PID 2236 wrote to memory of 2872	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	88
PID 2236 wrote to memory of 2872	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	88
PID 2236 wrote to memory of 2872	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	88
PID 2236 wrote to memory of 2932	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	90
PID 2236 wrote to memory of 2932	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	90
PID 2236 wrote to memory of 2932	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	90
PID 2236 wrote to memory of 2944	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	91
PID 2236 wrote to memory of 2944	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	91
PID 2236 wrote to memory of 2944	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	91
PID 2236 wrote to memory of 1952	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	92
PID 2236 wrote to memory of 1952	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	92
PID 2236 wrote to memory of 1952	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	92
PID 2236 wrote to memory of 2324	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	93
PID 2236 wrote to memory of 2324	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	93
PID 2236 wrote to memory of 2324	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	93
PID 2236 wrote to memory of 2052	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	94
PID 2236 wrote to memory of 2052	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	94
PID 2236 wrote to memory of 2052	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	94
PID 2236 wrote to memory of 1280	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	104
PID 2236 wrote to memory of 1280	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	104
PID 2236 wrote to memory of 1280	2236	abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe	104
PID 1280 wrote to memory of 2140	1280	cmd.exe	106
PID 1280 wrote to memory of 2140	1280	cmd.exe	106
PID 1280 wrote to memory of 2140	1280	cmd.exe	106
PID 1280 wrote to memory of 2856	1280	cmd.exe	107
PID 1280 wrote to memory of 2856	1280	cmd.exe	107
PID 1280 wrote to memory of 2856	1280	cmd.exe	107
PID 2856 wrote to memory of 2184	2856	dllhost.exe	108
PID 2856 wrote to memory of 2184	2856	dllhost.exe	108
PID 2856 wrote to memory of 2184	2856	dllhost.exe	108
PID 2856 wrote to memory of 2972	2856	dllhost.exe	109
PID 2856 wrote to memory of 2972	2856	dllhost.exe	109
PID 2856 wrote to memory of 2972	2856	dllhost.exe	109
PID 2184 wrote to memory of 604	2184	WScript.exe	110
PID 2184 wrote to memory of 604	2184	WScript.exe	110
PID 2184 wrote to memory of 604	2184	WScript.exe	110
PID 604 wrote to memory of 2732	604	dllhost.exe	111
PID 604 wrote to memory of 2732	604	dllhost.exe	111
PID 604 wrote to memory of 2732	604	dllhost.exe	111
PID 604 wrote to memory of 2064	604	dllhost.exe	112
PID 604 wrote to memory of 2064	604	dllhost.exe	112
PID 604 wrote to memory of 2064	604	dllhost.exe	112
PID 2732 wrote to memory of 1164	2732	WScript.exe	113
PID 2732 wrote to memory of 1164	2732	WScript.exe	113
PID 2732 wrote to memory of 1164	2732	WScript.exe	113
PID 1164 wrote to memory of 2368	1164	dllhost.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe
"C:\Users\Admin\AppData\Local\Temp\abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QfKFARzT3K.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2140
- - C:\Windows\LiveKernelReports\dllhost.exe
    "C:\Windows\LiveKernelReports\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae8b8780-d058-447f-8a36-42b9bf978ddd.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:604
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89e41114-2fec-477c-a49c-3df225619d35.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa5221a9-0eaa-4127-862e-95700ab4a942.vbs"
        8⤵
        
        PID:2368
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5d7639f-8641-442f-a5de-3d35beddb727.vbs"
        10⤵
        
        PID:700
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af221f87-d92c-4612-a0a0-b31b4c10fa97.vbs"
        12⤵
        
        PID:2676
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75257d6b-ee30-405c-b0e3-0f54ee141bf5.vbs"
        14⤵
        
        PID:2184
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3da840b-c35c-4e00-ab45-18408f922379.vbs"
        16⤵
        
        PID:2192
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cfa97a0-ec23-48b9-83d5-d45ad79b5997.vbs"
        18⤵
        
        PID:2484
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12b1f53b-c6e0-4c44-84ce-d58fb461033e.vbs"
        20⤵
        
        PID:1984
        
        C:\Windows\LiveKernelReports\dllhost.exe
        
        C:\Windows\LiveKernelReports\dllhost.exe
        21⤵
        
        PID:344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64e351e1-e7f0-4c91-ab6d-ad92065b051c.vbs"
        20⤵
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc93244c-7968-4cd4-b9bc-21a3079a30a2.vbs"
        18⤵
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5450a999-dccb-4845-a4df-26cf44b0d56d.vbs"
        16⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb818e64-60e5-41f4-b635-eed15f022043.vbs"
        14⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de78863c-7d27-4e93-9818-e887aeda9199.vbs"
        12⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6b4ebae-f757-429a-afbf-9e136254d614.vbs"
        10⤵
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16f85837-2f23-46e0-9bc2-a7b4267452fb.vbs"
        8⤵
        
        PID:2984
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ba55ac4-ad41-45b3-b3a0-051c352b151f.vbs"
        6⤵
        
        PID:2064
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4be4036-634e-4a2b-a6cf-1084521e8347.vbs"
      4⤵
      PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\features\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\lib\ext\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lib\ext\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lib\ext\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
1.7MB

MD5
2eafa686b9c8c25716fd185253673184

SHA1
d04d36db2cdcc52ecdb209a2bb6b739774c9d371

SHA256
22b773e6bfed34a929d79b74dddc88f0e6181a2c878e4c0daa1800ca2efe5374

SHA512
3e11d419dc2358b9aa85ba75256feb5e0596dfbbbbeb9d6a9022d5bc93911c6ff9f49336c424fd4562755783704526d02159b397d4535c446d4bbcfc84d7572d

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\lsass.exe

Filesize
1.7MB

MD5
2a51ca573d943b66b5d71083adfedcc2

SHA1
250670f5c7379cd41477ccb070e37820cce54d59

SHA256
80b55dda817616d0b8c779098f57f5bdd453b49efb8540f9a0822e2ed6be89c9

SHA512
e4d383be978d7b4034bbc03b4dd44030c31f545b4f35cccc3b591546ae88faeef9a92358e017624375da1270d4702427a4559e0ed1578fe224296cd5bbaf6543

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe

Filesize
1.7MB

MD5
92f20cf5b97297600b5272178b6534c7

SHA1
3d7b513aea13d6a7c7e66d0a74d0af11b8d7f625

SHA256
abd9f8aa3568761404062e820be47db1a3bcee625fcff0b2ce4ff4fe1bff983b

SHA512
81f0c12d78f958d1a1d74bd13ed015c878bef5a51040ab9346713a47626a58e163f6568b9f97803b18b49a583b5622c61fd065d9fe957af8763ce80edd3135c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\12b1f53b-c6e0-4c44-84ce-d58fb461033e.vbs

Filesize
716B

MD5
53c65d1af8f7971bf46823b204eaf9e2

SHA1
437c7d9770bd470ce61b23d17e6762d642165ec7

SHA256
f3ae1659aea55a0e7d5f9a30e49c6631c5d256f2e99425d8bbb6de130cd7fdc6

SHA512
01ecce95cf98250327d27d778fbcc1a16801694bab0dd1948fca11bc6e2d06c1046f13d81c41eedfa6857f7e7d6cfb9bef26f98dda13fe963f0ee5f5d63c3a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cfa97a0-ec23-48b9-83d5-d45ad79b5997.vbs

Filesize
716B

MD5
ae242880c806adb909f1f678c229530e

SHA1
7d3fe2a6cd6bbcb971fef563e2c9fc8372964d8c

SHA256
69d32987437a7859322385ee91d347b0acc13241e89afe86b49676950c2e05f0

SHA512
fee698619a3f83fe165f95894a4294468e53ca898f72c6642069dd6ee2b4fc672b6a7400907baed3c10becaea68a4edd5a9e1182e228404ed6ae29b602cd8676

Download Submit
C:\Users\Admin\AppData\Local\Temp\75257d6b-ee30-405c-b0e3-0f54ee141bf5.vbs

Filesize
716B

MD5
66ff4b901f0d23a05f52f7998d4bbf84

SHA1
57a1b1d85806460bc1a1832fe409f7b9378de738

SHA256
135f7251f09768f2a7a81485f90a0c2ebf70b936d3849a1e5cc7aa5f4113c07c

SHA512
72be3df59bd8fcf4037f25b9c0a4a37d4129caf42d8b1b5ee4da95c3f2c18be06e4c3e20cd3cc60c706ea34d8453c5930f6978b8b4395d101fccffc1c9f70be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\89e41114-2fec-477c-a49c-3df225619d35.vbs

Filesize
715B

MD5
a9dafc7f2524b4d17d5db10512ab44cf

SHA1
8a3902616aaa8a2762d213ac0d2ee66505213fcc

SHA256
9c0c5387f2b775b11fd5c592e03b1ea21979009f3d9f9fc54d71167fc66d1e21

SHA512
87559c2c50473d6b98e0041327e8bf0a835c8fd083b543ce577aa1928750e61049aae400f45e904db8827d6e2fdbaf91d6c0e282900855fc71ae3e18124b9d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QfKFARzT3K.bat

Filesize
205B

MD5
b8eb250d8b17295206d1d86f6b9495ed

SHA1
3e67a17625cbe2c0e094cf4fcd112379889c5aa0

SHA256
847db573c9eff14eeaf4fbc2638f76c31270b8e692285e3c6232e7d464c5e52c

SHA512
11f687c5b9ca00eadc5e33ad3bc719be022476584ec7be4018c78961c19608d95d464c9b274bfbe238b95201cb31301d4ceefc3a31ae7de853752d2eb38655a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3da840b-c35c-4e00-ab45-18408f922379.vbs

Filesize
716B

MD5
79e46cfa3dc7768809e9f43ec0c86e51

SHA1
c4ed267d83d0d741074cd658c5dc9f85e4d1d4a3

SHA256
d57fc4b11a202b69573e8740b50e8b07dff0183f4ff2929f2e3519b0722bc82b

SHA512
c7f01fe7c99d135b93a33964c8583e7e22ff3573c09ae7983745ba0dc588aea1af59dbb02427963bd218de8dacef894960afe81bcab6fac4db6ef4d083dddf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae8b8780-d058-447f-8a36-42b9bf978ddd.vbs

Filesize
716B

MD5
cde9bca3554536ad3cbf157c49e0eb91

SHA1
60b3e453439c8aa11bbc429f55af27da7bd12acb

SHA256
00290cc160d93d9e09e179e9d0f462f16386a63cbbe9fc733fc567127373409b

SHA512
9e3320faf315a38d8e17ed84bf44991354ef41db83d1b4c603076bd1588b0159e9750f31a1a571f7d22c96ec049f10c5a154d261a660caa326a174b52bd83466

Download Submit
C:\Users\Admin\AppData\Local\Temp\af221f87-d92c-4612-a0a0-b31b4c10fa97.vbs

Filesize
716B

MD5
abb805716e231a65430841815d4d5940

SHA1
42cff4134f70b886ad126626e3a047a0c4768038

SHA256
c32886d6eb1d0479b44f557de88b59dece4919ce89ed968d01d63b79a81d116c

SHA512
4df7b2dcc3798616762c605bbf0919689d796bb2e9f80ef9bb4f8d6d004e4e02efa4b670d589d3cd313d2f5fd14003e4408dc6d698fc5d702fcc9d9c4cf9638d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4be4036-634e-4a2b-a6cf-1084521e8347.vbs

Filesize
492B

MD5
815ded13a319893e33191f6d443c0e3f

SHA1
75272e9e6f09a3c5e7d452159ba8a4395a7122d5

SHA256
6fc6ce076da2f55aa25b43f73f5a01091aa0d02d34ed1040c7fcda03de562ac0

SHA512
e68d03e3cca216594e8cdb6ef085906bf21067d748576d520fb8c5cb75ee07b1bf0bcb579e401d3ba40fdc134e5e224e482eb61a975ecd88222542e73c64f8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d7639f-8641-442f-a5de-3d35beddb727.vbs

Filesize
715B

MD5
3943c6b6ed9e230c95ec4baeae8f92f1

SHA1
da7937ec2f18cee750083c26b43d35e5e7cfc974

SHA256
58c6e73b2506c6b5106d1bebe9e7265367a494dbb7bb35730daf99a828fc48cb

SHA512
e9cdb4d6843cd56ea021f5ccd2241f3ef3dd2fcfc7bb9423e15417a29ed69947dea01cb4756271c6448fd6440d8e2f0ba82a2a1c5b176f902ba83cc135df2fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa5221a9-0eaa-4127-862e-95700ab4a942.vbs

Filesize
716B

MD5
8f7decbc88ab59185933c1bd609d3d84

SHA1
570c304717d1d7a0b8870719d7c403685429f7ff

SHA256
619cca29120781622159d050e566fa813af83635f66dc7bb448f28a7c1eefbc3

SHA512
f541dd78daff3855ca47072a16f1012e2002c457d2177c9ac6c2159cc6fb3c0fe961c6d35bd7b0da76290092089ce65ccbb1847a0ef3f94772a264e50a603113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
428902a3d1463dbf2b130f7666c0c020

SHA1
d22b241ce901a61ea06fe9515a3fa98a7cad143f

SHA256
b41ec6d31c771039bb66c3d51c0b25f7cae17ebe3e2de758bc4aa8ffec366e28

SHA512
74d329bc5a1cab4103e543196e81b6dbf0cbac8289b949bb915b032581a7d184f149813c90a2fe9a0b55f85fe527c4333fe13e9594d53bd5d66bb4320c682f91

Download Submit
C:\Users\Public\Documents\audiodg.exe

Filesize
1.7MB

MD5
b87942dbe8f653d0b7d67f7233a0e291

SHA1
847301ce45c8b991c6aee498f05a784ac4c917f8

SHA256
a6a9bad54aea028faed776bb6d374e651fcb919c713c032f58112002d5127139

SHA512
0a589ea66548515f8a303ef5c66e48be4b74e62e448073195a6c3c6d7b6d966c10791fc08c2fd315ae938dff883562bb946307376a4e8f1db005fa1ea7396453

Download Submit
C:\Windows\Tasks\lsm.exe

Filesize
1.7MB

MD5
62b7df12b0bf850473035c45eefef8d2

SHA1
0d3c5920934bc572437d1ab577db45758f22853b

SHA256
8a1721fba0b5865ece46eb0773ce21eceeec1ae211555e7f8ca4848db846b667

SHA512
b287c2cf953d1b5801b691869a804638cc0a93231e4aa45269fe7557cf715e871c8ea5b1da149a6e07917af28083cbc1334661ac7c41de848e60139e1c16d557

Download Submit
C:\Windows\addins\explorer.exe

Filesize
1.7MB

MD5
7bfa5f3a5093828a7d531eca9ca5ca37

SHA1
5b083dffa26e4f4b8f701deceb286468c68337fe

SHA256
4323994d0bac7a0f2d98fb628a04fdb046dc962960bc5393a519220bd2c197f5

SHA512
732e1102aedcdc495fb0c162248270cbc1d7b026139ed5b429c3d6c642e8f3a47ae98b8ee4dd5fce6477a97defaccdea8b94d42b1a3fe91f71de0150940fff0b

Download Submit
memory/292-348-0x0000000001380000-0x0000000001540000-memory.dmp

Filesize
1.8MB

Download
memory/1632-284-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1632-285-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1640-385-0x00000000002D0000-0x0000000000490000-memory.dmp

Filesize
1.8MB

Download
memory/1740-373-0x0000000000E10000-0x0000000000FD0000-memory.dmp

Filesize
1.8MB

Download
memory/2236-13-0x000000001A870000-0x000000001A87A000-memory.dmp

Filesize
40KB

Download
memory/2236-12-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/2236-194-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/2236-231-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-254-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-20-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-17-0x000000001A9B0000-0x000000001A9BC000-memory.dmp

Filesize
48KB

Download
memory/2236-16-0x000000001A9A0000-0x000000001A9AC000-memory.dmp

Filesize
48KB

Download
memory/2236-15-0x000000001A990000-0x000000001A998000-memory.dmp

Filesize
32KB

Download
memory/2236-1-0x0000000000B10000-0x0000000000CD0000-memory.dmp

Filesize
1.8MB

Download
memory/2236-2-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-14-0x000000001A980000-0x000000001A98E000-memory.dmp

Filesize
56KB

Download
memory/2236-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/2236-219-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-11-0x0000000002240000-0x0000000002252000-memory.dmp

Filesize
72KB

Download
memory/2236-9-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2236-8-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2236-3-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2236-4-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2236-7-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2236-6-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/2236-5-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2856-315-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2856-314-0x0000000001100000-0x00000000012C0000-memory.dmp

Filesize
1.8MB

Download
memory/2916-361-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2916-360-0x0000000000210000-0x00000000003D0000-memory.dmp

Filesize
1.8MB

Download
memory/3000-397-0x00000000011C0000-0x0000000001380000-memory.dmp

Filesize
1.8MB

Download