dcrat | e9e6a5e4d64f01b158801bbaead6aedfeeb8cd754e734d1471f591ca3e2c08f8

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9d8ce72bea14182d0909964ca07a8b6.exe
Size

885KB
MD5

d9d8ce72bea14182d0909964ca07a8b6
SHA1

b28d8a45177dc711160d4ea289b88ececf0174fb
SHA256

c14f2d55ba7fb0234c638ac3b7b7081e5c94fb27382b081176fd88ae5b90aeb7
SHA512

78e08e64514d53ae1335caa9c36d66b0e1eea3f52b8fef6fee72cfbc449b6cd3b8f15b432329f7528a7291a438ba96fd8ec6ee4f13a13a30438bd7f98870c256
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2484	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/236-1-0x00000000003F0000-0x00000000004D4000-memory.dmp	dcrat
behavioral9/files/0x000500000001960b-18.dat	dcrat
behavioral9/memory/2828-217-0x0000000001070000-0x0000000001154000-memory.dmp	dcrat
behavioral9/files/0x000500000001c8d7-360.dat	dcrat
behavioral9/files/0x000600000001c8c2-316.dat	dcrat
behavioral9/memory/1904-386-0x0000000000C80000-0x0000000000D64000-memory.dmp	dcrat
behavioral9/memory/3064-397-0x0000000001140000-0x0000000001224000-memory.dmp	dcrat
behavioral9/memory/1628-464-0x0000000001280000-0x0000000001364000-memory.dmp	dcrat
behavioral9/memory/2800-520-0x0000000000F40000-0x0000000001024000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
1904	wininit.exe
3064	wininit.exe
2292	wininit.exe
1256	wininit.exe
2120	wininit.exe
892	wininit.exe
3064	wininit.exe
1628	wininit.exe
1704	wininit.exe
324	wininit.exe
2144	wininit.exe
820	wininit.exe
2800	wininit.exe

Drops file in Program Files directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXAD8E.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\lsass.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\Windows Media Player\fr-FR\WmiPrvSE.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\RCXC4F5.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\5940a34987c991	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\Internet Explorer\fr-FR\24dbde2999530e	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCXAD2A.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXC4B8.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC4BA.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\DVD Maker\lsm.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXC4B9.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\DVD Maker\RCXC506.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\MSBuild\dllhost.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\MSBuild\5940a34987c991	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\RCXC4F6.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXC508.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\Windows Media Player\fr-FR\24dbde2999530e	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\DVD Maker\RCXC507.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\7a0fd90576e088	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXAD13.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\1610b97d3ab4a7	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\explorer.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXAD3D.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\RCXAD8C.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\Internet Explorer\fr-FR\WmiPrvSE.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\42af1c969fbb7b	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXAD14.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXAD67.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXAD78.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXAD8D.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\6203df4a6bafc7	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files (x86)\MSBuild\dllhost.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RCXAD29.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Program Files\DVD Maker\101b941d020240	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXC4BB.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXC509.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXAD3C.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\RCXAD7B.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\servicing\en-US\lsass.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXAD79.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXAD7A.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\L2Schemas\56085415360792	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Windows\L2Schemas\RCXC4F1.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\LiveKernelReports\lsm.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\LiveKernelReports\101b941d020240	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\L2Schemas\wininit.exe	d9d8ce72bea14182d0909964ca07a8b6.exe
File opened for modification	C:\Windows\L2Schemas\RCXC4F2.tmp	d9d8ce72bea14182d0909964ca07a8b6.exe
File created	C:\Windows\rescache\Idle.exe	d9d8ce72bea14182d0909964ca07a8b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe
2988	schtasks.exe
2660	schtasks.exe
1008	schtasks.exe
2592	schtasks.exe
340	schtasks.exe
2164	schtasks.exe
1532	schtasks.exe
1960	schtasks.exe
2952	schtasks.exe
2372	schtasks.exe
2776	schtasks.exe
2688	schtasks.exe
1400	schtasks.exe
2300	schtasks.exe
1480	schtasks.exe
2288	schtasks.exe
2520	schtasks.exe
2040	schtasks.exe
2092	schtasks.exe
1176	schtasks.exe
2184	schtasks.exe
2116	schtasks.exe
1216	schtasks.exe
2380	schtasks.exe
2492	schtasks.exe
2372	schtasks.exe
1224	schtasks.exe
2840	schtasks.exe
3048	schtasks.exe
844	schtasks.exe
1268	schtasks.exe
1792	schtasks.exe
2780	schtasks.exe
2736	schtasks.exe
2824	schtasks.exe
2272	schtasks.exe
112	schtasks.exe
1964	schtasks.exe
2996	schtasks.exe
1952	schtasks.exe
1680	schtasks.exe
2328	schtasks.exe
2616	schtasks.exe
2292	schtasks.exe
2888	schtasks.exe
2348	schtasks.exe
2516	schtasks.exe
884	schtasks.exe
2532	schtasks.exe
2652	schtasks.exe
2332	schtasks.exe
2472	schtasks.exe
108	schtasks.exe
836	schtasks.exe
1988	schtasks.exe
1568	schtasks.exe
2448	schtasks.exe
2804	schtasks.exe
1688	schtasks.exe
2212	schtasks.exe
2824	schtasks.exe
2608	schtasks.exe
2980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
236	d9d8ce72bea14182d0909964ca07a8b6.exe
236	d9d8ce72bea14182d0909964ca07a8b6.exe
236	d9d8ce72bea14182d0909964ca07a8b6.exe
236	d9d8ce72bea14182d0909964ca07a8b6.exe
236	d9d8ce72bea14182d0909964ca07a8b6.exe
236	d9d8ce72bea14182d0909964ca07a8b6.exe
236	d9d8ce72bea14182d0909964ca07a8b6.exe
2828	d9d8ce72bea14182d0909964ca07a8b6.exe
2828	d9d8ce72bea14182d0909964ca07a8b6.exe
2828	d9d8ce72bea14182d0909964ca07a8b6.exe
1904	wininit.exe
3064	wininit.exe
2292	wininit.exe
1256	wininit.exe
2120	wininit.exe
892	wininit.exe
3064	wininit.exe
1628	wininit.exe
1704	wininit.exe
324	wininit.exe
2144	wininit.exe
820	wininit.exe
2800	wininit.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	d9d8ce72bea14182d0909964ca07a8b6.exe
Token: SeDebugPrivilege	2828	d9d8ce72bea14182d0909964ca07a8b6.exe
Token: SeDebugPrivilege	1904	wininit.exe
Token: SeDebugPrivilege	3064	wininit.exe
Token: SeDebugPrivilege	2292	wininit.exe
Token: SeDebugPrivilege	1256	wininit.exe
Token: SeDebugPrivilege	2120	wininit.exe
Token: SeDebugPrivilege	892	wininit.exe
Token: SeDebugPrivilege	3064	wininit.exe
Token: SeDebugPrivilege	1628	wininit.exe
Token: SeDebugPrivilege	1704	wininit.exe
Token: SeDebugPrivilege	324	wininit.exe
Token: SeDebugPrivilege	2144	wininit.exe
Token: SeDebugPrivilege	820	wininit.exe
Token: SeDebugPrivilege	2800	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 2624	236	d9d8ce72bea14182d0909964ca07a8b6.exe	76
PID 236 wrote to memory of 2624	236	d9d8ce72bea14182d0909964ca07a8b6.exe	76
PID 236 wrote to memory of 2624	236	d9d8ce72bea14182d0909964ca07a8b6.exe	76
PID 2624 wrote to memory of 2344	2624	cmd.exe	78
PID 2624 wrote to memory of 2344	2624	cmd.exe	78
PID 2624 wrote to memory of 2344	2624	cmd.exe	78
PID 2624 wrote to memory of 2828	2624	cmd.exe	79
PID 2624 wrote to memory of 2828	2624	cmd.exe	79
PID 2624 wrote to memory of 2828	2624	cmd.exe	79
PID 2828 wrote to memory of 1904	2828	d9d8ce72bea14182d0909964ca07a8b6.exe	116
PID 2828 wrote to memory of 1904	2828	d9d8ce72bea14182d0909964ca07a8b6.exe	116
PID 2828 wrote to memory of 1904	2828	d9d8ce72bea14182d0909964ca07a8b6.exe	116
PID 1904 wrote to memory of 2300	1904	wininit.exe	118
PID 1904 wrote to memory of 2300	1904	wininit.exe	118
PID 1904 wrote to memory of 2300	1904	wininit.exe	118
PID 1904 wrote to memory of 2112	1904	wininit.exe	119
PID 1904 wrote to memory of 2112	1904	wininit.exe	119
PID 1904 wrote to memory of 2112	1904	wininit.exe	119
PID 2300 wrote to memory of 3064	2300	WScript.exe	120
PID 2300 wrote to memory of 3064	2300	WScript.exe	120
PID 2300 wrote to memory of 3064	2300	WScript.exe	120
PID 3064 wrote to memory of 1204	3064	wininit.exe	121
PID 3064 wrote to memory of 1204	3064	wininit.exe	121
PID 3064 wrote to memory of 1204	3064	wininit.exe	121
PID 3064 wrote to memory of 2588	3064	wininit.exe	122
PID 3064 wrote to memory of 2588	3064	wininit.exe	122
PID 3064 wrote to memory of 2588	3064	wininit.exe	122
PID 1204 wrote to memory of 2292	1204	WScript.exe	123
PID 1204 wrote to memory of 2292	1204	WScript.exe	123
PID 1204 wrote to memory of 2292	1204	WScript.exe	123
PID 2292 wrote to memory of 2964	2292	wininit.exe	124
PID 2292 wrote to memory of 2964	2292	wininit.exe	124
PID 2292 wrote to memory of 2964	2292	wininit.exe	124
PID 2292 wrote to memory of 1036	2292	wininit.exe	125
PID 2292 wrote to memory of 1036	2292	wininit.exe	125
PID 2292 wrote to memory of 1036	2292	wininit.exe	125
PID 2964 wrote to memory of 1256	2964	WScript.exe	126
PID 2964 wrote to memory of 1256	2964	WScript.exe	126
PID 2964 wrote to memory of 1256	2964	WScript.exe	126
PID 1256 wrote to memory of 876	1256	wininit.exe	127
PID 1256 wrote to memory of 876	1256	wininit.exe	127
PID 1256 wrote to memory of 876	1256	wininit.exe	127
PID 1256 wrote to memory of 1784	1256	wininit.exe	128
PID 1256 wrote to memory of 1784	1256	wininit.exe	128
PID 1256 wrote to memory of 1784	1256	wininit.exe	128
PID 876 wrote to memory of 2120	876	WScript.exe	129
PID 876 wrote to memory of 2120	876	WScript.exe	129
PID 876 wrote to memory of 2120	876	WScript.exe	129
PID 2120 wrote to memory of 2108	2120	wininit.exe	130
PID 2120 wrote to memory of 2108	2120	wininit.exe	130
PID 2120 wrote to memory of 2108	2120	wininit.exe	130
PID 2120 wrote to memory of 1952	2120	wininit.exe	131
PID 2120 wrote to memory of 1952	2120	wininit.exe	131
PID 2120 wrote to memory of 1952	2120	wininit.exe	131
PID 2108 wrote to memory of 892	2108	WScript.exe	132
PID 2108 wrote to memory of 892	2108	WScript.exe	132
PID 2108 wrote to memory of 892	2108	WScript.exe	132
PID 892 wrote to memory of 1408	892	wininit.exe	133
PID 892 wrote to memory of 1408	892	wininit.exe	133
PID 892 wrote to memory of 1408	892	wininit.exe	133
PID 892 wrote to memory of 3012	892	wininit.exe	134
PID 892 wrote to memory of 3012	892	wininit.exe	134
PID 892 wrote to memory of 3012	892	wininit.exe	134
PID 1408 wrote to memory of 3064	1408	WScript.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d9d8ce72bea14182d0909964ca07a8b6.exe
"C:\Users\Admin\AppData\Local\Temp\d9d8ce72bea14182d0909964ca07a8b6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PjeqD3hzkr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\d9d8ce72bea14182d0909964ca07a8b6.exe
    "C:\Users\Admin\AppData\Local\Temp\d9d8ce72bea14182d0909964ca07a8b6.exe"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
      "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1ad9b23-0ae2-45be-8ca8-b8e60e51aa38.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cadfb35-46d2-4e37-ae22-2196d15c538f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\135d61a1-f830-4048-9414-434d13caacf7.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df734261-9829-40c8-8fa2-149054b6b546.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e14a75e-c403-4af5-bdf9-945b7e7cf026.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffe439c3-6eb1-4bfe-bbd6-bd09efeb4b52.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99f769dc-449a-45f1-bc0a-225efbf02d1d.vbs"
        17⤵
        
        PID:2532
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c026ba13-48ad-49c0-9aa2-6d5cbb4c3341.vbs"
        19⤵
        
        PID:2984
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\968d803d-b93b-4896-98e3-50bc91b522fc.vbs"
        21⤵
        
        PID:1888
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a2f94f-2c3d-494b-8f8c-42c8d5199735.vbs"
        23⤵
        
        PID:664
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6587bde-1fb7-4c2d-96ad-2467979fbe22.vbs"
        25⤵
        
        PID:1428
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\448a350d-f79f-46e9-b7a3-a79f22616671.vbs"
        27⤵
        
        PID:1692
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\191e1f5c-77f2-4d6f-9de5-650024766e08.vbs"
        29⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8eeef83-44c4-49a3-98eb-a6082e22f3c8.vbs"
        29⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1433d64d-8f14-41e5-88fd-0abedc350fdd.vbs"
        27⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04f0a530-a4c1-463e-bbce-54f3e0716359.vbs"
        25⤵
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4012c81a-70df-42ca-a4ea-a187e173daaf.vbs"
        23⤵
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0d6fbe3-a500-44fe-81ef-56ccf482b774.vbs"
        21⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afe94701-e189-4318-a33f-96fd66af8184.vbs"
        19⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7d33880-3d70-4fdc-bd19-c53a43269e9e.vbs"
        17⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\935e99e8-e4a1-4055-bded-772adfb7e643.vbs"
        15⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f294b66-ccb6-46d2-8759-962f2b737669.vbs"
        13⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42401c62-47df-44ac-8c2c-5d4b3383970c.vbs"
        11⤵
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dd95a81-4867-42d9-90dc-048959bd75b1.vbs"
        9⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91ac02b6-c116-451d-a720-d71e333878fa.vbs"
        7⤵
        
        PID:2588
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84771dad-a1be-43c0-9289-2801c651ee24.vbs"
        5⤵
        
        PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d9d8ce72bea14182d0909964ca07a8b6d" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\d9d8ce72bea14182d0909964ca07a8b6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d9d8ce72bea14182d0909964ca07a8b6" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\d9d8ce72bea14182d0909964ca07a8b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d9d8ce72bea14182d0909964ca07a8b6d" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\d9d8ce72bea14182d0909964ca07a8b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d9d8ce72bea14182d0909964ca07a8b6d" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\d9d8ce72bea14182d0909964ca07a8b6.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d9d8ce72bea14182d0909964ca07a8b6" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\d9d8ce72bea14182d0909964ca07a8b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d9d8ce72bea14182d0909964ca07a8b6d" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\d9d8ce72bea14182d0909964ca07a8b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
1⤵
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\dwm.exe

Filesize
885KB

MD5
d9d8ce72bea14182d0909964ca07a8b6

SHA1
b28d8a45177dc711160d4ea289b88ececf0174fb

SHA256
c14f2d55ba7fb0234c638ac3b7b7081e5c94fb27382b081176fd88ae5b90aeb7

SHA512
78e08e64514d53ae1335caa9c36d66b0e1eea3f52b8fef6fee72cfbc449b6cd3b8f15b432329f7528a7291a438ba96fd8ec6ee4f13a13a30438bd7f98870c256

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RCXC50A.tmp

Filesize
885KB

MD5
f25769a2e485d6031c39ae5c3d9e0fe8

SHA1
02a25f3a7182694bbfa7f4629e6be1327cff9409

SHA256
2519101063dfe5e70bc61c2a7890494025de01c05fcb3eef88393a05e2652a54

SHA512
b90000ea09408fbdeea140aab82c2d11a88b39785801dffc869603ddc90f34249c0f9313bd138f6fab93ff0aed609493dbd9e323a71e4ab401cbfbb09f346034

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\RCXC4F3.tmp

Filesize
885KB

MD5
c1c83ada423e43f472d16d79bfccfdbe

SHA1
71d44b49bbdda78ec94f72c95dc1417bb922e4c7

SHA256
22559ea43dc87333c2b8e8299e1e6048414be94dcec4faaabdc9c311e8a0f6ac

SHA512
2b35cbcb218cae63e8ce657c6a3e0dd24f62e0e4fe6ced7fa0317dc4923fc1266e4974b03bc88ce7f5b1bbf47d57ee2ace306cefcbfb87c3fac61fe51778b48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\135d61a1-f830-4048-9414-434d13caacf7.vbs

Filesize
736B

MD5
cae294a6227ea6f888b1729dfd63d11b

SHA1
cbffc163ed31f5c7a0e4acb850c59e9aac15f281

SHA256
a6e13e22351031e06ab91275538e1a050206c49dda230244b22fbb6eb1a2a9d6

SHA512
06950349f706dbf46e52b12b3dc6cecfe67cfe5c55346042622bf80fb264fee7c23bd23010187bb9614c423b3c0bbd93f43efbbb66d2fe2af27ff2fdfabc50dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\191e1f5c-77f2-4d6f-9de5-650024766e08.vbs

Filesize
736B

MD5
537ccd1b7f2ef11dda6c9906847a497d

SHA1
a0ae01b9957f370b8f8964c2367191529a5928d9

SHA256
4c2ea4d235c864b84862d04fb2bd4e1dfbc56806bb961bf008302e94fee561fc

SHA512
db65f40ed6a0fabb8bc59a0cf09a9debddafd7fc4144cf619685871df3f334718888226059583b7f583bc939ff0d28a32a2c71d964b02df936dd1599c32993cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\448a350d-f79f-46e9-b7a3-a79f22616671.vbs

Filesize
735B

MD5
afb7156561fb929df13a4f748ce67aaf

SHA1
54125b4da81e9765311cfe5da972d3bfbad82688

SHA256
5e347e7e733efdbb4dc3544ec9c4cfa7efd17992cc74e90e71503cc033f5e3ed

SHA512
511093db258c7dc310b532e6100177e4fe97c92deed3866a063ae24202276d8f21bc21f36ae8a12e1a118d9241a13b52e3a001d283a6dda86ea5aecaa8c43933

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cadfb35-46d2-4e37-ae22-2196d15c538f.vbs

Filesize
736B

MD5
558177a39e3371feaaf97efc5c4af99d

SHA1
7d0ff645afb70c703f95d304a54cc961649a05ae

SHA256
11b5039a9c78085f485d4e21566869560bddb56f8024b78cb5d8ab22c614f63d

SHA512
4b493a1656698fd8a8903c57c63024c384e6ec5f1c5c35d5570c57ee6a0a77ff7d6d8c1960e0947be651fe81de63f91e98d0e3acc6c029f752caf1697613fa3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e14a75e-c403-4af5-bdf9-945b7e7cf026.vbs

Filesize
736B

MD5
9688b105adb1b27502698cdeb8dd3c32

SHA1
a97ed9385dfe4d5a3d9346fc1e7d66afcc815937

SHA256
2e53619032625c800afeb56af73f86c32342ff706494c1528067e457e38d0549

SHA512
e794cd0d0825f814b347b50dfc9eb44d58285b2744d6b45bc1fbffc14d840532374cf018ceaa450154b45bea187c47f216f5d469eb41eca4ff8c22b460fa6c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\84771dad-a1be-43c0-9289-2801c651ee24.vbs

Filesize
512B

MD5
eb650dcac7db1a2f72bde2f6512db0c8

SHA1
b23cb125ecfa6cd17ef9194cbee629fc57c303d6

SHA256
4854ced8443037141110dea7e61631fff9a434e4fc92528bc4de515b4ccf98e6

SHA512
c31b01d4b471e54261e34999bdf380c0acd0b6ccaf33b9a03723adbcf1ce34fd1aabf62af9f64a5d485dfb7f5d6d73e4f969637abd28dd245ce10c7edc70089d

Download Submit
C:\Users\Admin\AppData\Local\Temp\968d803d-b93b-4896-98e3-50bc91b522fc.vbs

Filesize
736B

MD5
360ec6c0b1417031855b4ee3ddb39483

SHA1
2067cb9152e8d8d55098fb21e5018dd3dbb58226

SHA256
30d2430b8a92823af7e97759c1a482f611f436f652a5b5f902f1b2983e85cc5a

SHA512
6aa97f089d17a9ca1ade7070272ce0b2668298074e17f93b97e474a8f9d1f70be9d31aa2c08ae46eb37af1b51299b856ee1b662e034a3f50a9d2da993a385456

Download Submit
C:\Users\Admin\AppData\Local\Temp\PjeqD3hzkr.bat

Filesize
235B

MD5
cb7c1c86a03ec941651dd58c0ad73d12

SHA1
0e7fc9646e86579459f939d0a0e6964fc94aace9

SHA256
f0157f564f55730cbb9018d84b4a256c6fd31c6719b789878a51e601f35a1495

SHA512
a25d19f03dd615f48893376a873f3ddc4e1df6fff22a34ee12b7f88759388502b7f671fe46ee8f7e6f8dc188d5f945f8d02754bec4c8cd1dc58179259067ab1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c026ba13-48ad-49c0-9aa2-6d5cbb4c3341.vbs

Filesize
736B

MD5
d7f53ffdce19b301ad3ab3f55edc6f42

SHA1
538663235bd43ae777c4e8e3c1c80c417399e15a

SHA256
0b1e3e068b20a23fe9f1f100f9ab054d767db250ffab89f50bc002cb91476ae8

SHA512
f0e9f9a6200f1aacb6025cd42c09577d438d5a6554471a9e2a98fc2beae6adc7e52fded5abbf6d1cc5485bf5c949c1018ad71bdfa974ff41437c7453e03c3a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1ad9b23-0ae2-45be-8ca8-b8e60e51aa38.vbs

Filesize
736B

MD5
06ba4b825bff6278b921a84e7a34c6ca

SHA1
2af25ae4360911766b6bf1b0ff0d477faefa3c08

SHA256
261c03add816332cdb6cada86abb5201ee5672d1df0380e114981c07c017dd54

SHA512
72ff532fbaf4c485476ed8d9850220548e4a40ed933143136f040d097e1a23819e6534132d2b615bd75107749d1f370510116835319280e6da248d57b18fcaa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\df734261-9829-40c8-8fa2-149054b6b546.vbs

Filesize
736B

MD5
7c0af6e63b5e31824e747c86ad2cd515

SHA1
3ffa7b89158cb455866c39904eff9da8833c522f

SHA256
2b138e718a561e4020d16cfab9e4cc62a9937666512b525479a7382bdfd49009

SHA512
f3b65a78d6107feeef1fbb1ff88688d5e57917d068aefff907c224733f951e22e4d0d78a7dbef2ed445bc905300d6e0ef8d6caec00f70dd376757122920ee64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3a2f94f-2c3d-494b-8f8c-42c8d5199735.vbs

Filesize
735B

MD5
68b67000af08bb81522199a49c4c6818

SHA1
edcc11962b442c224776be8d67317fb498f2c4a9

SHA256
700d368229eb51ae8c7d52dd11d596030f88e1c054d3debaf0fec11438cb7df8

SHA512
8b56c3d8949a221b5a5858ce0007d4bfba5dc806cb22bdb4ef909747e527e10c7866018896e1c0ad7eaba6d96fe81bd092bccb0c35e3fc8b8737d5761f95e8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6587bde-1fb7-4c2d-96ad-2467979fbe22.vbs

Filesize
736B

MD5
420af6846e0dd730f67ba84fff8c91da

SHA1
a28b9e7ce08bfd75f11ddea001408e5f1bc48a2b

SHA256
6e771c7792d759a363fc713422c36665668d3ee2ecb3a6fac33229ea374ffcab

SHA512
45924ea62db966337765f6357952cac6d45eba6418560e816b06c7ed0ee2274d935f5156227ad50fcda3f3e894f0a26b9bda7067f724348227c2fd1eba6c6140

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffe439c3-6eb1-4bfe-bbd6-bd09efeb4b52.vbs

Filesize
735B

MD5
026a59f35139b80185bb46c62c0584fb

SHA1
9fab8c72768d943cc0c937804101fccab0b8b26e

SHA256
5f0866d273329aecc572e3230cf76b0adf8f84f613514f8c72061da5a8f4ba7f

SHA512
8e3e3b8141d98db416ed5bff2e34eebe5fc43fccc9dee1a961e048a3888083859535152ce164b6b8939d7cadce6565ebed1ad62cfa77b716ce027da56b9dbb25

Download Submit
memory/236-9-0x000000001AC60000-0x000000001AC6C000-memory.dmp

Filesize
48KB

Download
memory/236-6-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/236-1-0x00000000003F0000-0x00000000004D4000-memory.dmp

Filesize
912KB

Download
memory/236-2-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/236-215-0x000007FEF64F0000-0x000007FEF6EDC000-memory.dmp

Filesize
9.9MB

Download
memory/236-8-0x000000001AC50000-0x000000001AC58000-memory.dmp

Filesize
32KB

Download
memory/236-0-0x000007FEF64F3000-0x000007FEF64F4000-memory.dmp

Filesize
4KB

Download
memory/236-3-0x00000000021C0000-0x00000000021DC000-memory.dmp

Filesize
112KB

Download
memory/236-4-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/236-7-0x000000001AB40000-0x000000001AB4E000-memory.dmp

Filesize
56KB

Download
memory/236-5-0x000000001A750000-0x000000001A766000-memory.dmp

Filesize
88KB

Download
memory/1628-464-0x0000000001280000-0x0000000001364000-memory.dmp

Filesize
912KB

Download
memory/1904-386-0x0000000000C80000-0x0000000000D64000-memory.dmp

Filesize
912KB

Download
memory/2800-520-0x0000000000F40000-0x0000000001024000-memory.dmp

Filesize
912KB

Download
memory/2828-217-0x0000000001070000-0x0000000001154000-memory.dmp

Filesize
912KB

Download
memory/3064-397-0x0000000001140000-0x0000000001224000-memory.dmp

Filesize
912KB

Download