dcrat | f08d555b265bc840ef4d7904f37de7886b276d3b2f85180bb63b0e29445e02b1

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c888e1de25b9c34d74509d3ed5a918e1.exe
Size

885KB
MD5

c888e1de25b9c34d74509d3ed5a918e1
SHA1

61c0aa0c64a7142e1a7e1682993c97b72fc8deb3
SHA256

8cdc21ccbff31e8798a3581282fdb5007c33042221a3d2d64e6ce767e936b930
SHA512

eca2875bda3c49425b803cd2b21ef79cc0e693c32f3f8808148bff03670408b6eb561b9dd50de41eeb26008f294e492ab171c6afe97c50f9e51c2afb3187452c
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2520	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	2520	schtasks.exe	88

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral16/memory/852-1-0x0000000000030000-0x0000000000114000-memory.dmp	dcrat
behavioral16/files/0x00080000000240d3-21.dat	dcrat
behavioral16/files/0x00090000000240d9-102.dat	dcrat
behavioral16/files/0x00080000000240da-112.dat	dcrat
behavioral16/files/0x000600000001e723-195.dat	dcrat
behavioral16/files/0x000800000001e97e-225.dat	dcrat

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	c888e1de25b9c34d74509d3ed5a918e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	c888e1de25b9c34d74509d3ed5a918e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	taskhostw.exe

Executes dropped EXE 17 IoCs

pid	Process
1488	taskhostw.exe
1348	taskhostw.exe
2948	taskhostw.exe
852	taskhostw.exe
1916	taskhostw.exe
3584	taskhostw.exe
1312	taskhostw.exe
4912	taskhostw.exe
540	taskhostw.exe
1104	taskhostw.exe
2872	taskhostw.exe
2328	taskhostw.exe
1804	taskhostw.exe
2344	taskhostw.exe
468	taskhostw.exe
3624	taskhostw.exe
2960	taskhostw.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\RCX8F75.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\ea9f0e6c9e2dcd	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RCXAA97.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXABB9.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXABCA.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\RCX8FB4.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\taskhostw.exe	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\55b276f4edf653	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXA986.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXA987.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RCXAA96.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\System.exe	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\27d1bcfc3c54e0	c888e1de25b9c34d74509d3ed5a918e1.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\debug\csrss.exe	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Windows\debug\886983d96e3d3e	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Windows\debug\RCX8F63.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Windows\it-IT\ea9f0e6c9e2dcd	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Windows\schemas\AvailableNetwork\winlogon.exe	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Windows\it-IT\RCXAA05.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Windows\it-IT\RCXAA06.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXAA85.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Windows\debug\RCX8F64.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Windows\it-IT\taskhostw.exe	c888e1de25b9c34d74509d3ed5a918e1.exe
File created	C:\Windows\schemas\AvailableNetwork\cc11b995f2a76d	c888e1de25b9c34d74509d3ed5a918e1.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\RCXAA84.tmp	c888e1de25b9c34d74509d3ed5a918e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	c888e1de25b9c34d74509d3ed5a918e1.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	taskhostw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4540	schtasks.exe
2492	schtasks.exe
4552	schtasks.exe
4976	schtasks.exe
4772	schtasks.exe
1480	schtasks.exe
2476	schtasks.exe
696	schtasks.exe
1596	schtasks.exe
2136	schtasks.exe
4440	schtasks.exe
2348	schtasks.exe
1512	schtasks.exe
2176	schtasks.exe
1856	schtasks.exe
4432	schtasks.exe
3608	schtasks.exe
3444	schtasks.exe
748	schtasks.exe
3516	schtasks.exe
3060	schtasks.exe
4580	schtasks.exe
2164	schtasks.exe
3732	schtasks.exe
644	schtasks.exe
3024	schtasks.exe
544	schtasks.exe
264	schtasks.exe
2112	schtasks.exe
2764	schtasks.exe
964	schtasks.exe
2684	schtasks.exe
2128	schtasks.exe
1432	schtasks.exe
4144	schtasks.exe
4112	schtasks.exe
4636	schtasks.exe
232	schtasks.exe
1812	schtasks.exe
4044	schtasks.exe
1700	schtasks.exe
1340	schtasks.exe
2948	schtasks.exe
3508	schtasks.exe
3284	schtasks.exe
2436	schtasks.exe
2868	schtasks.exe
4884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
852	c888e1de25b9c34d74509d3ed5a918e1.exe
1916	c888e1de25b9c34d74509d3ed5a918e1.exe
1916	c888e1de25b9c34d74509d3ed5a918e1.exe
1916	c888e1de25b9c34d74509d3ed5a918e1.exe
1916	c888e1de25b9c34d74509d3ed5a918e1.exe
1916	c888e1de25b9c34d74509d3ed5a918e1.exe
1488	taskhostw.exe
1348	taskhostw.exe
2948	taskhostw.exe
852	taskhostw.exe
1916	taskhostw.exe
3584	taskhostw.exe
3584	taskhostw.exe
1312	taskhostw.exe
1312	taskhostw.exe
4912	taskhostw.exe
4912	taskhostw.exe
540	taskhostw.exe
540	taskhostw.exe
1104	taskhostw.exe
1104	taskhostw.exe
2872	taskhostw.exe
2872	taskhostw.exe
2328	taskhostw.exe
2328	taskhostw.exe
1804	taskhostw.exe
1804	taskhostw.exe
2344	taskhostw.exe
2344	taskhostw.exe
468	taskhostw.exe
468	taskhostw.exe
3624	taskhostw.exe
3624	taskhostw.exe
2960	taskhostw.exe
2960	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	c888e1de25b9c34d74509d3ed5a918e1.exe
Token: SeDebugPrivilege	1916	c888e1de25b9c34d74509d3ed5a918e1.exe
Token: SeDebugPrivilege	1488	taskhostw.exe
Token: SeDebugPrivilege	1348	taskhostw.exe
Token: SeDebugPrivilege	2948	taskhostw.exe
Token: SeDebugPrivilege	852	taskhostw.exe
Token: SeDebugPrivilege	1916	taskhostw.exe
Token: SeDebugPrivilege	3584	taskhostw.exe
Token: SeDebugPrivilege	1312	taskhostw.exe
Token: SeDebugPrivilege	4912	taskhostw.exe
Token: SeDebugPrivilege	540	taskhostw.exe
Token: SeDebugPrivilege	1104	taskhostw.exe
Token: SeDebugPrivilege	2872	taskhostw.exe
Token: SeDebugPrivilege	2328	taskhostw.exe
Token: SeDebugPrivilege	1804	taskhostw.exe
Token: SeDebugPrivilege	2344	taskhostw.exe
Token: SeDebugPrivilege	468	taskhostw.exe
Token: SeDebugPrivilege	3624	taskhostw.exe
Token: SeDebugPrivilege	2960	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 4916	852	c888e1de25b9c34d74509d3ed5a918e1.exe	98
PID 852 wrote to memory of 4916	852	c888e1de25b9c34d74509d3ed5a918e1.exe	98
PID 4916 wrote to memory of 4108	4916	cmd.exe	100
PID 4916 wrote to memory of 4108	4916	cmd.exe	100
PID 4916 wrote to memory of 1916	4916	cmd.exe	104
PID 4916 wrote to memory of 1916	4916	cmd.exe	104
PID 1916 wrote to memory of 1488	1916	c888e1de25b9c34d74509d3ed5a918e1.exe	145
PID 1916 wrote to memory of 1488	1916	c888e1de25b9c34d74509d3ed5a918e1.exe	145
PID 1488 wrote to memory of 1904	1488	taskhostw.exe	146
PID 1488 wrote to memory of 1904	1488	taskhostw.exe	146
PID 1488 wrote to memory of 4548	1488	taskhostw.exe	147
PID 1488 wrote to memory of 4548	1488	taskhostw.exe	147
PID 1904 wrote to memory of 1348	1904	WScript.exe	150
PID 1904 wrote to memory of 1348	1904	WScript.exe	150
PID 1348 wrote to memory of 2436	1348	taskhostw.exe	151
PID 1348 wrote to memory of 2436	1348	taskhostw.exe	151
PID 1348 wrote to memory of 3608	1348	taskhostw.exe	152
PID 1348 wrote to memory of 3608	1348	taskhostw.exe	152
PID 2436 wrote to memory of 2948	2436	WScript.exe	153
PID 2436 wrote to memory of 2948	2436	WScript.exe	153
PID 2948 wrote to memory of 2380	2948	taskhostw.exe	154
PID 2948 wrote to memory of 2380	2948	taskhostw.exe	154
PID 2948 wrote to memory of 4328	2948	taskhostw.exe	155
PID 2948 wrote to memory of 4328	2948	taskhostw.exe	155
PID 2380 wrote to memory of 852	2380	WScript.exe	156
PID 2380 wrote to memory of 852	2380	WScript.exe	156
PID 852 wrote to memory of 2916	852	taskhostw.exe	158
PID 852 wrote to memory of 2916	852	taskhostw.exe	158
PID 852 wrote to memory of 3296	852	taskhostw.exe	159
PID 852 wrote to memory of 3296	852	taskhostw.exe	159
PID 2916 wrote to memory of 1916	2916	WScript.exe	161
PID 2916 wrote to memory of 1916	2916	WScript.exe	161
PID 1916 wrote to memory of 1168	1916	taskhostw.exe	162
PID 1916 wrote to memory of 1168	1916	taskhostw.exe	162
PID 1916 wrote to memory of 1220	1916	taskhostw.exe	163
PID 1916 wrote to memory of 1220	1916	taskhostw.exe	163
PID 1168 wrote to memory of 3584	1168	WScript.exe	166
PID 1168 wrote to memory of 3584	1168	WScript.exe	166
PID 3584 wrote to memory of 468	3584	taskhostw.exe	168
PID 3584 wrote to memory of 468	3584	taskhostw.exe	168
PID 3584 wrote to memory of 2884	3584	taskhostw.exe	169
PID 3584 wrote to memory of 2884	3584	taskhostw.exe	169
PID 468 wrote to memory of 1312	468	WScript.exe	171
PID 468 wrote to memory of 1312	468	WScript.exe	171
PID 1312 wrote to memory of 2696	1312	taskhostw.exe	175
PID 1312 wrote to memory of 2696	1312	taskhostw.exe	175
PID 1312 wrote to memory of 2180	1312	taskhostw.exe	176
PID 1312 wrote to memory of 2180	1312	taskhostw.exe	176
PID 2696 wrote to memory of 4912	2696	WScript.exe	177
PID 2696 wrote to memory of 4912	2696	WScript.exe	177
PID 4912 wrote to memory of 1340	4912	taskhostw.exe	178
PID 4912 wrote to memory of 1340	4912	taskhostw.exe	178
PID 4912 wrote to memory of 2840	4912	taskhostw.exe	179
PID 4912 wrote to memory of 2840	4912	taskhostw.exe	179
PID 1340 wrote to memory of 540	1340	WScript.exe	180
PID 1340 wrote to memory of 540	1340	WScript.exe	180
PID 540 wrote to memory of 4808	540	taskhostw.exe	181
PID 540 wrote to memory of 4808	540	taskhostw.exe	181
PID 540 wrote to memory of 4868	540	taskhostw.exe	182
PID 540 wrote to memory of 4868	540	taskhostw.exe	182
PID 4808 wrote to memory of 1104	4808	WScript.exe	183
PID 4808 wrote to memory of 1104	4808	WScript.exe	183
PID 1104 wrote to memory of 2092	1104	taskhostw.exe	184
PID 1104 wrote to memory of 2092	1104	taskhostw.exe	184

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c888e1de25b9c34d74509d3ed5a918e1.exe
"C:\Users\Admin\AppData\Local\Temp\c888e1de25b9c34d74509d3ed5a918e1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bfl7XIBvmU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4108
- - C:\Users\Admin\AppData\Local\Temp\c888e1de25b9c34d74509d3ed5a918e1.exe
    "C:\Users\Admin\AppData\Local\Temp\c888e1de25b9c34d74509d3ed5a918e1.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\it-IT\taskhostw.exe
      "C:\Windows\it-IT\taskhostw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bac45db-c6f7-44ac-ac38-d313a86ef394.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c641d11a-7c1e-48a8-ac90-e6852f1b4d01.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62f6ea9d-0d20-429b-8ce9-4bb23be0d0a6.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a589d4c-ae05-4159-9650-34c341bcef39.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e38de89-0f71-4182-9677-a7624cff6452.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91da70fe-d1b3-4274-929b-3e332cb7c791.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\030f6188-cfbe-45aa-9721-5fad6e6351c2.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19e654cb-5547-478c-96c9-60f05f9879bf.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\576b0f01-87c7-475e-9989-c0616e23dd66.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4e745fe-22b2-4cce-9a74-e826f01614d0.vbs"
        23⤵
        
        PID:2092
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d452f69-4f9e-4c8e-805e-2c6adc57f932.vbs"
        25⤵
        
        PID:3552
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9907826-25e3-470f-87bc-a4706c735d32.vbs"
        27⤵
        
        PID:4532
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0465a017-0930-4df5-aa9f-a7d2f870250a.vbs"
        29⤵
        
        PID:4444
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f59f562-68ce-4a38-b8a4-4c05d12fed85.vbs"
        31⤵
        
        PID:3464
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e4a4fbf-419d-4124-b940-111403b346ce.vbs"
        33⤵
        
        PID:3940
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92de793a-da16-4cd2-b217-ec573a4ca554.vbs"
        35⤵
        
        PID:1088
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ea5e33d-5c59-456e-b8bd-6d7dbaf0ab43.vbs"
        37⤵
        
        PID:3952
        
        C:\Windows\it-IT\taskhostw.exe
        
        C:\Windows\it-IT\taskhostw.exe
        38⤵
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\340184d3-4c01-4c3c-8ccc-9b572dd12c70.vbs"
        39⤵
        
        PID:4620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52023bf0-e51b-45a9-bf3c-4cf624455d38.vbs"
        39⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86be7161-5368-4b3a-84a1-e697ed5826ed.vbs"
        37⤵
        
        PID:648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a9ffc9b-b73f-47df-be4b-b66323829683.vbs"
        35⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\509ad3ca-b68e-4dae-a3b7-1de4e405068b.vbs"
        33⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c38c30b0-6c27-4450-b611-b37ddf54b5f5.vbs"
        31⤵
        
        PID:3084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c215d6d5-0112-4fdb-a9fe-5c71371e79cd.vbs"
        29⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\460fba86-6230-4a22-8c5b-42d034606403.vbs"
        27⤵
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88a511cb-eff1-4519-8bc3-fcc6e2fe1401.vbs"
        25⤵
        
        PID:3848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697adac5-d7f7-438e-a32d-3c515b597248.vbs"
        23⤵
        
        PID:3888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\689a2158-470f-4e03-80d0-fd754de3a387.vbs"
        21⤵
        
        PID:4868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a24e2e0-ef24-4b8d-844d-47c14c3165de.vbs"
        19⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4fa74ee-b93d-44c4-81aa-0a38efd355d3.vbs"
        17⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f757a36f-03d7-4ff7-8c04-926b59b543ae.vbs"
        15⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d79ed7a-0288-4f32-9263-892dff9121c1.vbs"
        13⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f853d4f-8cfb-4e1a-b469-37b146a4bcd3.vbs"
        11⤵
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\388865dc-4c66-4f43-9bed-7b43f8eb20af.vbs"
        9⤵
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fa8af0-bddd-44cd-9dc6-45837695f809.vbs"
        7⤵
        
        PID:3608
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb15e2a6-5c68-4ea9-977a-a816c92ecafa.vbs"
        5⤵
        
        PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\3ac54ddf2ad44faa6035cf\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default\NetHood\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\3ac54ddf2ad44faa6035cf\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\3ac54ddf2ad44faa6035cf\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\0154351536fc379faee1\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\0154351536fc379faee1\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\RuntimeBroker.exe

Filesize
885KB

MD5
0b27181ba5271cc0a6ed6ca17a38eb04

SHA1
ef77d5749bf96e17cb0e1c6fd43a5f41ff9bc06c

SHA256
feb6d79f9fb412a0cd5657716dc0aedd220ca02314533517c419a7bf627ceac0

SHA512
99005a03b50336edef4c8dc1f42db7b65d76e7c6b3aa8ea9829204ba0718ad711fcb1a4e1663d06db774211cfd4071f1bff4727c326a27f37e9f4e9f11b57332

Download Submit
C:\0154351536fc379faee1\smss.exe

Filesize
885KB

MD5
2c4e52965f9b52402a4964338307e613

SHA1
561fb4b295bb0584231df547d187c6b8723d7bdc

SHA256
8f0fece651275092607c4956e521313b13f4f4786631e8c76785c9461df9904b

SHA512
0e6a90f93848305ed2b72c7c36573b5d48c669b8f8ffb5e0765e730835c7a95c486e92bdf93feb39efb1b5eb912c287b90d37aa558dac6d6b5cd784260b5f0b8

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
885KB

MD5
99cc6f33fe4d73b553fd2e1800ea517a

SHA1
083fcb79302715b7dfba1ef17b99fa33cbd7d8f5

SHA256
dea9caf9fae9d30e30d10fd5e64a630dc9550d30800b8ff10462b9f8ee5f6e43

SHA512
00efcad1a484e58f0b23fe243132b8315d3928ca72bf0501b8af4e7a7fb805ee940e792f47ad4cc3173f575e8439f968296320ae2d755bd211335aa872529fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c888e1de25b9c34d74509d3ed5a918e1.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\030f6188-cfbe-45aa-9721-5fad6e6351c2.vbs

Filesize
706B

MD5
c86144ec562666a2d5b6214ea14be440

SHA1
35ac26efb5d1cd6d80981ff0971dfa399e20d53b

SHA256
c9123bae3f374ad6a85f909bde870705bb6ee4709977651eb66380cadf300da3

SHA512
b6179875d3ece979eb7d6667904eb8761ab33e2d52492c642afe3da3e05d64bad41be484d665078bb7578e30b7b363782952d65aa7669ea132f9fa45b0bb87b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0465a017-0930-4df5-aa9f-a7d2f870250a.vbs

Filesize
706B

MD5
808b6de88126515b80b97d1aa791cba2

SHA1
e7d24a1af53b70816c69aafa7391c40717e24cd2

SHA256
158f01e919d16968d636fd37b7ec5e2e35c11be22cc52db53a9dbf1c637ee064

SHA512
538f32deddbdd6faba011fd7566001456f3521bc2055504a62edd484d36aba3faa549e5660c72de520d909fb43c0abdc04386545644de02f41a302b5284c315f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e38de89-0f71-4182-9677-a7624cff6452.vbs

Filesize
706B

MD5
a9ec7e11b38b43a90f6236eb0ca6320c

SHA1
0afc2fd75b3f354f5d8dbc89f2716b32a75b2678

SHA256
7052756ea6c2324e5c9df2767049a804c4c19970f1550015d17c0dfaf9a8bf71

SHA512
91eae619b0c7b1748ce21879ba0d4e110c1b5f2edb1c63428eed5deb08c0b9d15d09fa0f071ed2bc0519a7f4cc24b24fd7c6fbad051e96c9a32ddbe3bd69cb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f59f562-68ce-4a38-b8a4-4c05d12fed85.vbs

Filesize
706B

MD5
bbc9908bcfed9f3748523aa0d1860357

SHA1
0d78974dbd75f9a17307c723f7db6a9493d74a44

SHA256
dea8497cb851e287944fa846cb29f3d59d109476ed84f2e5cd1141f5634f22fd

SHA512
c624b330e8560e9f4144e6c6b69ddec6fa2f118dd4a6babe47703066a5d1605400624722a6349a81966af5d788a4c75c6c80031237a3b2253c0f77e2364ad8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\19e654cb-5547-478c-96c9-60f05f9879bf.vbs

Filesize
706B

MD5
ed1c147d072f3ec444c2677d51d28007

SHA1
abb468e4eb94331a26ba1d868fcf0ade4eadcdf9

SHA256
6fba442047d21dc09a2d219601aa98feb1e7cbc4c3354f7b90161c8083bb1066

SHA512
f0273b788e161f686913c46338079ebc1a39621dc8a540afc11d37f7c2c5af527cb2f749159a94974ba822da399b6a8008bad9ea197b66ac2b7e15cf2f00d254

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d452f69-4f9e-4c8e-805e-2c6adc57f932.vbs

Filesize
706B

MD5
97a573ebd12b03d4a4b49e696825ebc2

SHA1
cd20eb6eabf76ecf89a8ebc4570d02a8825e1e2a

SHA256
1f98c3602666bdb135041e0659ad7b6ee047c700544f27ff7a2ece1de2dd2be6

SHA512
f6ad18595c49192bdd0ca480ce92bcddd0014dd82fee4aa567cde960fe7b6e86eb0a3fade2d9ad376842de4a6202f84b0cd47555e662be600a605a1af09e6966

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bac45db-c6f7-44ac-ac38-d313a86ef394.vbs

Filesize
706B

MD5
b4b0ca8f93623551634028da571d9d81

SHA1
2d867e7016642af457540338a7b941ccf9f60043

SHA256
77b8a069ad4f0aa577a9ef4d6c37b4cf35c254fe3e4ed9fcdfe09c4f7b10826b

SHA512
65d7ce64397bfc95566549e6e4847a4b4bc3af6933fcdf019367714175429c818710e148bf9c4ba2798fdffeef26fb5a80c27882d02cdccadf61d1ea0a0d09c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\576b0f01-87c7-475e-9989-c0616e23dd66.vbs

Filesize
705B

MD5
e31de877f9cbf8d910d667f1b6e1b414

SHA1
9e3ad229f63253114ff3db01b25b0074b53c1f46

SHA256
f06d3814d6221847de10125ccb18e9b31d5f7d83cd45a26101d25dbc98b931af

SHA512
7805d31ed6e413014040625e26af69a8664d679513753e58f77f7a77a810a932735bf85820491270df67ee9ab392f0eda7fe227fd5e1be2117868b7ff3927a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\62f6ea9d-0d20-429b-8ce9-4bb23be0d0a6.vbs

Filesize
706B

MD5
3e948d59bf6faad41112d82c9a42a40c

SHA1
a15b11a5622431190b756aaa8bf2ea8b71e8b104

SHA256
a8ca8bf18eb6a1d2805108313cc384c7bcda66a8451d85447baa16adf19cd391

SHA512
fa62f2e1710db5a628e57ca9845caacfb090a9f4fac17d5fba3cf017acc4531cbbf421c0bc244434eb0af8daf57911bc436bcc4a71382103314093bf991b35bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a589d4c-ae05-4159-9650-34c341bcef39.vbs

Filesize
705B

MD5
ad843425f06ad54f46520261ac39d90e

SHA1
eea49b0ed49b454fb27c15f866551f35817fe0fd

SHA256
b804eb25859f86dc1238e62de3d6b70ffad529da44bafbd03e39efa38a9fc273

SHA512
ada00d7ccf55e04d78381790364befd49d7abd44bd8f115c31daef3ca5706574abf91806faef74308aaf9fd3e2aafa45209b32a5b09e9e9b2dbff89b6e248b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e4a4fbf-419d-4124-b940-111403b346ce.vbs

Filesize
705B

MD5
00dd075a70f85de54e4ebecfd4ba2681

SHA1
9a9552b1bbffe3e2a82efe789fb3d0afc983c01f

SHA256
48b3fb575dd90ce3db24ac709665f0045023585556e541e99eb87eab2977be9e

SHA512
87b212993e12903c2c898b62ea63c6c817a6767ad9558971dd2c2747bec413202812d29c5f3a361331b55c591a24cea6bee5cd31d1be19085bd720248487b2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\91da70fe-d1b3-4274-929b-3e332cb7c791.vbs

Filesize
706B

MD5
f7980e3190e44e1d462182edb85b2e2d

SHA1
be663cce370526f9cca908d3a478179d63dc64cd

SHA256
c958e97553261e141c9215bd46c771d1b249adedce771ab27a08347c6a07ae20

SHA512
ae3f3d0074426394fd66fcf4d3a7a7dc0f10e2fb218144973a06618cbef0d197619003643cdcb9457ee3869069b67ccc04c7abde3e5b4b9d5ca3ab95d8073af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bfl7XIBvmU.bat

Filesize
235B

MD5
a78097f687f393cdc09ff34e1c42e8ec

SHA1
d302bbc0c85d2cd3e875d4ab1ba0c02081278660

SHA256
6e59031bd064d0929873486668da196339ad5df64a8185f43125c2669cb8ec8a

SHA512
6dffa11fe252bb4dfbb724de1c380a1432432616db2c819fbe3bc7c7ba06aa935e75749e17dc3bbe99f3a79828ba31c2e8002459f10eb5ef201bf767e7bdabdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX8F50.tmp

Filesize
885KB

MD5
c888e1de25b9c34d74509d3ed5a918e1

SHA1
61c0aa0c64a7142e1a7e1682993c97b72fc8deb3

SHA256
8cdc21ccbff31e8798a3581282fdb5007c33042221a3d2d64e6ce767e936b930

SHA512
eca2875bda3c49425b803cd2b21ef79cc0e693c32f3f8808148bff03670408b6eb561b9dd50de41eeb26008f294e492ab171c6afe97c50f9e51c2afb3187452c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb15e2a6-5c68-4ea9-977a-a816c92ecafa.vbs

Filesize
482B

MD5
844484da599d8856205e9c22137eb0e4

SHA1
89e9e5800382a985c49b49124f51a1b66f7597f4

SHA256
dd7f1ef8af4223c7d9f3cf958746f463821c291d5334046b14cade3ddfd42a13

SHA512
e24912f08fb2210678467ec370aed3d2ef725d1ea575a1ecebb50b0fb8514d3ae21351b6681e4dfe895c7680d3836a101d841e14e3f8c581244fff984c7a4d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4e745fe-22b2-4cce-9a74-e826f01614d0.vbs

Filesize
706B

MD5
0baa517c3c41a69dad894d39310628be

SHA1
4183e56cb3245a61e9a2b0a32dd6042ef4520531

SHA256
44eaea1e87fa00837646a5774fd2d067211675871c3b33df7aaf4789436d23b1

SHA512
be20a06ed41f243c001f4a4bcd0198967b48022582e8c323d26fb890bc7bed35ab931aa9ec703505eb9dab73cf49d3d2d57775d29fb2faa32cef4ecfccf9f2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\c641d11a-7c1e-48a8-ac90-e6852f1b4d01.vbs

Filesize
706B

MD5
9fa99f86cb385da99dc1f5748a675ce4

SHA1
c937583e927617158c7109d26c3b7e28052e9ee7

SHA256
3807285dac74af30d08b3fe8a47acb9bb9063bdd32babee958d24836d9849d50

SHA512
923cf71f2bf6077cdba8d138030bfffe67fb7d54a3734fb736bdeb10fccdad1090ed6b2629000c239d25829a8d6ebf1b3f5485c21e3d1ef6bc47e1b0b6a5da86

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9907826-25e3-470f-87bc-a4706c735d32.vbs

Filesize
706B

MD5
728c71a1602b037bf1374a6f6a413615

SHA1
9af931a2d632497d195262d032d0fcb9f54fd49d

SHA256
4d43113510d52e4a1cdb019d9fd82c8a5859a48d7a66d2a9f7ee8278d91dc2ef

SHA512
2787c8f4a962fa35c222b1505b88d9e54bb3e8af7ff87069bae1b2439a892c676393fbe064c9aba1523e2c272394d96970ce3325998d89efcb20b7ceba87a2c5

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\WaaSMedicAgent.exe

Filesize
885KB

MD5
59532bd269e2d4f58b517eb4421158fe

SHA1
ac9a502f97ef276674bd60a75a04a78389533c23

SHA256
7ab89c952d3112e85158d1254e7bf7a5fa39c3883f91c67227d0cf2725f914da

SHA512
62673bcb5ff4d6401ac3afef4b84577c18f1f16a8c7a470679d66a5875b529875a6673a001cfc13a90d623aae5f90cfd7f188a0cb7b4ce4a9df55e6c4a243621

Download Submit
memory/852-3-0x00000000008D0000-0x00000000008EC000-memory.dmp

Filesize
112KB

Download
memory/852-5-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/852-6-0x0000000002370000-0x0000000002386000-memory.dmp

Filesize
88KB

Download
memory/852-0-0x00007FFF87243000-0x00007FFF87245000-memory.dmp

Filesize
8KB

Download
memory/852-4-0x000000001ADC0000-0x000000001AE10000-memory.dmp

Filesize
320KB

Download
memory/852-60-0x00007FFF87240000-0x00007FFF87D01000-memory.dmp

Filesize
10.8MB

Download
memory/852-2-0x00007FFF87240000-0x00007FFF87D01000-memory.dmp

Filesize
10.8MB

Download
memory/852-7-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/852-1-0x0000000000030000-0x0000000000114000-memory.dmp

Filesize
912KB

Download
memory/852-8-0x0000000002390000-0x000000000239E000-memory.dmp

Filesize
56KB

Download
memory/852-9-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/852-10-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download