dcrat | 35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9684b8aa290d6ff1b647323a6d35f5.exe
Size

885KB
MD5

fa9684b8aa290d6ff1b647323a6d35f5
SHA1

eaa2e4dec8b464bb28620701b1be6e43c213e353
SHA256

c9fe3fb036b54f47621312aa2237e9b9038c52f1b089c3c5fa047d4d7e5d7eca
SHA512

7f47d4b4b51fdf860ed53cd9710a72898fe14200904542d7a7ec8e0c6c2b617ee094307b061d8cb951c0966a66779e5bfda9a60d9782055b17e2005adcadf1ca
SSDEEP

12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6040	5584	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	5584	schtasks.exe	88

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3312-1-0x0000000000030000-0x0000000000114000-memory.dmp	dcrat
behavioral2/files/0x0007000000024279-19.dat	dcrat
behavioral2/files/0x00070000000242a6-81.dat	dcrat
behavioral2/files/0x000d0000000227cb-135.dat	dcrat
behavioral2/files/0x0009000000024285-156.dat	dcrat
behavioral2/files/0x000f000000024272-177.dat	dcrat
behavioral2/files/0x000f000000024099-218.dat	dcrat
behavioral2/memory/224-254-0x00000000007D0000-0x00000000008B4000-memory.dmp	dcrat
behavioral2/files/0x00070000000242a6-419.dat	dcrat
behavioral2/files/0x00070000000242a9-423.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	fa9684b8aa290d6ff1b647323a6d35f5.exe

Executes dropped EXE 14 IoCs

pid	Process
224	fa9684b8aa290d6ff1b647323a6d35f5.exe
4404	fa9684b8aa290d6ff1b647323a6d35f5.exe
3720	fa9684b8aa290d6ff1b647323a6d35f5.exe
392	fa9684b8aa290d6ff1b647323a6d35f5.exe
5968	fa9684b8aa290d6ff1b647323a6d35f5.exe
3600	fa9684b8aa290d6ff1b647323a6d35f5.exe
1008	fa9684b8aa290d6ff1b647323a6d35f5.exe
2296	fa9684b8aa290d6ff1b647323a6d35f5.exe
5540	fa9684b8aa290d6ff1b647323a6d35f5.exe
464	fa9684b8aa290d6ff1b647323a6d35f5.exe
920	fa9684b8aa290d6ff1b647323a6d35f5.exe
5732	fa9684b8aa290d6ff1b647323a6d35f5.exe
2632	fa9684b8aa290d6ff1b647323a6d35f5.exe
5848	fa9684b8aa290d6ff1b647323a6d35f5.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX80A8.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Windows Portable Devices\16ab002226f784	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\winlogon.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Common Files\ea9f0e6c9e2dcd	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX8196.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX81A9.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Common Files\taskhostw.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files\7-Zip\Lang\16ab002226f784	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX7DE0.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX7E5F.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX7E96.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX8197.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX8198.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\fa9684b8aa290d6ff1b647323a6d35f5.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files\7-Zip\Lang\fa9684b8aa290d6ff1b647323a6d35f5.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX7DDF.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX7DE1.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX80B9.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\16ab002226f784	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\cc11b995f2a76d	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\9e8d7a4ca61bd9	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX7F14.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wlanui.resources_31bf3856ad364e35_10.0.19041.1_de-de_3e4feffac766a470\backgroundTaskHost.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	fa9684b8aa290d6ff1b647323a6d35f5.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5572	schtasks.exe
4724	schtasks.exe
4800	schtasks.exe
4928	schtasks.exe
5364	schtasks.exe
4848	schtasks.exe
4652	schtasks.exe
4412	schtasks.exe
2240	schtasks.exe
4836	schtasks.exe
4352	schtasks.exe
4756	schtasks.exe
3604	schtasks.exe
1212	schtasks.exe
4168	schtasks.exe
3196	schtasks.exe
4680	schtasks.exe
4480	schtasks.exe
1204	schtasks.exe
1724	schtasks.exe
1364	schtasks.exe
4628	schtasks.exe
4220	schtasks.exe
5812	schtasks.exe
4380	schtasks.exe
2340	schtasks.exe
4612	schtasks.exe
3672	schtasks.exe
5296	schtasks.exe
2056	schtasks.exe
1268	schtasks.exe
3872	schtasks.exe
4500	schtasks.exe
3464	schtasks.exe
1696	schtasks.exe
964	schtasks.exe
4332	schtasks.exe
1088	schtasks.exe
2280	schtasks.exe
4916	schtasks.exe
4908	schtasks.exe
4404	schtasks.exe
5596	schtasks.exe
2876	schtasks.exe
3468	schtasks.exe
4992	schtasks.exe
3804	schtasks.exe
5956	schtasks.exe
5952	schtasks.exe
1512	schtasks.exe
6040	schtasks.exe
4824	schtasks.exe
4632	schtasks.exe
3612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
224	fa9684b8aa290d6ff1b647323a6d35f5.exe
4404	fa9684b8aa290d6ff1b647323a6d35f5.exe
3720	fa9684b8aa290d6ff1b647323a6d35f5.exe
392	fa9684b8aa290d6ff1b647323a6d35f5.exe
392	fa9684b8aa290d6ff1b647323a6d35f5.exe
5968	fa9684b8aa290d6ff1b647323a6d35f5.exe
3600	fa9684b8aa290d6ff1b647323a6d35f5.exe
1008	fa9684b8aa290d6ff1b647323a6d35f5.exe
1008	fa9684b8aa290d6ff1b647323a6d35f5.exe
2296	fa9684b8aa290d6ff1b647323a6d35f5.exe
5540	fa9684b8aa290d6ff1b647323a6d35f5.exe
464	fa9684b8aa290d6ff1b647323a6d35f5.exe
920	fa9684b8aa290d6ff1b647323a6d35f5.exe
5732	fa9684b8aa290d6ff1b647323a6d35f5.exe
2632	fa9684b8aa290d6ff1b647323a6d35f5.exe
5848	fa9684b8aa290d6ff1b647323a6d35f5.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3312	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	224	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	4404	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	3720	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	392	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	5968	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	3600	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	1008	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	2296	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	5540	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	464	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	920	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	5732	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	2632	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	5848	fa9684b8aa290d6ff1b647323a6d35f5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 2004	3312	fa9684b8aa290d6ff1b647323a6d35f5.exe	145
PID 3312 wrote to memory of 2004	3312	fa9684b8aa290d6ff1b647323a6d35f5.exe	145
PID 2004 wrote to memory of 4544	2004	cmd.exe	147
PID 2004 wrote to memory of 4544	2004	cmd.exe	147
PID 2004 wrote to memory of 224	2004	cmd.exe	150
PID 2004 wrote to memory of 224	2004	cmd.exe	150
PID 224 wrote to memory of 4468	224	fa9684b8aa290d6ff1b647323a6d35f5.exe	151
PID 224 wrote to memory of 4468	224	fa9684b8aa290d6ff1b647323a6d35f5.exe	151
PID 224 wrote to memory of 2576	224	fa9684b8aa290d6ff1b647323a6d35f5.exe	152
PID 224 wrote to memory of 2576	224	fa9684b8aa290d6ff1b647323a6d35f5.exe	152
PID 4468 wrote to memory of 4404	4468	WScript.exe	155
PID 4468 wrote to memory of 4404	4468	WScript.exe	155
PID 4404 wrote to memory of 4828	4404	fa9684b8aa290d6ff1b647323a6d35f5.exe	156
PID 4404 wrote to memory of 4828	4404	fa9684b8aa290d6ff1b647323a6d35f5.exe	156
PID 4404 wrote to memory of 4692	4404	fa9684b8aa290d6ff1b647323a6d35f5.exe	157
PID 4404 wrote to memory of 4692	4404	fa9684b8aa290d6ff1b647323a6d35f5.exe	157
PID 4828 wrote to memory of 3720	4828	WScript.exe	158
PID 4828 wrote to memory of 3720	4828	WScript.exe	158
PID 3720 wrote to memory of 4800	3720	fa9684b8aa290d6ff1b647323a6d35f5.exe	159
PID 3720 wrote to memory of 4800	3720	fa9684b8aa290d6ff1b647323a6d35f5.exe	159
PID 3720 wrote to memory of 2008	3720	fa9684b8aa290d6ff1b647323a6d35f5.exe	160
PID 3720 wrote to memory of 2008	3720	fa9684b8aa290d6ff1b647323a6d35f5.exe	160
PID 4800 wrote to memory of 392	4800	WScript.exe	164
PID 4800 wrote to memory of 392	4800	WScript.exe	164
PID 392 wrote to memory of 4556	392	fa9684b8aa290d6ff1b647323a6d35f5.exe	167
PID 392 wrote to memory of 4556	392	fa9684b8aa290d6ff1b647323a6d35f5.exe	167
PID 392 wrote to memory of 3932	392	fa9684b8aa290d6ff1b647323a6d35f5.exe	168
PID 392 wrote to memory of 3932	392	fa9684b8aa290d6ff1b647323a6d35f5.exe	168
PID 4556 wrote to memory of 5968	4556	WScript.exe	172
PID 4556 wrote to memory of 5968	4556	WScript.exe	172
PID 5968 wrote to memory of 3740	5968	fa9684b8aa290d6ff1b647323a6d35f5.exe	173
PID 5968 wrote to memory of 3740	5968	fa9684b8aa290d6ff1b647323a6d35f5.exe	173
PID 5968 wrote to memory of 4024	5968	fa9684b8aa290d6ff1b647323a6d35f5.exe	174
PID 5968 wrote to memory of 4024	5968	fa9684b8aa290d6ff1b647323a6d35f5.exe	174
PID 3740 wrote to memory of 3600	3740	WScript.exe	175
PID 3740 wrote to memory of 3600	3740	WScript.exe	175
PID 3600 wrote to memory of 3428	3600	fa9684b8aa290d6ff1b647323a6d35f5.exe	176
PID 3600 wrote to memory of 3428	3600	fa9684b8aa290d6ff1b647323a6d35f5.exe	176
PID 3600 wrote to memory of 3792	3600	fa9684b8aa290d6ff1b647323a6d35f5.exe	177
PID 3600 wrote to memory of 3792	3600	fa9684b8aa290d6ff1b647323a6d35f5.exe	177
PID 3428 wrote to memory of 1008	3428	WScript.exe	178
PID 3428 wrote to memory of 1008	3428	WScript.exe	178
PID 1008 wrote to memory of 5344	1008	fa9684b8aa290d6ff1b647323a6d35f5.exe	179
PID 1008 wrote to memory of 5344	1008	fa9684b8aa290d6ff1b647323a6d35f5.exe	179
PID 1008 wrote to memory of 3272	1008	fa9684b8aa290d6ff1b647323a6d35f5.exe	180
PID 1008 wrote to memory of 3272	1008	fa9684b8aa290d6ff1b647323a6d35f5.exe	180
PID 5344 wrote to memory of 2296	5344	WScript.exe	181
PID 5344 wrote to memory of 2296	5344	WScript.exe	181
PID 2296 wrote to memory of 4728	2296	fa9684b8aa290d6ff1b647323a6d35f5.exe	182
PID 2296 wrote to memory of 4728	2296	fa9684b8aa290d6ff1b647323a6d35f5.exe	182
PID 2296 wrote to memory of 4580	2296	fa9684b8aa290d6ff1b647323a6d35f5.exe	183
PID 2296 wrote to memory of 4580	2296	fa9684b8aa290d6ff1b647323a6d35f5.exe	183
PID 4728 wrote to memory of 5540	4728	WScript.exe	185
PID 4728 wrote to memory of 5540	4728	WScript.exe	185
PID 5540 wrote to memory of 2604	5540	fa9684b8aa290d6ff1b647323a6d35f5.exe	186
PID 5540 wrote to memory of 2604	5540	fa9684b8aa290d6ff1b647323a6d35f5.exe	186
PID 5540 wrote to memory of 3756	5540	fa9684b8aa290d6ff1b647323a6d35f5.exe	187
PID 5540 wrote to memory of 3756	5540	fa9684b8aa290d6ff1b647323a6d35f5.exe	187
PID 2604 wrote to memory of 464	2604	WScript.exe	188
PID 2604 wrote to memory of 464	2604	WScript.exe	188
PID 464 wrote to memory of 2996	464	fa9684b8aa290d6ff1b647323a6d35f5.exe	189
PID 464 wrote to memory of 2996	464	fa9684b8aa290d6ff1b647323a6d35f5.exe	189
PID 464 wrote to memory of 1340	464	fa9684b8aa290d6ff1b647323a6d35f5.exe	190
PID 464 wrote to memory of 1340	464	fa9684b8aa290d6ff1b647323a6d35f5.exe	190

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fa9684b8aa290d6ff1b647323a6d35f5.exe
"C:\Users\Admin\AppData\Local\Temp\fa9684b8aa290d6ff1b647323a6d35f5.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sEB9lezSNh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4544
- - C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
    "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87a0a726-1580-44df-a414-54cb449978d8.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be15d8b3-4224-4013-b84e-cbeaa41ff445.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f59e14c4-002a-4c8d-9ef1-62ca1d9ea7c1.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\781737cc-a79d-4b92-ae83-c821fde6d074.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef9d85bc-cfbe-4c8e-8122-2c0dfed56244.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a18b842b-612f-4e60-bb81-e2c80078949e.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f77631d6-e6cb-42e2-a4fa-f232ee9796da.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5344
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddf0d0bf-89d8-46d5-857d-d667fcd1cde9.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1262c4ff-2442-497e-8e38-af701c4d6541.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1257fec8-88b3-40ac-b9f2-112cf5ecb709.vbs"
        22⤵
        
        PID:2996
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8160656a-e369-4302-94a8-c17ce5349857.vbs"
        24⤵
        
        PID:3052
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11feb119-ecdb-479f-accb-b4401584e359.vbs"
        26⤵
        
        PID:3384
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b367ec3d-072e-4f3b-bedb-acec60748f6d.vbs"
        28⤵
        
        PID:3152
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f29fdf7c-b0c7-47b1-b882-056381a8b99c.vbs"
        30⤵
        
        PID:5220
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        31⤵
        
        PID:5928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6caaa8e-534c-4284-b30e-40073b0f1df8.vbs"
        32⤵
        
        PID:4128
        
        C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe"
        33⤵
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\460325d4-0872-4f4d-8ae8-f38240de0811.vbs"
        34⤵
        
        PID:4628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11afee79-39b7-4076-831e-e2f2d3bcbdab.vbs"
        34⤵
        
        PID:5328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\807f3cbe-e62a-47d0-825d-a76e89071079.vbs"
        32⤵
        
        PID:5324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa4cb203-00c0-4230-a6ab-45461b30b461.vbs"
        30⤵
        
        PID:4752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d25c972-5367-4f9c-a69a-6bd27ddce278.vbs"
        28⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2f3b36a-72b1-40ff-b4d6-399efcb222aa.vbs"
        26⤵
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c1601e2-17b7-4b9c-972b-6cbcc1c4024d.vbs"
        24⤵
        
        PID:5352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af4d5365-1230-4fd2-8fb9-a2200db67317.vbs"
        22⤵
        
        PID:1340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e9734bd-1260-4558-b795-f70e06781222.vbs"
        20⤵
        
        PID:3756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73354353-067e-428f-97f5-605e69dd5efd.vbs"
        18⤵
        
        PID:4580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a80e1838-2c9e-4f8d-b1dc-a0ad8cca7c46.vbs"
        16⤵
        
        PID:3272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\027a9003-a1c9-4d99-91d7-03b172fb18ee.vbs"
        14⤵
        
        PID:3792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e601afe-fa59-49a7-9566-e3d01927f887.vbs"
        12⤵
        
        PID:4024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c314cdb4-4125-40b0-9bd8-89dcc4426206.vbs"
        10⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\534e6959-3c0c-40d9-b6ca-449364691aa0.vbs"
        8⤵
        
        PID:2008
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00841ffe-64c0-4565-8d41-d0cc52ecea4e.vbs"
        6⤵
        
        PID:4692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5acd7555-f3c3-44a6-b378-b5b47d2a169e.vbs"
      4⤵
      PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5f" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5f" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5f" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5f" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\aff403968f1bfcc42131676322798b50\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\aff403968f1bfcc42131676322798b50\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\aff403968f1bfcc42131676322798b50\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\f9532e701a889cdd91b8\Registry.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5f" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fa9684b8aa290d6ff1b647323a6d35f5f" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\fa9684b8aa290d6ff1b647323a6d35f5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\it-IT\winlogon.exe

Filesize
885KB

MD5
053b6346496ee3e875fb646a9cbffaa8

SHA1
71c4cb874021cb9b1a928879d1b7ce8a4c9e1d78

SHA256
04422034dad4eb10adc3fcf2ed3edc2292c206dc8ed6bdb94ef20b656123f03f

SHA512
e3f00b15312cdef691818c384ad085d2d647c779bf549595a6bd2fce3e5f311235f639a33bc6a2450e5e9e7eec04945e2608231ff781a505ae2c7b48ade30618

Download Submit
C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe

Filesize
655KB

MD5
09760265fa44692c9b66f608d50f8e0b

SHA1
9208858e67bc31fff262b00d23bf34885fcdf9da

SHA256
41c66f23c4f4f674bf6dbff0525032cc094f3c1d928f12708e6faa51d4613890

SHA512
c67eced0e39775a9739a5756938c4b5f64ced7cba4fe348f40bbff89527c344301d921ddc260c2c939e7b77edd30e035559077581f74bf72111189bfeccfc66a

Download Submit
C:\Program Files (x86)\Windows Portable Devices\fa9684b8aa290d6ff1b647323a6d35f5.exe

Filesize
885KB

MD5
4eca47fbf2e34143c2ebbb3b5100238c

SHA1
adb23234f4af8e74795db5ddfb2d2ce1d965ff48

SHA256
852137d59296517eadc38168bf075e568e734022e5f0d089f31a9cc06a521499

SHA512
01cc1db3846c06d94155791f1b0ee6729da5176d4fa2a89ea94537eecbd133802d034d8c261c4484f0c9e46855496c0f3087c08b7ab380420560e6808822244d

Download Submit
C:\Recovery\WindowsRE\taskhostw.exe

Filesize
885KB

MD5
f099555062cf3aaa17ed3d1ac9040aa5

SHA1
4c0925976010d5c55afaa62d6f8f0968c75adb44

SHA256
7dfe6a119bed6f1e76da94934f6e6b8b7c42ff1ba8bd64b4b15aa27d43f5e3e6

SHA512
219134f76754aad7678d17fec30ce9923e9e7e5afbc3966fdbde338b66bc69cd2fdc98b2eeed9819517da3f36a8b05c52ac2746817ad19bde31c46cd7118b5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fa9684b8aa290d6ff1b647323a6d35f5.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\11feb119-ecdb-479f-accb-b4401584e359.vbs

Filesize
760B

MD5
de760c9b33a73ee45c18ba2b520b822c

SHA1
f93618ac85f85f04c4a9f5fbafc2df70119e1f05

SHA256
2e8134a8083ef4f50bbba7df21813abcd15c487dc36ed2f2c9622cd5b1e50b1d

SHA512
0aba4122f0270bc84de6eb78c909b323dc76c58e670abe3360ec256da576d70670fedc5d30a6f1cf4ec1e1264a73be18c146b009e010e575420aec16abd8becf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1257fec8-88b3-40ac-b9f2-112cf5ecb709.vbs

Filesize
759B

MD5
107a332dd48cb87e9fb4530c15b4ff88

SHA1
97a807c3caf2c4e8bd46e506884426bb7066d815

SHA256
423e5ebb05a43ab5a9a802c73c6562d50923503c660459c63bb404e6b67dc46e

SHA512
5183528349cb0457358a48ace8e4c77da32ba01aa710e29a7ad90967b314b7f1b1cc7147c78286f2b9de3071c517fb67f5579aa098e3fff1bac4e0f2cc0812ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1262c4ff-2442-497e-8e38-af701c4d6541.vbs

Filesize
760B

MD5
1b591dcb8d6d18d0c88402d1899ff153

SHA1
d9cc0a67a9747b1126ead554ab71bed4e509ca41

SHA256
3eb1d45f8bdb84683edee27e1abed223cfb2580783afcf08e57ce99f35e211d7

SHA512
16b3a7bac9c991e428081aab96d960054edb02123d910bf21a979905d77cdc03aa24f73d3487cc55b07b4e5277837b928f093131f8b587dbc8126c03c82d8b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\5acd7555-f3c3-44a6-b378-b5b47d2a169e.vbs

Filesize
536B

MD5
aab80ecf0b799975ed87d67a0a22b46d

SHA1
de45635bfa28fc27a298aa2d3ba91c27e070abb6

SHA256
49e0c93f0fa73e1ec2c6f172929c3d264524036780721579e11fc302f87c489d

SHA512
593c68a55056064555bf34d37fc08cad8d2dc3c31b14c6e284c591068467a8c1f3bf76bf6fc4978b0b79b3514d8c5ca95b5f7c45efcec121e00b39e313778294

Download Submit
C:\Users\Admin\AppData\Local\Temp\781737cc-a79d-4b92-ae83-c821fde6d074.vbs

Filesize
759B

MD5
a7afef595de8ac713c6e75033bb0d5f6

SHA1
3210323630e206d524f4558291c0cea2575c9f78

SHA256
acc834769065dbeceec95a289c9158181f992920a9ea080ebf9677dc650b7cf6

SHA512
5199a51fc4973e9b201a07a68c566f50013e21f7667149f272a898e781f37dbaf3ffae186d34ad3f95f8f25bc1f8def70d992e59ce9d69fa1cbc04f76f8ce445

Download Submit
C:\Users\Admin\AppData\Local\Temp\8160656a-e369-4302-94a8-c17ce5349857.vbs

Filesize
759B

MD5
af2e27c24801c566583ebb3fb5d5fc7e

SHA1
9740d08469f7ce043bdaae635b5c772c44dbf83c

SHA256
1ffcf0769302522a1cd8cc32d24290bfe2a0fb148b8aecc00e39fec55124879c

SHA512
63c2904ee94dfbcce4c547baed801e9dfc811cea193c3b2fcf8a10b975e7948653e865310eb3e635ae2b6bae1e6d81d31f3430aaa604da5be289b85b740e0a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\87a0a726-1580-44df-a414-54cb449978d8.vbs

Filesize
759B

MD5
80973bacc1397291383bf94e37e06f05

SHA1
fe3d8a6cef79a53b7b33dde339ce50fc146ab750

SHA256
53600a75473da27df582fd9e0c5e4bfa218b0835c11933bfd25950d9d50f4e7b

SHA512
8bf50b131a5e250d5da5df435ead248b68c0c79e996597f16381467af37a6d33da620cb0ca9459f508440cc88adc515e4223acd33b32bd9e0b25e01122d7f418

Download Submit
C:\Users\Admin\AppData\Local\Temp\a18b842b-612f-4e60-bb81-e2c80078949e.vbs

Filesize
760B

MD5
85ebf0147f3d036851427a8f87a353c3

SHA1
41231a5b1e551a906adee971c027a49653995f88

SHA256
29af33a515ee8aaca533261bbed9fd023bd2f4e1f197ed19810558fe080b1dcc

SHA512
e7ada530d53557f729718a91eda37a03484f0fa694976fbeddd7035846ec47e74e1adc3774381b1113c25c1e5567c3fb9822213a07b4986077aca927dd079db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6caaa8e-534c-4284-b30e-40073b0f1df8.vbs

Filesize
760B

MD5
af8064d82f60b0167514ae2f90b440c6

SHA1
a2ebcf18d656244d82eec778196d0e14738ff7fd

SHA256
a2cda7c5fbfd8dfc9eec90bde2d6f306757563bc3d410d3c98c627e929be7e71

SHA512
bd8701ed3871e0106b5d906c51b555fbc093410b9fc1bcee8c7441a2bc0ab0318ad130e675dc1a8d1907818e76f5f5f3c10060f1a68dd49e69184891c2417bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\b367ec3d-072e-4f3b-bedb-acec60748f6d.vbs

Filesize
760B

MD5
c680c5fa6fcc6ddb13ad7b9e61c7e5b2

SHA1
b138bc4481b900884e61f433016e494a88ecea0a

SHA256
3e330c4e5de63d2543d6caa69a54dcaa1d9ab7943930f2fe6582fc55baefd698

SHA512
0569f33d679635dcc9497e4eb64f4989ca878a9b31bf92cce3e6b9278256f78e9c8ca7d69fbb6e6deeabde1f424acb97809be20be49283d2a14d6891c79114b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\be15d8b3-4224-4013-b84e-cbeaa41ff445.vbs

Filesize
760B

MD5
793cd6bd1330270862aff2e9a491b98a

SHA1
7bc586d5258fe25fb2bc439c874f419d22317b69

SHA256
c052de6f18d4a72003e189a00a960224c92e433b82fb8ef93e58e8b1722aa39d

SHA512
3c0ebe56f72d6a825a44767913748f381ea61a6e593936003b625c3044a143c463efa122e1aad9554c12bced0bb3ae94709b35ed9c1fb83afe1a2de439bf267f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d97aaef5ec674872b25e0e00f0306155c15a7d13.exe

Filesize
143KB

MD5
1f72fdf0fa849b2ba178dd012859924c

SHA1
73e9dfe8d9cc5cb3cb8ca984c4a6eca39a1d31d3

SHA256
59200316dbcd8b7b91e05feaf7febbc2a2fe4897040283d3896d21282a6a5b0c

SHA512
28b30439ab70bd098e8862ca82661583bf15030507e150dfafedd86d5d2c3e23c70741c04b79e448c52d8d4354e40dc292b7bb11d0070342c624fe4fca67db84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddf0d0bf-89d8-46d5-857d-d667fcd1cde9.vbs

Filesize
760B

MD5
d1dc7a3503c8684d3d22c4b4739c7ef8

SHA1
2fff1198abbc1a77a659dc99a3262b26390d06bb

SHA256
0727744ef581ea9bd6cfc9140b5a0ffbc5353bf28f93fa60deb9b8559cb645cd

SHA512
6116558527a305151997f5d53500d95053fdc189995b525517db843d829c49fc1a141f5a95e19c146ed57c1424264f6e0ba176056a0ed06c1e01585dd92e1cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef9d85bc-cfbe-4c8e-8122-2c0dfed56244.vbs

Filesize
760B

MD5
e65fa28e005be00fc3a1ee4191e2ae1b

SHA1
c11718be4858fbf6a449005c73b81b66c7fbcca0

SHA256
06a01e61e1226d4dda09f340cea3aefebb8a204dacbfe99769e0fb596a0c3457

SHA512
5741dce006c5908cbb362fb5680ffde7389b4279ddb0a897edabcc5b54d14724c3ef481cfb0f8ffb39269c4a7de56ddc8dfa8903098caeeea25bda9068515e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\f29fdf7c-b0c7-47b1-b882-056381a8b99c.vbs

Filesize
760B

MD5
9d2f19899a2467141798cb47f8d0f9eb

SHA1
a16c18ad80967a04571809addd23591e30844d4b

SHA256
ac67e43a44f3f3dce3cf411aedd8534dc9ee73793718674ed80669cc385be8ea

SHA512
1a0548f04498138494df25cc8e1b9e7c851fee51a24be43a7ace99e0491ac8a8c8ddf48e0ca1e6cf6db6a2f14386f3575a7574a0d9982a1dd54cae2fe8450628

Download Submit
C:\Users\Admin\AppData\Local\Temp\f59e14c4-002a-4c8d-9ef1-62ca1d9ea7c1.vbs

Filesize
760B

MD5
25fba3c87f74dabbf3eaa35bf286335c

SHA1
e65053eb18f185f4007fb35b005e83dcdd1eec3f

SHA256
c7c0e47b8ff7e6fc81a02006db291b1f450158b2a78e11b786b7d1b5a0b3d7d4

SHA512
99f918dd2ea0775f3a737fe1596a6b426591d057a49e462d77229d9861bad6e7f81f47c588e7e459848ac0f0a7ef30648fdb3af2003ed8edc3698d50c498012d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f77631d6-e6cb-42e2-a4fa-f232ee9796da.vbs

Filesize
760B

MD5
e6df53b0350eda32098e6da93a204cd2

SHA1
7b0979a8080b28c4ffe2b7e01473d56a3634dfc4

SHA256
97e4d7685e03f72c39318a0241e4d810c6d9c147dd771a27624821f6bb290a0e

SHA512
0f7b18f0a6788a3b2c4a701e7fa0672835807680e4d7c4b4cc23f5eea489b89fe3acb3cb98a887c8b784762e3312f79a569915a75dae162f7e765b8262523872

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEB9lezSNh.bat

Filesize
249B

MD5
f55a75368efe8a3cdfd33d9fd2694739

SHA1
22d6d9f079701c20a440330876a2fe234f2888f8

SHA256
51963d6d85a8d9eec8f94f1c03985d1fcc038459835554d05518e707e570ca51

SHA512
d966430d97a77762c3300c0fec136cb22000d73ea136689bd3fe821fb3e3eebffdf43d6366e9d33f4e09187f9a6e3eb5d573fd6fb8905e38a35e4fc7a9cea291

Download Submit
C:\aff403968f1bfcc42131676322798b50\Idle.exe

Filesize
885KB

MD5
0e5e7c5ce6fa4007606e0cdbfb25cf64

SHA1
fc8ab9a3c81207dd254cad16a84bbd4700306221

SHA256
72b884342d23ca611a4a28e4b177da3e9b0f52480f346c9516088a9e16a95e10

SHA512
b180119195e66eec1c765f3cb6a6dc20b71232630e02465b5dddb47af684bae0f7aa33bf15f4a2c740a72c45213334e38125d69e26ce7a51eda5ae57d3814b1e

Download Submit
C:\aff403968f1bfcc42131676322798b50\services.exe

Filesize
885KB

MD5
6e53afd6b5956932d389846e682f8e33

SHA1
979944f5a82d2222591a1325bd9c91fc24984fb7

SHA256
af0edf413f7ee1fdf887426094c1ff9dba2a426d23503ac111ca3176986dc1d8

SHA512
37f80960ce0b2492c3a8251e2e814f68acdd011a4a41383323086903b18c861c2298f9f6e9e571ba03c5f2da7e849c04b245511ec0cb0f05a42844214c9fa16d

Download Submit
C:\aff403968f1bfcc42131676322798b50\smss.exe

Filesize
885KB

MD5
fa9684b8aa290d6ff1b647323a6d35f5

SHA1
eaa2e4dec8b464bb28620701b1be6e43c213e353

SHA256
c9fe3fb036b54f47621312aa2237e9b9038c52f1b089c3c5fa047d4d7e5d7eca

SHA512
7f47d4b4b51fdf860ed53cd9710a72898fe14200904542d7a7ec8e0c6c2b617ee094307b061d8cb951c0966a66779e5bfda9a60d9782055b17e2005adcadf1ca

Download Submit
memory/224-254-0x00000000007D0000-0x00000000008B4000-memory.dmp

Filesize
912KB

Download
memory/2296-341-0x000000001C260000-0x000000001C362000-memory.dmp

Filesize
1.0MB

Download
memory/3312-249-0x00007FFF4E2E0000-0x00007FFF4EDA1000-memory.dmp

Filesize
10.8MB

Download
memory/3312-3-0x0000000000A30000-0x0000000000A4C000-memory.dmp

Filesize
112KB

Download
memory/3312-1-0x0000000000030000-0x0000000000114000-memory.dmp

Filesize
912KB

Download
memory/3312-4-0x000000001AD80000-0x000000001ADD0000-memory.dmp

Filesize
320KB

Download
memory/3312-7-0x000000001AD60000-0x000000001AD6A000-memory.dmp

Filesize
40KB

Download
memory/3312-8-0x000000001AD70000-0x000000001AD7E000-memory.dmp

Filesize
56KB

Download
memory/3312-9-0x000000001ADD0000-0x000000001ADD8000-memory.dmp

Filesize
32KB

Download
memory/3312-10-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

Filesize
48KB

Download
memory/3312-6-0x000000001AD40000-0x000000001AD56000-memory.dmp

Filesize
88KB

Download
memory/3312-5-0x000000001AD30000-0x000000001AD40000-memory.dmp

Filesize
64KB

Download
memory/3312-2-0x00007FFF4E2E0000-0x00007FFF4EDA1000-memory.dmp

Filesize
10.8MB

Download
memory/3312-0-0x00007FFF4E2E3000-0x00007FFF4E2E5000-memory.dmp

Filesize
8KB

Download