dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffc45f2c5865480a76df2d8f64009673.exe
Size

885KB
MD5

ffc45f2c5865480a76df2d8f64009673
SHA1

ed4d772472682c390f3adcbab5f34758e34255a2
SHA256

2301d9d871089a3d47d66f630934afd65d4be33e3650a14e016275635c2b736b
SHA512

44907f4b8add6cbf4534ef39180c054ac80f47e94e730afb4b5ee53207476bea980fcda1be66283f4fd20ff9d6923e89e74c375fda74068249b2fbe27b8e158a
SSDEEP

12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2384	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/2144-1-0x0000000000AB0000-0x0000000000B94000-memory.dmp	dcrat
behavioral29/files/0x000500000001960f-18.dat	dcrat
behavioral29/files/0x000600000001a0a3-51.dat	dcrat
behavioral29/files/0x000600000001c8ed-270.dat	dcrat
behavioral29/files/0x000b00000001c8e3-308.dat	dcrat
behavioral29/memory/1228-405-0x00000000011A0000-0x0000000001284000-memory.dmp	dcrat
behavioral29/memory/836-504-0x0000000000110000-0x00000000001F4000-memory.dmp	dcrat
behavioral29/memory/2716-516-0x0000000000D30000-0x0000000000E14000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
1228	spoolsv.exe
2516	spoolsv.exe
816	spoolsv.exe
1400	spoolsv.exe
620	spoolsv.exe
2388	spoolsv.exe
2188	spoolsv.exe
1648	spoolsv.exe
2880	spoolsv.exe
836	spoolsv.exe
2716	spoolsv.exe
2896	spoolsv.exe
2176	spoolsv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\services.exe	ffc45f2c5865480a76df2d8f64009673.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\RCX1BE.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\RCX931.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\lsm.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Internet Explorer\en-US\services.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX1CF.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX79D.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCX882.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX1D0.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\RCX932.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX208.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\services.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows NT\wininit.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX789.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files (x86)\Uninstall Information\taskhost.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Internet Explorer\en-US\c5b4cb5e9653cc	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX1BF.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX209.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX21A.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\c5b4cb5e9653cc	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\lsm.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX778.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files (x86)\Adobe\283f3f7fedce65	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\6cb0b6c459d5d3	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows NT\56085415360792	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCX883.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows NT\RCX92F.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files (x86)\Uninstall Information\b75386f1303e64	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\101b941d020240	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX79E.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Windows NT\RCX930.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files (x86)\Adobe\ffc45f2c5865480a76df2d8f64009673.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCX21B.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\101b941d020240	ffc45f2c5865480a76df2d8f64009673.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Panther\UnattendGC\f3b6ecef712a24	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\AppPatch\fr-FR\dllhost.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\debug\WIA\RCX1BD.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX1F6.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX1F7.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\Panther\UnattendGC\spoolsv.exe	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\L2Schemas\RCX800.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\debug\WIA\services.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\Vss\Writers\System\dllhost.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\L2Schemas\101b941d020240	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\L2Schemas\RCX7E0.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCX943.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCX944.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\Vss\Writers\System\5940a34987c991	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\debug\WIA\RCX1BC.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\AppPatch\fr-FR\RCX1E4.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\CSC\v2.0.6\dllhost.exe	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\debug\WIA\c5b4cb5e9653cc	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\AppPatch\fr-FR\5940a34987c991	ffc45f2c5865480a76df2d8f64009673.exe
File opened for modification	C:\Windows\AppPatch\fr-FR\RCX1D3.tmp	ffc45f2c5865480a76df2d8f64009673.exe
File created	C:\Windows\L2Schemas\lsm.exe	ffc45f2c5865480a76df2d8f64009673.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2460	schtasks.exe
2104	schtasks.exe
2924	schtasks.exe
2688	schtasks.exe
2928	schtasks.exe
1684	schtasks.exe
1640	schtasks.exe
1944	schtasks.exe
2616	schtasks.exe
1996	schtasks.exe
3012	schtasks.exe
2640	schtasks.exe
1524	schtasks.exe
1036	schtasks.exe
2040	schtasks.exe
3032	schtasks.exe
2780	schtasks.exe
1312	schtasks.exe
2328	schtasks.exe
2264	schtasks.exe
2092	schtasks.exe
2396	schtasks.exe
2352	schtasks.exe
3064	schtasks.exe
1156	schtasks.exe
2512	schtasks.exe
992	schtasks.exe
1820	schtasks.exe
588	schtasks.exe
1660	schtasks.exe
2104	schtasks.exe
2888	schtasks.exe
840	schtasks.exe
800	schtasks.exe
1952	schtasks.exe
2576	schtasks.exe
1348	schtasks.exe
2868	schtasks.exe
1040	schtasks.exe
2316	schtasks.exe
1656	schtasks.exe
1304	schtasks.exe
2108	schtasks.exe
3052	schtasks.exe
1764	schtasks.exe
712	schtasks.exe
1528	schtasks.exe
2980	schtasks.exe
2988	schtasks.exe
1380	schtasks.exe
2700	schtasks.exe
2004	schtasks.exe
596	schtasks.exe
1152	schtasks.exe
1480	schtasks.exe
2592	schtasks.exe
852	schtasks.exe
1044	schtasks.exe
2572	schtasks.exe
2720	schtasks.exe
1628	schtasks.exe
804	schtasks.exe
1676	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2144	ffc45f2c5865480a76df2d8f64009673.exe
2144	ffc45f2c5865480a76df2d8f64009673.exe
2144	ffc45f2c5865480a76df2d8f64009673.exe
2372	ffc45f2c5865480a76df2d8f64009673.exe
2372	ffc45f2c5865480a76df2d8f64009673.exe
2372	ffc45f2c5865480a76df2d8f64009673.exe
2372	ffc45f2c5865480a76df2d8f64009673.exe
2372	ffc45f2c5865480a76df2d8f64009673.exe
2372	ffc45f2c5865480a76df2d8f64009673.exe
2372	ffc45f2c5865480a76df2d8f64009673.exe
1228	spoolsv.exe
2516	spoolsv.exe
816	spoolsv.exe
1400	spoolsv.exe
620	spoolsv.exe
2388	spoolsv.exe
2188	spoolsv.exe
1648	spoolsv.exe
2880	spoolsv.exe
836	spoolsv.exe
2716	spoolsv.exe
2896	spoolsv.exe
2176	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	2372	ffc45f2c5865480a76df2d8f64009673.exe
Token: SeDebugPrivilege	1228	spoolsv.exe
Token: SeDebugPrivilege	2516	spoolsv.exe
Token: SeDebugPrivilege	816	spoolsv.exe
Token: SeDebugPrivilege	1400	spoolsv.exe
Token: SeDebugPrivilege	620	spoolsv.exe
Token: SeDebugPrivilege	2388	spoolsv.exe
Token: SeDebugPrivilege	2188	spoolsv.exe
Token: SeDebugPrivilege	1648	spoolsv.exe
Token: SeDebugPrivilege	2880	spoolsv.exe
Token: SeDebugPrivilege	836	spoolsv.exe
Token: SeDebugPrivilege	2716	spoolsv.exe
Token: SeDebugPrivilege	2896	spoolsv.exe
Token: SeDebugPrivilege	2176	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2372	2144	ffc45f2c5865480a76df2d8f64009673.exe	64
PID 2144 wrote to memory of 2372	2144	ffc45f2c5865480a76df2d8f64009673.exe	64
PID 2144 wrote to memory of 2372	2144	ffc45f2c5865480a76df2d8f64009673.exe	64
PID 2372 wrote to memory of 2764	2372	ffc45f2c5865480a76df2d8f64009673.exe	119
PID 2372 wrote to memory of 2764	2372	ffc45f2c5865480a76df2d8f64009673.exe	119
PID 2372 wrote to memory of 2764	2372	ffc45f2c5865480a76df2d8f64009673.exe	119
PID 2764 wrote to memory of 1348	2764	cmd.exe	121
PID 2764 wrote to memory of 1348	2764	cmd.exe	121
PID 2764 wrote to memory of 1348	2764	cmd.exe	121
PID 2764 wrote to memory of 1228	2764	cmd.exe	122
PID 2764 wrote to memory of 1228	2764	cmd.exe	122
PID 2764 wrote to memory of 1228	2764	cmd.exe	122
PID 1228 wrote to memory of 1656	1228	spoolsv.exe	123
PID 1228 wrote to memory of 1656	1228	spoolsv.exe	123
PID 1228 wrote to memory of 1656	1228	spoolsv.exe	123
PID 1228 wrote to memory of 664	1228	spoolsv.exe	124
PID 1228 wrote to memory of 664	1228	spoolsv.exe	124
PID 1228 wrote to memory of 664	1228	spoolsv.exe	124
PID 1656 wrote to memory of 2516	1656	WScript.exe	125
PID 1656 wrote to memory of 2516	1656	WScript.exe	125
PID 1656 wrote to memory of 2516	1656	WScript.exe	125
PID 2516 wrote to memory of 2920	2516	spoolsv.exe	126
PID 2516 wrote to memory of 2920	2516	spoolsv.exe	126
PID 2516 wrote to memory of 2920	2516	spoolsv.exe	126
PID 2516 wrote to memory of 2580	2516	spoolsv.exe	127
PID 2516 wrote to memory of 2580	2516	spoolsv.exe	127
PID 2516 wrote to memory of 2580	2516	spoolsv.exe	127
PID 2920 wrote to memory of 816	2920	WScript.exe	128
PID 2920 wrote to memory of 816	2920	WScript.exe	128
PID 2920 wrote to memory of 816	2920	WScript.exe	128
PID 816 wrote to memory of 1680	816	spoolsv.exe	129
PID 816 wrote to memory of 1680	816	spoolsv.exe	129
PID 816 wrote to memory of 1680	816	spoolsv.exe	129
PID 816 wrote to memory of 2560	816	spoolsv.exe	130
PID 816 wrote to memory of 2560	816	spoolsv.exe	130
PID 816 wrote to memory of 2560	816	spoolsv.exe	130
PID 1680 wrote to memory of 1400	1680	WScript.exe	131
PID 1680 wrote to memory of 1400	1680	WScript.exe	131
PID 1680 wrote to memory of 1400	1680	WScript.exe	131
PID 1400 wrote to memory of 1960	1400	spoolsv.exe	132
PID 1400 wrote to memory of 1960	1400	spoolsv.exe	132
PID 1400 wrote to memory of 1960	1400	spoolsv.exe	132
PID 1400 wrote to memory of 1084	1400	spoolsv.exe	133
PID 1400 wrote to memory of 1084	1400	spoolsv.exe	133
PID 1400 wrote to memory of 1084	1400	spoolsv.exe	133
PID 1960 wrote to memory of 620	1960	WScript.exe	134
PID 1960 wrote to memory of 620	1960	WScript.exe	134
PID 1960 wrote to memory of 620	1960	WScript.exe	134
PID 620 wrote to memory of 2796	620	spoolsv.exe	135
PID 620 wrote to memory of 2796	620	spoolsv.exe	135
PID 620 wrote to memory of 2796	620	spoolsv.exe	135
PID 620 wrote to memory of 1224	620	spoolsv.exe	136
PID 620 wrote to memory of 1224	620	spoolsv.exe	136
PID 620 wrote to memory of 1224	620	spoolsv.exe	136
PID 2796 wrote to memory of 2388	2796	WScript.exe	137
PID 2796 wrote to memory of 2388	2796	WScript.exe	137
PID 2796 wrote to memory of 2388	2796	WScript.exe	137
PID 2388 wrote to memory of 2896	2388	spoolsv.exe	138
PID 2388 wrote to memory of 2896	2388	spoolsv.exe	138
PID 2388 wrote to memory of 2896	2388	spoolsv.exe	138
PID 2388 wrote to memory of 2424	2388	spoolsv.exe	139
PID 2388 wrote to memory of 2424	2388	spoolsv.exe	139
PID 2388 wrote to memory of 2424	2388	spoolsv.exe	139
PID 2896 wrote to memory of 2188	2896	WScript.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ffc45f2c5865480a76df2d8f64009673.exe
"C:\Users\Admin\AppData\Local\Temp\ffc45f2c5865480a76df2d8f64009673.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\ffc45f2c5865480a76df2d8f64009673.exe
  "C:\Users\Admin\AppData\Local\Temp\ffc45f2c5865480a76df2d8f64009673.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MiRzS7nDj0.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1348
  - - C:\Windows\Panther\UnattendGC\spoolsv.exe
      "C:\Windows\Panther\UnattendGC\spoolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de2676b6-0837-4c17-94cd-abb839172dcc.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b90326be-deaa-41b8-99ec-873b9063c853.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9424bbd9-d079-478e-bef3-92fc333161c2.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4396dd28-cc59-4b87-b0b6-e8eb2a8d3a2c.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f16b311f-8186-4418-b238-68f59c1131b8.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aae4d6a-f34c-466d-b410-ed3c64d91c0d.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0acb3041-d764-4c4b-914b-aef9a5701dd0.vbs"
        17⤵
        
        PID:236
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66abce4c-6a41-4fc4-bf6e-43bd694a186d.vbs"
        19⤵
        
        PID:2168
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07b4ef55-4de9-4a64-a547-a12c23fbb85e.vbs"
        21⤵
        
        PID:856
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d1dd326-6859-41c5-9ba5-80f9003175b2.vbs"
        23⤵
        
        PID:2160
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\415216f2-41af-4dd7-b4c1-6f0434795855.vbs"
        25⤵
        
        PID:2516
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd9a589d-3594-43a4-9396-1bc29a6b0b7d.vbs"
        27⤵
        
        PID:2004
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        
        C:\Windows\Panther\UnattendGC\spoolsv.exe
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c78d534f-1856-4a39-9c5f-9881fae84636.vbs"
        29⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\754cb9e5-7a80-47d8-9c0b-e04f79602f26.vbs"
        29⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db33a07e-c72b-44d5-960a-61d7ea29228d.vbs"
        27⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99d1331d-5891-4218-a13a-f73a7552c39f.vbs"
        25⤵
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1481d2a-eccc-418d-9ac7-9ee9be795741.vbs"
        23⤵
        
        PID:484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\590715d2-67ad-43e1-8906-048b392f8731.vbs"
        21⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c86cb6b8-4f15-4339-aa7c-332f65db5221.vbs"
        19⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b1ccd06-fed9-4a36-86b3-ba1451fbd7c7.vbs"
        17⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28373676-c1a6-4ea1-b884-88a0f8f92b6b.vbs"
        15⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec9461c6-cf9d-4472-9669-a21338ad5754.vbs"
        13⤵
        
        PID:1224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b8712f-d3fa-4a2d-a186-38130adfed61.vbs"
        11⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e57106e3-ffed-43c8-bfd2-a1f2d61d4304.vbs"
        9⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc4fa2ec-a428-42e3-a414-fbd9b080b9c0.vbs"
        7⤵
        
        PID:2580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60f7f15d-49d1-486d-9ba6-778ea3b1ff8b.vbs"
        5⤵
        
        PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\debug\WIA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ffc45f2c5865480a76df2d8f64009673f" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\ffc45f2c5865480a76df2d8f64009673.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ffc45f2c5865480a76df2d8f64009673" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\ffc45f2c5865480a76df2d8f64009673.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ffc45f2c5865480a76df2d8f64009673f" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\ffc45f2c5865480a76df2d8f64009673.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Cookies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\plugins\demux\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\demux\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\demux\lsm.exe'" /rl HIGHEST /f
1⤵
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\UnattendGC\spoolsv.exe'" /rl HIGHEST /f
1⤵
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\schtasks.exe

Filesize
885KB

MD5
49f19756963f2ed2f276853ef066f367

SHA1
45e0035d93bcd35bdad0155ade1469be19e55a66

SHA256
a589feb771b3f3925e48a3e6c21869c70bc39fe2efef99f1bc95bbb1be065069

SHA512
38824d2108645db6b8ad2ab61fd172b3e16a81b148eb0aedb115530b5b4ac3d349b340d1d9d696123d05f3f25cc37520b04cf9055c3cf556412902285bc5be9c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RCX1AA.tmp

Filesize
885KB

MD5
19fc9a5046522dd61d86f760065e66a9

SHA1
0536865ca964625473fb3e6de3d7168c9d4a432a

SHA256
e58c3e67803f92381419c0572c2e21dd56f7d06278c1260bbeb9740f75a7e600

SHA512
1d2e804756cf8dce1e0b5f302a25a1a1154b3ac999135e2d04dc5a393a4419a0ec32ae32aff58b9d45075b1cf79925012ec3ac4cc211f31b5d42c0c157c0be1b

Download Submit
C:\Program Files (x86)\Uninstall Information\taskhost.exe

Filesize
885KB

MD5
ffc45f2c5865480a76df2d8f64009673

SHA1
ed4d772472682c390f3adcbab5f34758e34255a2

SHA256
2301d9d871089a3d47d66f630934afd65d4be33e3650a14e016275635c2b736b

SHA512
44907f4b8add6cbf4534ef39180c054ac80f47e94e730afb4b5ee53207476bea980fcda1be66283f4fd20ff9d6923e89e74c375fda74068249b2fbe27b8e158a

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX79D.tmp

Filesize
885KB

MD5
8b1252ff5e97c60e52ebde8b8fa1a0e0

SHA1
c0361110b32adc8da4acd8d8750e3ef4fe759d63

SHA256
fab8585b62f178a01c67beb5d9c03c2bff32064fd746c6792e374090f309a53c

SHA512
a733c5e32d796e1a80848514a840966d93c23507f9aeefdbce3216cdb63db8b6a9fa608808d5b75e1c83d59883c2dcc79196b691b3ab82a761b2b159c8ef22e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\07b4ef55-4de9-4a64-a547-a12c23fbb85e.vbs

Filesize
717B

MD5
c0cd053eee2a9abda94fced409a3d1c2

SHA1
6f496076aaf27edcb305dd8900e95953504ecf69

SHA256
eacd9b54a621f008eaa68398e30770e7502f555757f9516417fb53a2d7a63e93

SHA512
57b0187c518c35d7fd66e90f0473d45379fb5dd889f7b8f2caf90af4001d8b25d694549663a974b13a5387c5c2a820c52429ae8ce1e8c6eb7e0277004bfe8598

Download Submit
C:\Users\Admin\AppData\Local\Temp\0acb3041-d764-4c4b-914b-aef9a5701dd0.vbs

Filesize
717B

MD5
876ee960dced0e1898e5b2541453f839

SHA1
8077ff0d3ed0a2c00cb92853fd1d1e7a0ce35976

SHA256
9ee5dc0841cd8e5b7604cc6c7cc2756419ca39a40048f685e709a7e10a5bbf00

SHA512
b3e85cde7951c014aae11bec267914ccd9ee6998f16a8fd4f68e5bf9c586a8da56768cdf9a71080204c8676aab7e5fbe48418040e39bc2c9a5952858d7b44b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\415216f2-41af-4dd7-b4c1-6f0434795855.vbs

Filesize
717B

MD5
a250dca316cb7c03f32f9f9528484c92

SHA1
1d9a8715d951eae08562865b5b2d1d70a26e9901

SHA256
0ac530d3d89f6e9706c9a69ab9973b449a8999ebd85bb9784081c32bcb69bbb3

SHA512
8efdbe2c1e68e9bd947a53dfcc25b5e642160ff8a1018c965038aa6cadd2b70c3618567eb9d5c7a994236f3152309e94d40e96ebdaa3dfb4fc036992d7bfe618

Download Submit
C:\Users\Admin\AppData\Local\Temp\4396dd28-cc59-4b87-b0b6-e8eb2a8d3a2c.vbs

Filesize
717B

MD5
d6070eb030da1e17cb32560556732b61

SHA1
1b75e8cd2e3ae70e5cf3b45b1ee8f6bcbfb65ba1

SHA256
63c6c00144ffc07cda3e6707998c48641d572835aa46e427c07f83e4d83f6ea9

SHA512
e1a0b5fba987726fbb53b4fe8627aa4991fbe17b4da8d83713c1831af2d59a59f40017341d66d38b06a94bf6e8ecbfa3a04f0eeb87d96f3cd26151fbe73249df

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d1dd326-6859-41c5-9ba5-80f9003175b2.vbs

Filesize
716B

MD5
a88ee3b0ee15c44661a06c6f0151301b

SHA1
11878caa622345ca2244098b5ad67bfebb4c5482

SHA256
67d196ef07e1118731178d30a585b13f8648e7c98fa6f3a0f35d3e1ebf43e675

SHA512
514908768b22b931229532470026937fe0322be569209fcc17e603a7e6cc1921a4c55f1d9feb72dbad1b0f2295d82d8d6869aa4b6c9731eefe42e0f662fe9dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\60f7f15d-49d1-486d-9ba6-778ea3b1ff8b.vbs

Filesize
493B

MD5
3ac0d6b44627737e1b390167145d3559

SHA1
1bcd1e05158dcc273087a47615c87bb0af5627e3

SHA256
92d8390635a417f08b116cda15af7733ecabe3a8481ff4702f716663b283b283

SHA512
d71433b93a5f81aa734660868fa1487cdbc331bca4c4710f1b70e45ed3b4c62de1054a3bda6ccee92eae16ee2e39f822712b74f38648d0754f12ee501dfa4df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\66abce4c-6a41-4fc4-bf6e-43bd694a186d.vbs

Filesize
717B

MD5
59cf3992e7eafa18fb9afac510b6dede

SHA1
ed106ac0f7ccd8e733976d90cdf5609ce588201d

SHA256
71de8abd8a78cc2c834b4a9888c6e8a85bd1e75cdf5e36b79ad48c773f35c814

SHA512
04e0e361f62f580862908b0180707577e3a658100143647c81020a7ea7f09effe321a3a7cc2b4fe445d7788421eb3f3ecbe3e49151150e0caa67b8a54eddd146

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aae4d6a-f34c-466d-b410-ed3c64d91c0d.vbs

Filesize
717B

MD5
99b6b84bd22a6cd6761db676aee5de4b

SHA1
f0565309bfb8c93a0c6a4afcca9c781042f9d019

SHA256
5660e7713136819e3cef6b4acf04c64dfb06f690fbc8ec82c93c81ed496ba2ac

SHA512
2f16e14cdebd03edd7c399c44afc891e32a1091e9a2e1eef24e682b6abecab828305610a2046be095ce4af59f0e80b451075e7c5429c4846d7a17c85d34a7acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9424bbd9-d079-478e-bef3-92fc333161c2.vbs

Filesize
716B

MD5
355ae91276599b42c55f11045c9071f4

SHA1
be40fa86b618a706dbff452a0e8b0273367dd4e8

SHA256
c2855690a37d2c34e0ddabbd6469f7e15c5b406f1c9cb63a708932bf80d65e57

SHA512
5da4614ab003e9593d643a2dd41cd69d5484ab349f12cc008724d66dadfa62f7f6d5850708fc2fd40f268b716912109b4cc53adfe00b23ea4cb315ca80178a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiRzS7nDj0.bat

Filesize
206B

MD5
27681fa7242541a1d82fdf2657c6c98e

SHA1
01f256da457faf7f6b4b5b79ca84116db683847c

SHA256
915151273590153d11cb9ba527f83484643cbd9e8498fc49aab20cd5cf74c5fd

SHA512
52b40fef32a2e9854a95cc25c3f37a277586f82f4ed2866dcf7d75d19e0a4e8d4bd43c5ae8098e10cebe382e8a6321b4002ea2dd64cf67fbcde3c799a368189c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b90326be-deaa-41b8-99ec-873b9063c853.vbs

Filesize
717B

MD5
40ca809b56f5b9ff9f8f9ad464f643b1

SHA1
e5c4db3546bf5cd0f95370cc114346e694e5fd84

SHA256
30057da8464614e1b52d8cd2474dc4091294690fd39cd76bacc3a0bb18880fc8

SHA512
c892a306112f980075f03fdb3c25fa97532b33285903443eae3a946fed87a4da52a525eb9b9f1575a716fdf49eb0a77297f9e68526f75ea395d573765e4b7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c78d534f-1856-4a39-9c5f-9881fae84636.vbs

Filesize
717B

MD5
b4c708528abcfd370df4847c99f65f97

SHA1
2fc4d97fb93077d015be676a145dc92da6526429

SHA256
f02e53283f24e49f2f2814570a72f3b2da98a905066d32998c7c446d30937585

SHA512
478ad3b38bcd990fae5bee4ba11a6d99e44bc4b5937b5df14826144f09f5f456ee54789a5a688e7db5d944d989ab9f805a5194f71fe13a5a0c600a3224e8736d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd9a589d-3594-43a4-9396-1bc29a6b0b7d.vbs

Filesize
717B

MD5
d50de39ff7700bc94bfe75fc97b4a382

SHA1
eb97a83a408f5e28572afec7f0507c7b470e27fc

SHA256
e1532aa6ddcca47f22c8200d08ab27cc151276b6801114d9e73d33cba067b5a1

SHA512
e65f7b68015a2d4fb9a9d1343b9f8fc319790de0f4d705596d9af30eb8399700d7276e5990614603bc270a7ea730bee3814ffd0b149ca0d5a2c2ea44e1dd1792

Download Submit
C:\Users\Admin\AppData\Local\Temp\de2676b6-0837-4c17-94cd-abb839172dcc.vbs

Filesize
717B

MD5
cf847595a2ab3192ec599d300b681617

SHA1
e590dd1d89dd1886c872a19b75927ebf2ea3f831

SHA256
13b1080efe2229a4b3aec47df90779a281266b072b3b12fa8fa0295f7342065e

SHA512
b25627f6b83e66e6d8b4db87a6cb2103f86df0428080e59813f0269d591610e7c38f4011e45cbc3ee3994a0d27a798d6afcdd76f2c161946a415b7aa627f82fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f16b311f-8186-4418-b238-68f59c1131b8.vbs

Filesize
716B

MD5
60adcd40fa99e3ba2eca93246b2a0696

SHA1
7d70312f1e1b708aa74137e644543e47826b3cb3

SHA256
9275205a650e67b8ccf3f9618eb6990decc275d4c61213966c8cfbc0dd8aa9c6

SHA512
0d72de99cbab713ac2bfa2b990f2e9e2f633ab62e799d8606a9c338ae810cd83c9b71c0a9f5abfad2b69fdcfc458666eae1c3a42278867d0f3b1570cd3d2dc3b

Download Submit
memory/836-504-0x0000000000110000-0x00000000001F4000-memory.dmp

Filesize
912KB

Download
memory/1228-405-0x00000000011A0000-0x0000000001284000-memory.dmp

Filesize
912KB

Download
memory/2144-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2144-159-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2144-9-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/2144-8-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2144-6-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/2144-7-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/2144-5-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/2144-4-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2144-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2144-2-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2144-1-0x0000000000AB0000-0x0000000000B94000-memory.dmp

Filesize
912KB

Download
memory/2716-516-0x0000000000D30000-0x0000000000E14000-memory.dmp

Filesize
912KB

Download