dcrat | e5d28ec84e4b5f023e3f386cf7e0776850b67e2bad1299413885f3fdd757f58c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
Size

1.6MB
MD5

d49f9f0f5730138879ce947728596fe0
SHA1

4757810dc00db1570dfd3508acaf6fd47b925e07
SHA256

e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b
SHA512

099508a93873b25601ab8e187cc731a00d6248455a3e60738bfc0f0d9eb23504f21cdb121b30fdd63d82eb5fd597f7f2a4629f489551dc7b08cf96acb68dbe9b
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral22/memory/5724-1-0x0000000000E40000-0x0000000000FE2000-memory.dmp	dcrat
behavioral22/files/0x0007000000024246-26.dat	dcrat
behavioral22/files/0x000c00000002426b-81.dat	dcrat
behavioral22/files/0x000c00000002426d-116.dat	dcrat
behavioral22/files/0x000900000002424b-127.dat	dcrat
behavioral22/files/0x000a0000000241ce-169.dat	dcrat
behavioral22/files/0x000900000002425f-182.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe
1720	powershell.exe
2656	powershell.exe
3520	powershell.exe
3200	powershell.exe
3428	powershell.exe
2440	powershell.exe
3220	powershell.exe
2464	powershell.exe
4348	powershell.exe
4184	powershell.exe
3704	powershell.exe
3104	powershell.exe
2760	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 15 IoCs

pid	Process
5256	lsass.exe
3652	lsass.exe
4916	lsass.exe
3492	lsass.exe
4752	lsass.exe
3308	lsass.exe
4768	lsass.exe
2596	lsass.exe
2432	lsass.exe
5312	lsass.exe
3200	lsass.exe
5920	lsass.exe
5880	lsass.exe
3284	lsass.exe
2844	lsass.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\eddb19405b7ce1	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX54E8.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX54E9.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\f3b6ecef712a24	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6203df4a6bafc7	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\7a0fd90576e088	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\RCX5913.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX5BB5.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX5BB6.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files\Common Files\backgroundTaskHost.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files\Common Files\backgroundTaskHost.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX69DB.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\RCX59A0.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX69DA.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files\Common Files\RCX7152.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files\Common Files\RCX71C1.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\ELS\winlogon.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Windows\de-DE\e1ef82546f0b02	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Windows\Globalization\ELS\winlogon.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Windows\de-DE\RCX5DCB.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Windows\Globalization\ELS\RCX64D5.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Windows\CSC\explorer.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Windows\de-DE\SppExtComObj.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Windows\Globalization\ELS\cc11b995f2a76d	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Windows\de-DE\RCX5DCA.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Windows\de-DE\SppExtComObj.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Windows\Globalization\ELS\RCX6553.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
1892	schtasks.exe
2272	schtasks.exe
2072	schtasks.exe
4008	schtasks.exe
728	schtasks.exe
2064	schtasks.exe
4800	schtasks.exe
6028	schtasks.exe
5004	schtasks.exe
3452	schtasks.exe
3084	schtasks.exe
4924	schtasks.exe
4600	schtasks.exe
4820	schtasks.exe
4760	schtasks.exe
2768	schtasks.exe
6128	schtasks.exe
5280	schtasks.exe
3328	schtasks.exe
4864	schtasks.exe
5316	schtasks.exe
4836	schtasks.exe
4828	schtasks.exe
3984	schtasks.exe
4732	schtasks.exe
4688	schtasks.exe
6036	schtasks.exe
4276	schtasks.exe
428	schtasks.exe
1664	schtasks.exe
4740	schtasks.exe
4676	schtasks.exe
5040	schtasks.exe
4776	schtasks.exe
5116	schtasks.exe
2756	schtasks.exe
5416	schtasks.exe
1084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
2808	powershell.exe
2808	powershell.exe
4348	powershell.exe
4348	powershell.exe
2760	powershell.exe
2760	powershell.exe
3200	powershell.exe
3200	powershell.exe
4184	powershell.exe
4184	powershell.exe
3220	powershell.exe
3220	powershell.exe
2464	powershell.exe
2464	powershell.exe
3104	powershell.exe
3104	powershell.exe
3704	powershell.exe
3704	powershell.exe
2656	powershell.exe
2656	powershell.exe
3428	powershell.exe
3428	powershell.exe
2440	powershell.exe
2440	powershell.exe
1720	powershell.exe
1720	powershell.exe
3520	powershell.exe
3520	powershell.exe
3104	powershell.exe
1720	powershell.exe
3520	powershell.exe
2808	powershell.exe
2808	powershell.exe
4348	powershell.exe
4348	powershell.exe
2760	powershell.exe
2760	powershell.exe
2440	powershell.exe
3200	powershell.exe
2464	powershell.exe
2656	powershell.exe
4184	powershell.exe
3220	powershell.exe
3704	powershell.exe
3428	powershell.exe
5256	lsass.exe
3652	lsass.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	5256	lsass.exe
Token: SeDebugPrivilege	3652	lsass.exe
Token: SeDebugPrivilege	4916	lsass.exe
Token: SeDebugPrivilege	3492	lsass.exe
Token: SeDebugPrivilege	4752	lsass.exe
Token: SeDebugPrivilege	3308	lsass.exe
Token: SeDebugPrivilege	4768	lsass.exe
Token: SeDebugPrivilege	2596	lsass.exe
Token: SeDebugPrivilege	2432	lsass.exe
Token: SeDebugPrivilege	5312	lsass.exe
Token: SeDebugPrivilege	3200	lsass.exe
Token: SeDebugPrivilege	5920	lsass.exe
Token: SeDebugPrivilege	5880	lsass.exe
Token: SeDebugPrivilege	3284	lsass.exe
Token: SeDebugPrivilege	2844	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5724 wrote to memory of 2808	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	132
PID 5724 wrote to memory of 2808	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	132
PID 5724 wrote to memory of 2464	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	133
PID 5724 wrote to memory of 2464	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	133
PID 5724 wrote to memory of 3220	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	134
PID 5724 wrote to memory of 3220	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	134
PID 5724 wrote to memory of 2440	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	136
PID 5724 wrote to memory of 2440	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	136
PID 5724 wrote to memory of 3428	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	137
PID 5724 wrote to memory of 3428	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	137
PID 5724 wrote to memory of 3200	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	139
PID 5724 wrote to memory of 3200	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	139
PID 5724 wrote to memory of 3520	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	140
PID 5724 wrote to memory of 3520	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	140
PID 5724 wrote to memory of 2656	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	141
PID 5724 wrote to memory of 2656	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	141
PID 5724 wrote to memory of 2760	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	142
PID 5724 wrote to memory of 2760	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	142
PID 5724 wrote to memory of 3104	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	145
PID 5724 wrote to memory of 3104	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	145
PID 5724 wrote to memory of 3704	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	146
PID 5724 wrote to memory of 3704	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	146
PID 5724 wrote to memory of 1720	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	148
PID 5724 wrote to memory of 1720	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	148
PID 5724 wrote to memory of 4184	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	150
PID 5724 wrote to memory of 4184	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	150
PID 5724 wrote to memory of 4348	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	152
PID 5724 wrote to memory of 4348	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	152
PID 5724 wrote to memory of 5160	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	161
PID 5724 wrote to memory of 5160	5724	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	161
PID 5160 wrote to memory of 4236	5160	cmd.exe	163
PID 5160 wrote to memory of 4236	5160	cmd.exe	163
PID 5160 wrote to memory of 5256	5160	cmd.exe	165
PID 5160 wrote to memory of 5256	5160	cmd.exe	165
PID 5256 wrote to memory of 3744	5256	lsass.exe	166
PID 5256 wrote to memory of 3744	5256	lsass.exe	166
PID 5256 wrote to memory of 5280	5256	lsass.exe	167
PID 5256 wrote to memory of 5280	5256	lsass.exe	167
PID 3744 wrote to memory of 3652	3744	WScript.exe	168
PID 3744 wrote to memory of 3652	3744	WScript.exe	168
PID 3652 wrote to memory of 3196	3652	lsass.exe	169
PID 3652 wrote to memory of 3196	3652	lsass.exe	169
PID 3652 wrote to memory of 3180	3652	lsass.exe	170
PID 3652 wrote to memory of 3180	3652	lsass.exe	170
PID 3196 wrote to memory of 4916	3196	WScript.exe	179
PID 3196 wrote to memory of 4916	3196	WScript.exe	179
PID 4916 wrote to memory of 5248	4916	lsass.exe	180
PID 4916 wrote to memory of 5248	4916	lsass.exe	180
PID 4916 wrote to memory of 3388	4916	lsass.exe	181
PID 4916 wrote to memory of 3388	4916	lsass.exe	181
PID 3492 wrote to memory of 4564	3492	lsass.exe	183
PID 3492 wrote to memory of 4564	3492	lsass.exe	183
PID 3492 wrote to memory of 2180	3492	lsass.exe	184
PID 3492 wrote to memory of 2180	3492	lsass.exe	184
PID 4564 wrote to memory of 4752	4564	WScript.exe	185
PID 4564 wrote to memory of 4752	4564	WScript.exe	185
PID 4752 wrote to memory of 6040	4752	lsass.exe	186
PID 4752 wrote to memory of 6040	4752	lsass.exe	186
PID 4752 wrote to memory of 3428	4752	lsass.exe	187
PID 4752 wrote to memory of 3428	4752	lsass.exe	187
PID 6040 wrote to memory of 3308	6040	WScript.exe	188
PID 6040 wrote to memory of 3308	6040	WScript.exe	188
PID 3308 wrote to memory of 5292	3308	lsass.exe	189
PID 3308 wrote to memory of 5292	3308	lsass.exe	189

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
"C:\Users\Admin\AppData\Local\Temp\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tjCtAJTq7w.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5160
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4236
- - C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
    "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5256
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93f7b750-feb1-48b5-bffe-7670ee3964cc.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6534051e-4916-44b8-a6fa-f3e8137d0f3a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d587084-2e19-4a63-8890-bf7a93a85b4a.vbs"
        8⤵
        
        PID:5248
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dc1f5c1-63e6-4997-84a1-10d93685880f.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d1868a5-3819-4880-96f2-9305822c8c20.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:6040
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00faca7a-cc80-48a4-8f96-da90095799ec.vbs"
        14⤵
        
        PID:5292
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddc3511d-0249-485e-afb2-354f268e0ab0.vbs"
        16⤵
        
        PID:4844
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a58e031-96e3-4302-a52e-760a55d3bfbf.vbs"
        18⤵
        
        PID:2276
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a386253-aba0-4e63-9121-799c786bebbd.vbs"
        20⤵
        
        PID:5308
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3219cdd8-a77b-4791-b220-89481538c3f8.vbs"
        22⤵
        
        PID:4408
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc9fbf6a-74df-4811-8b99-3083fcd4dd02.vbs"
        24⤵
        
        PID:3632
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c88eb7ae-b340-4bfe-9230-ae9b18f928a8.vbs"
        26⤵
        
        PID:1812
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb63b257-49bd-4164-b70b-11b78e6c4d03.vbs"
        28⤵
        
        PID:5952
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad15c8aa-f9f1-4617-ae46-68d4a96f2a49.vbs"
        30⤵
        
        PID:5968
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\098058f3-1d12-4932-a4a0-4eecb99ac2e7.vbs"
        30⤵
        
        PID:4596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbd069c1-5774-4991-9cb9-4e7b50374fd5.vbs"
        28⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\541b24ab-3c65-415e-92ad-774a192ac169.vbs"
        26⤵
        
        PID:5176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d9d449f-6baa-4357-873c-eacc9146b208.vbs"
        24⤵
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ebc6e14-cfae-400c-a7b2-00b9d505d294.vbs"
        22⤵
        
        PID:5636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cae724f1-f70c-4c23-9ff5-e7609960849d.vbs"
        20⤵
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15d0dffe-c9a2-433b-94ea-2215eda2cd75.vbs"
        18⤵
        
        PID:460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00c23bc7-2280-4632-a24f-8d65bd250392.vbs"
        16⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d9d4b04-d914-4c4e-9637-ed1d8200b419.vbs"
        14⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\233c4ab2-d407-46dd-bc5b-3ccbc7777586.vbs"
        12⤵
        
        PID:3428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71339280-ba27-4c4a-a679-a37ce4453b09.vbs"
        10⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d7e1a82-4504-4478-b2bd-1b56dcfcc9fa.vbs"
        8⤵
        
        PID:3388
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3995d180-0e8a-4d82-b191-7763337a4827.vbs"
        6⤵
        
        PID:3180
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75f1fd12-f033-4a25-b837-d980a519b2c8.vbs"
      4⤵
      PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\ELS\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\ELS\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Music\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sysmon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sysmon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe

Filesize
1.6MB

MD5
ee51b6dce9a16dec78afa6caf414cffd

SHA1
9090763844bbdeb9f5833d8a4631919dbd9736ad

SHA256
87b75470b7aefe5289f0b9c3e26c4616b517e2e1cf116beb5c2635cd9268b011

SHA512
7057e7c6423c8f278f1dd32e8dedd8a2303a140a9f3ecc5924e4f36741e1f9ca549e44b32b50f9074b436ca7244911b066f4d7ad22d0c62ef2f690696ef3e8b2

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\dwm.exe

Filesize
1.6MB

MD5
2496cce00ae5c7b38c9cd21ba3779106

SHA1
cce1bc270fb92a6dd63f31c02887dcaf409229c9

SHA256
6d6ca14279ffa146c349875a9e0bd89681666edbb35382e870a04f8ad937868d

SHA512
2739e9f60444e1ab71837452e7cd449fa109dd352573c346d46c3eea54da73f5f95504379408651eb3f13b436f605abcee926d48a185248cd105d32b8f7b3aff

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\sysmon.exe

Filesize
1.6MB

MD5
04e9440c60b995ebdb877be32fa80118

SHA1
178bf45398fed9f3cedfcbe886d057023f004d49

SHA256
954e87f16b2f0d1f5e5a401a52669cacf5d36065a2ad5306319a4e13fb2aa9f9

SHA512
6459d1909a76b9599aaf80b006a7e544254c8f38e09bf68a81fde0a4ae202be043c3c66b2e2934e880ce45750326c3e58fc99fe4c7d4b29baedf276d7dcb6de9

Download Submit
C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe

Filesize
1.6MB

MD5
b497d77de1b8f0f3b20ef084b3b5772e

SHA1
36f929ba57e293bc2bd9291bd545a41402f23110

SHA256
a110e15ac30f29e7abf791eea1fd5d4b1735fb7c0b36dd7e05e247d1c0495759

SHA512
18c39c9df976804c6faea6af91cba274415160470aab94071e3efd3af149195e372528f5e1efd29a85db361106d0ec214168c084ad4826ed6296b135ce32b951

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.6MB

MD5
8d6d93a9a58705ce0ad5b17e3ae32a3a

SHA1
c9d03dbd39b6d2bb53b6652cf99d0ed81744d9c7

SHA256
504e7ec58576e08caf7e17af0c7101c14d1b6309e0ed9b4fd91b27ea80721d6a

SHA512
9ed58e68f49134346bfba8378fc5e6dd15140931f137aba1566e517a1606ccac79811d9d4aebe120d408b25f9507f9447dad6731cd2a0befdbd95f5d6c403dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9191187d695b2965f2ceb651f0b37ee8

SHA1
b50a4038fb94c8aa7cff8d6941a4329b5b2ae8c7

SHA256
654a46452391ae3310ff9c6a4c820774e950276014fea044c41f007f6c335833

SHA512
90094f44f83470c88c4fcecb239f70e8e791b3b3da628c00676e3c4791766808b4e31c12beef2a7bc7d6a12d05bd8150888461ed1ef7e9eebc8697f6955d63bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
643f98db244717856667bfd771e9db1c

SHA1
5434950e3506ae0cca216690c8fb5d2b38dd591d

SHA256
5e01aecf68e759cce4264330c3b7bc5b30b0d6c17718e558543c87530cf78256

SHA512
886d498dfce303f191b32d7001197aad7bd5eec12b5885ef620be32750902da2369536b10f451e712380bd7b420c051447b998d42f53ffae9b6a358c4db66a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba8a00bf6995531451ca4ff43fecb0b9

SHA1
b590fcea37aded3a4b083ec2d39252fe10b97a61

SHA256
0211a4649daa040751a5aa8f42a3a677da906daf541fed80c2aa19c5f77e9a60

SHA512
e0cfd06cca6fca6d1b742ecc354c2dd9c0e72ab456525086c2af388cb533ff5baae6ff83fa4347dfbc28edc1a2c1b97ef986c2923af9634fd6d967e913fbfc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
56addce8ad0788fa7ed121c8239f965f

SHA1
ac9482a712ad866d8d8ba241489613344883ba32

SHA256
cf8f4a84a53607b45f9dfed75c34776b03777d64ac3c44112ccc5638957557d8

SHA512
ecb98df46c6ccec6e9f401f1c8456b26cf38afe82e2bea885c8dc10619fcbaba9e89432f055b1bdbcce40254b06b1e20e330ea4ac724e4f0c673a5697c548521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9faf1842282b23924fdccd705e391cb3

SHA1
1d1a188f2e755578ecd01b3175f8847398781369

SHA256
27f0d74169a38ec53713307526298109ddfce4629163203edba5d001a7365a63

SHA512
a080b1314e2fc6b5b7babe371bd982ea7dd557b82286d976f2f713318780f4f72ae7ce66c59878d6540bd2aa7f361f191d4ab04e92b314ed164d7134a8ebe848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
414d3c7be38a289ed476cbb4ac51ae02

SHA1
da5113d85edeefb5a20093e40bb548356316f3d4

SHA256
d8ce1dc945725e1a003fcad77de1db795d498003228c088506d286c613cd2e31

SHA512
a6db753e6e9515ad845b8073e725b2d0182697c6dd77475291aefd19e7331d78039c00b9d41ee8cccfabe9a2e0e2ab25753ebf9a865c4a3c18d77ee27cbbae93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ebbb17f3791dea62cf267d83cf036a4

SHA1
266c27acf64b85afd8380277f767cc54f91ab2b0

SHA256
2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

SHA512
6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
82da496008a09abc336bf9adbe6453dd

SHA1
a57df6c2432c6bf7ab549a4333e636f9d9dfebd2

SHA256
69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810

SHA512
86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

Download Submit
C:\Users\Admin\AppData\Local\Temp\00faca7a-cc80-48a4-8f96-da90095799ec.vbs

Filesize
742B

MD5
e4bec0b8212816c23b1ee386c182f8e5

SHA1
0ded8f3ffd2a969b0fd464b185c92038220439e5

SHA256
8a29f20403e56f580eee6eea051d5afebbb25b4a57e195282caafe382910ea76

SHA512
12f8bd72eb8f112415da1c568c2db6c9786cfa8381954c2081a05b90c2d76da8dd1d456e9ef8c5916fc4a606f4aac557a64694b0988df6d8e6f46cd6d4e8ccc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d1868a5-3819-4880-96f2-9305822c8c20.vbs

Filesize
742B

MD5
02ce7f239717961c4c6f3fa744f75586

SHA1
a6e4e2be73a2c7333940c7cc38b5f2f53fcc6b70

SHA256
978cd0712121c9e23cad9ce7dbd7dc2b008a8e6d3169a6bcb3cbd8dabadec4d0

SHA512
af314adc1c7f2867d3dbff0aecd072bfb5d7e78c568fd68918084886c9917486b132f56f1fe19678f9a55c4c7854436301502248e46114c45cb2cf58f49be6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dc1f5c1-63e6-4997-84a1-10d93685880f.vbs

Filesize
742B

MD5
cd755bac05c6cd903c164b7d5676cfab

SHA1
d4963e131725e2014b8224fe4f48e37f4c77858c

SHA256
b4aa51d6d6eb36eb92e8118b0e0570bce1ad822dc1a18b10785cd86bc4bd973b

SHA512
5118d2deea3ebc50ad740e4a537e48089646dbd76704d2a00cf7e79001d8a91eaf19a4950c9f667bfd04fb363eba1c4267b48430cb05732f819eca77285c86ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3219cdd8-a77b-4791-b220-89481538c3f8.vbs

Filesize
742B

MD5
f7eab74b8f60f0454df7e19c2fc33c06

SHA1
62de9e55197dc0187872b2da36756ec534a04772

SHA256
4bd5cae2fbd6ff957cfabbb625ff09be11fdd7f194cc38586f4599905961c190

SHA512
9de3c72ee9aaa0c02301587c2ab515c8116741c702da9662cbe125d49c8198f0b38e3b124bed3bbd5a547ea7f0c76e8050265878b45353eb7f69c9c8232151ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a386253-aba0-4e63-9121-799c786bebbd.vbs

Filesize
742B

MD5
2020e478c16bc5ace5c0c30dd51e92a9

SHA1
b3f9d275965574d3bb9b0af92d06c1214dde2ca3

SHA256
ebe27c78af0d324fce3f6ceaa5e97bff78e8fe59d452913a614b55bc9fd07e1c

SHA512
1df0de5c82a3efbeee3e8ce4062a09b49b5822a1381091194e8b83b43727410274e94ca26a917a107d28803289cbe58f631a1d1140ace2ba400555f22fec58d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6534051e-4916-44b8-a6fa-f3e8137d0f3a.vbs

Filesize
742B

MD5
f6deb4ae58ef69acd03126664d4cae7c

SHA1
0c1ef87d3e2047fda60a996e2b7a5a67a386e8ff

SHA256
c71fc9c9fa3e4e7a36104727ce4b9f2cf32aa1364574c8ae19ff6a8efd3ec577

SHA512
f465ed5a1251ea2b5e7c9f9e4662a64b63b77dd990c410367cbdd7dad86c8c6076d5bcc0f8053dba0d42379048c35363cb04af0f295f6d3e2db7f8912f98ea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\75f1fd12-f033-4a25-b837-d980a519b2c8.vbs

Filesize
518B

MD5
2bd19cc7f7b64bb4b8cb15207b7dd245

SHA1
5724548457da1437e032742e1ff6336cb5ae2fd9

SHA256
794ca6efa5054c0fea3f36dc8d523d3bea7e7dedcfb76664726970b917645bd4

SHA512
f1c56df4c31b03cb9cc7528ea64fd30393ab0c5de30f1f4c079772ecde67eb41964d717f03b791bb5c9e2fb00fcd0605e9edde1d1d17372979eeb5809718ae4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a58e031-96e3-4302-a52e-760a55d3bfbf.vbs

Filesize
742B

MD5
0416c11adc6c6aa82181f17a4ea218ba

SHA1
b4c54d456ba452e4bee6d3ebec846426e78577f0

SHA256
3573df5240e5e6ee1761e26565fc1cd0dd57b0ba930f419cd9fb670732c9e589

SHA512
afbc20363a8c429290867082bb7299941ecd26896a6eece05762495d2b7de774e2e70e068c61e0c9359eb61d8f7ea9db9cb4e0e139a1c8ea9fd38fb75a4566ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\93f7b750-feb1-48b5-bffe-7670ee3964cc.vbs

Filesize
742B

MD5
d2ff457dbca05af276a45122df5146a3

SHA1
ee192198129b1f3fb3978639798199a33f3292f2

SHA256
f8d821b934bcd7b4b6eacd789ffaebd78b9c09257a07959f696e6b88f1fb26ec

SHA512
48a4030382e09adf9fc006eceae64384519da5ae27fb4819713375cc69f0d7c69d144e190b9a25a6acea5eeea6aefc70d0d379d38ec2af6ce0304ec8eeacb035

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xdjsys3.2u2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c88eb7ae-b340-4bfe-9230-ae9b18f928a8.vbs

Filesize
742B

MD5
2128f96d68e6fa64fd8f4cdea747fb91

SHA1
ecc1df1496d181ba0104bf5ffa56373446b6e033

SHA256
445425d26bb266c256182c6d899910d9d8a14ec6c4648637b85b72ff7b11313a

SHA512
45089f899eb03d86a391b57625520c0f46eb3b5d57fbfe7d5113da721553ad59e36d6ab5e2489d2effdbe4318d78ce7ff5a463f51b69a6162e8bb85424d7a4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc9fbf6a-74df-4811-8b99-3083fcd4dd02.vbs

Filesize
742B

MD5
82f1cb03f53c2ddb4dbc5bd5d513f62a

SHA1
b54234c4111b3eb0bb730635053e16cc4046c49e

SHA256
67eddedaf5494b99ef5c324302d0883272d148240d9bfab494b4958158ce278e

SHA512
57f9ddf4e3d8ce4006f36028e68b8c23310712a8c45e4e6d4f3c2d2e0d3e95185efb5fab3b8df1ece5c679caa12ae71fd4d88e57c299ba87bc1e1268ea85e12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddc3511d-0249-485e-afb2-354f268e0ab0.vbs

Filesize
742B

MD5
fd7560e0165dc00fcb98958687478667

SHA1
0b7ffb7cede52bef03c6c7291518b2ed8c3251b1

SHA256
7e7ceeea0238317246c9271b7e5a4251f068e0a91bab3eafd1648728982bc4db

SHA512
79835f075afa8e50fadee31e512e40612d2238ed8b7eda75f46a54c2bcc3d91f13c71c5580474f605e7ecd661b474ceabdc28efc9eee4e2fea86e24e5b6a06a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjCtAJTq7w.bat

Filesize
231B

MD5
63835195e22438814b4a4c316a46922d

SHA1
485af724f18335ca20044c2246fde657cf0c1fab

SHA256
b92575f4bdf0985c1d76fac581b0d5e521e45e680ace9c06e3dc1e31b28e3d12

SHA512
54c0bbf31eb8977a7cff3bfe27cf6e8a6aa901b6be3e7adaed7af6e874a650276ce866f368f47cfa7590f05f675f018440291f74c12172c4ff47459c1fa9d5ec

Download Submit
C:\Windows\de-DE\SppExtComObj.exe

Filesize
1.6MB

MD5
d49f9f0f5730138879ce947728596fe0

SHA1
4757810dc00db1570dfd3508acaf6fd47b925e07

SHA256
e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b

SHA512
099508a93873b25601ab8e187cc731a00d6248455a3e60738bfc0f0d9eb23504f21cdb121b30fdd63d82eb5fd597f7f2a4629f489551dc7b08cf96acb68dbe9b

Download Submit
memory/2808-212-0x0000022CACC50000-0x0000022CACC72000-memory.dmp

Filesize
136KB

Download
memory/5724-12-0x000000001C290000-0x000000001C29A000-memory.dmp

Filesize
40KB

Download
memory/5724-16-0x000000001C4D0000-0x000000001C4DA000-memory.dmp

Filesize
40KB

Download
memory/5724-7-0x0000000003260000-0x0000000003268000-memory.dmp

Filesize
32KB

Download
memory/5724-8-0x000000001C270000-0x000000001C280000-memory.dmp

Filesize
64KB

Download
memory/5724-9-0x0000000003270000-0x0000000003278000-memory.dmp

Filesize
32KB

Download
memory/5724-10-0x000000001C260000-0x000000001C26C000-memory.dmp

Filesize
48KB

Download
memory/5724-1-0x0000000000E40000-0x0000000000FE2000-memory.dmp

Filesize
1.6MB

Download
memory/5724-13-0x000000001C2A0000-0x000000001C2AE000-memory.dmp

Filesize
56KB

Download
memory/5724-4-0x000000001C2B0000-0x000000001C300000-memory.dmp

Filesize
320KB

Download
memory/5724-6-0x0000000003230000-0x0000000003246000-memory.dmp

Filesize
88KB

Download
memory/5724-14-0x000000001C4B0000-0x000000001C4B8000-memory.dmp

Filesize
32KB

Download
memory/5724-17-0x000000001C4E0000-0x000000001C4EC000-memory.dmp

Filesize
48KB

Download
memory/5724-15-0x000000001C4C0000-0x000000001C4C8000-memory.dmp

Filesize
32KB

Download
memory/5724-11-0x000000001C280000-0x000000001C28C000-memory.dmp

Filesize
48KB

Download
memory/5724-3-0x0000000003200000-0x000000000321C000-memory.dmp

Filesize
112KB

Download
memory/5724-5-0x00000000018A0000-0x00000000018B0000-memory.dmp

Filesize
64KB

Download
memory/5724-2-0x00007FFFF5850000-0x00007FFFF6311000-memory.dmp

Filesize
10.8MB

Download
memory/5724-0-0x00007FFFF5853000-0x00007FFFF5855000-memory.dmp

Filesize
8KB

Download
memory/5724-196-0x00007FFFF5853000-0x00007FFFF5855000-memory.dmp

Filesize
8KB

Download
memory/5724-213-0x00007FFFF5850000-0x00007FFFF6311000-memory.dmp

Filesize
10.8MB

Download