dcrat | 8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
79s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb00f484dd8074177d1c4ad20203982a.exe
Size

1.6MB
MD5

eb00f484dd8074177d1c4ad20203982a
SHA1

9f3ac964a1c915cf7b2954dca26acb17baa73586
SHA256

64cf79a4ca419db52372e76dea60756bd9b17e62c3c416145b37e88d1fe17def
SHA512

20664145ca390fe8bd9028e772e9263a83063ee2ff460d44fa2653f38879c00d9311ff0c7dc4a84735d952761fb1e5f9da95ec39070e459371b4675fd52a4551
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5756	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5572	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5428	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6124	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5688	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5968	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5584	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4576	schtasks.exe	86

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/5204-1-0x0000000000F50000-0x00000000010F2000-memory.dmp	dcrat
behavioral18/files/0x00060000000227cb-28.dat	dcrat
behavioral18/files/0x0009000000022edd-47.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1796	powershell.exe
5052	powershell.exe
4496	powershell.exe
4504	powershell.exe
1656	powershell.exe
1892	powershell.exe
5900	powershell.exe
5828	powershell.exe
4548	powershell.exe
948	powershell.exe
1508	powershell.exe
1792	powershell.exe
3200	powershell.exe
5784	powershell.exe
5292	powershell.exe
5188	powershell.exe
3084	powershell.exe
1920	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	eb00f484dd8074177d1c4ad20203982a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	eb00f484dd8074177d1c4ad20203982a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 7 IoCs

pid	Process
3124	eb00f484dd8074177d1c4ad20203982a.exe
1464	SppExtComObj.exe
5832	SppExtComObj.exe
4936	SppExtComObj.exe
2364	SppExtComObj.exe
3096	SppExtComObj.exe
1852	SppExtComObj.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4492_4245689\csrss.exe	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\services.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\VideoLAN\VLC\explorer.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files (x86)\Windows Portable Devices\088424020bedd6	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\edge_BITS_4492_4245689\csrss.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\edge_BITS_4492_4245689\886983d96e3d3e	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\explorer.exe	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\conhost.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\VideoLAN\VLC\7a0fd90576e088	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\c82b8037eab33d	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\Windows Media Player\ja-JP\services.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\Windows Media Player\ja-JP\c5b4cb5e9653cc	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe	eb00f484dd8074177d1c4ad20203982a.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\de-DE\csrss.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Windows\apppatch\de-DE\886983d96e3d3e	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Windows\apppatch\de-DE\RCX4B07.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Windows\apppatch\de-DE\RCX4B75.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Windows\apppatch\de-DE\csrss.exe	eb00f484dd8074177d1c4ad20203982a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	eb00f484dd8074177d1c4ad20203982a.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	eb00f484dd8074177d1c4ad20203982a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1908	schtasks.exe
2084	schtasks.exe
5584	schtasks.exe
1940	schtasks.exe
3276	schtasks.exe
4164	schtasks.exe
4084	schtasks.exe
4088	schtasks.exe
3628	schtasks.exe
5756	schtasks.exe
548	schtasks.exe
4676	schtasks.exe
1260	schtasks.exe
3352	schtasks.exe
4656	schtasks.exe
1452	schtasks.exe
6124	schtasks.exe
5832	schtasks.exe
5788	schtasks.exe
2212	schtasks.exe
4296	schtasks.exe
448	schtasks.exe
2180	schtasks.exe
1080	schtasks.exe
5968	schtasks.exe
1876	schtasks.exe
3396	schtasks.exe
4744	schtasks.exe
2444	schtasks.exe
3636	schtasks.exe
1352	schtasks.exe
1684	schtasks.exe
556	schtasks.exe
1996	schtasks.exe
5704	schtasks.exe
3336	schtasks.exe
4804	schtasks.exe
5688	schtasks.exe
3484	schtasks.exe
2216	schtasks.exe
2796	schtasks.exe
5104	schtasks.exe
1664	schtasks.exe
5572	schtasks.exe
5428	schtasks.exe
4756	schtasks.exe
3532	schtasks.exe
1040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5204	eb00f484dd8074177d1c4ad20203982a.exe
948	powershell.exe
5900	powershell.exe
948	powershell.exe
5900	powershell.exe
1920	powershell.exe
1920	powershell.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
3124	eb00f484dd8074177d1c4ad20203982a.exe
1656	powershell.exe
1656	powershell.exe
5292	powershell.exe
5292	powershell.exe
4504	powershell.exe
4504	powershell.exe
4496	powershell.exe
4496	powershell.exe
1892	powershell.exe
1892	powershell.exe
5052	powershell.exe
5052	powershell.exe
1796	powershell.exe
1796	powershell.exe
5828	powershell.exe
5828	powershell.exe
5188	powershell.exe
5188	powershell.exe
3084	powershell.exe
3084	powershell.exe
5784	powershell.exe
5784	powershell.exe
1508	powershell.exe
1508	powershell.exe
1792	powershell.exe
1792	powershell.exe
3200	powershell.exe
3200	powershell.exe
4548	powershell.exe
4548	powershell.exe
1792	powershell.exe
4496	powershell.exe
5292	powershell.exe
5292	powershell.exe
4504	powershell.exe
4504	powershell.exe
5052	powershell.exe
1656	powershell.exe
1656	powershell.exe
1796	powershell.exe
1892	powershell.exe
5828	powershell.exe
3084	powershell.exe
5188	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	5204	eb00f484dd8074177d1c4ad20203982a.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	5900	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	3124	eb00f484dd8074177d1c4ad20203982a.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	5828	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	1464	SppExtComObj.exe
Token: SeDebugPrivilege	5832	SppExtComObj.exe
Token: SeDebugPrivilege	4936	SppExtComObj.exe
Token: SeDebugPrivilege	2364	SppExtComObj.exe
Token: SeDebugPrivilege	3096	SppExtComObj.exe
Token: SeDebugPrivilege	1852	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5204 wrote to memory of 5900	5204	eb00f484dd8074177d1c4ad20203982a.exe	93
PID 5204 wrote to memory of 5900	5204	eb00f484dd8074177d1c4ad20203982a.exe	93
PID 5204 wrote to memory of 1920	5204	eb00f484dd8074177d1c4ad20203982a.exe	94
PID 5204 wrote to memory of 1920	5204	eb00f484dd8074177d1c4ad20203982a.exe	94
PID 5204 wrote to memory of 948	5204	eb00f484dd8074177d1c4ad20203982a.exe	95
PID 5204 wrote to memory of 948	5204	eb00f484dd8074177d1c4ad20203982a.exe	95
PID 5204 wrote to memory of 1896	5204	eb00f484dd8074177d1c4ad20203982a.exe	99
PID 5204 wrote to memory of 1896	5204	eb00f484dd8074177d1c4ad20203982a.exe	99
PID 1896 wrote to memory of 5624	1896	cmd.exe	101
PID 1896 wrote to memory of 5624	1896	cmd.exe	101
PID 1896 wrote to memory of 3124	1896	cmd.exe	106
PID 1896 wrote to memory of 3124	1896	cmd.exe	106
PID 3124 wrote to memory of 5828	3124	eb00f484dd8074177d1c4ad20203982a.exe	151
PID 3124 wrote to memory of 5828	3124	eb00f484dd8074177d1c4ad20203982a.exe	151
PID 3124 wrote to memory of 1796	3124	eb00f484dd8074177d1c4ad20203982a.exe	152
PID 3124 wrote to memory of 1796	3124	eb00f484dd8074177d1c4ad20203982a.exe	152
PID 3124 wrote to memory of 5292	3124	eb00f484dd8074177d1c4ad20203982a.exe	153
PID 3124 wrote to memory of 5292	3124	eb00f484dd8074177d1c4ad20203982a.exe	153
PID 3124 wrote to memory of 5052	3124	eb00f484dd8074177d1c4ad20203982a.exe	154
PID 3124 wrote to memory of 5052	3124	eb00f484dd8074177d1c4ad20203982a.exe	154
PID 3124 wrote to memory of 4496	3124	eb00f484dd8074177d1c4ad20203982a.exe	155
PID 3124 wrote to memory of 4496	3124	eb00f484dd8074177d1c4ad20203982a.exe	155
PID 3124 wrote to memory of 4504	3124	eb00f484dd8074177d1c4ad20203982a.exe	156
PID 3124 wrote to memory of 4504	3124	eb00f484dd8074177d1c4ad20203982a.exe	156
PID 3124 wrote to memory of 1508	3124	eb00f484dd8074177d1c4ad20203982a.exe	157
PID 3124 wrote to memory of 1508	3124	eb00f484dd8074177d1c4ad20203982a.exe	157
PID 3124 wrote to memory of 4548	3124	eb00f484dd8074177d1c4ad20203982a.exe	158
PID 3124 wrote to memory of 4548	3124	eb00f484dd8074177d1c4ad20203982a.exe	158
PID 3124 wrote to memory of 1656	3124	eb00f484dd8074177d1c4ad20203982a.exe	159
PID 3124 wrote to memory of 1656	3124	eb00f484dd8074177d1c4ad20203982a.exe	159
PID 3124 wrote to memory of 5188	3124	eb00f484dd8074177d1c4ad20203982a.exe	160
PID 3124 wrote to memory of 5188	3124	eb00f484dd8074177d1c4ad20203982a.exe	160
PID 3124 wrote to memory of 5784	3124	eb00f484dd8074177d1c4ad20203982a.exe	161
PID 3124 wrote to memory of 5784	3124	eb00f484dd8074177d1c4ad20203982a.exe	161
PID 3124 wrote to memory of 3200	3124	eb00f484dd8074177d1c4ad20203982a.exe	162
PID 3124 wrote to memory of 3200	3124	eb00f484dd8074177d1c4ad20203982a.exe	162
PID 3124 wrote to memory of 1792	3124	eb00f484dd8074177d1c4ad20203982a.exe	163
PID 3124 wrote to memory of 1792	3124	eb00f484dd8074177d1c4ad20203982a.exe	163
PID 3124 wrote to memory of 3084	3124	eb00f484dd8074177d1c4ad20203982a.exe	164
PID 3124 wrote to memory of 3084	3124	eb00f484dd8074177d1c4ad20203982a.exe	164
PID 3124 wrote to memory of 1892	3124	eb00f484dd8074177d1c4ad20203982a.exe	166
PID 3124 wrote to memory of 1892	3124	eb00f484dd8074177d1c4ad20203982a.exe	166
PID 3124 wrote to memory of 4888	3124	eb00f484dd8074177d1c4ad20203982a.exe	181
PID 3124 wrote to memory of 4888	3124	eb00f484dd8074177d1c4ad20203982a.exe	181
PID 4888 wrote to memory of 5772	4888	cmd.exe	183
PID 4888 wrote to memory of 5772	4888	cmd.exe	183
PID 4888 wrote to memory of 1464	4888	cmd.exe	184
PID 4888 wrote to memory of 1464	4888	cmd.exe	184
PID 1464 wrote to memory of 3412	1464	SppExtComObj.exe	185
PID 1464 wrote to memory of 3412	1464	SppExtComObj.exe	185
PID 1464 wrote to memory of 3004	1464	SppExtComObj.exe	186
PID 1464 wrote to memory of 3004	1464	SppExtComObj.exe	186
PID 3412 wrote to memory of 5832	3412	WScript.exe	190
PID 3412 wrote to memory of 5832	3412	WScript.exe	190
PID 5832 wrote to memory of 3080	5832	SppExtComObj.exe	193
PID 5832 wrote to memory of 3080	5832	SppExtComObj.exe	193
PID 5832 wrote to memory of 2852	5832	SppExtComObj.exe	194
PID 5832 wrote to memory of 2852	5832	SppExtComObj.exe	194
PID 3080 wrote to memory of 4936	3080	WScript.exe	199
PID 3080 wrote to memory of 4936	3080	WScript.exe	199
PID 4936 wrote to memory of 1516	4936	SppExtComObj.exe	200
PID 4936 wrote to memory of 1516	4936	SppExtComObj.exe	200
PID 4936 wrote to memory of 6128	4936	SppExtComObj.exe	201
PID 4936 wrote to memory of 6128	4936	SppExtComObj.exe	201

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe
"C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\de-DE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJHXkWh8sx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5624
- - C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe
    "C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TrustedInstaller.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Local\History\lsass.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\eb00f484dd8074177d1c4ad20203982a.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\SppExtComObj.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\sysmon.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4492_4245689\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\SppExtComObj.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\services.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wb5MF5Nv4v.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5772
    - - C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62b65c19-1c9e-4bbb-bb47-d730dea24e50.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6479e445-e585-4ccd-a398-ded05948d6c0.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ec3cdb-c4eb-457b-948d-9343d6b565da.vbs"
        10⤵
        
        PID:1516
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f95ae8a8-7021-4619-8cf7-457929e91ee9.vbs"
        12⤵
        
        PID:5016
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f82078e-bf88-4c22-b603-07bd9710f6bb.vbs"
        14⤵
        
        PID:436
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e50485d-2b28-4eb6-be11-ecaf007b0369.vbs"
        16⤵
        
        PID:732
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        17⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d71c78b3-a297-44d3-8332-f48366ce7312.vbs"
        18⤵
        
        PID:5508
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        19⤵
        
        PID:5412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6c78069-2cde-4d10-8142-5f0a74a569d9.vbs"
        20⤵
        
        PID:6116
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        21⤵
        
        PID:5880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab923206-eb42-44b0-80fe-01e3ea54b66e.vbs"
        22⤵
        
        PID:5236
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        23⤵
        
        PID:4732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c6fab49-6ca1-45af-a958-cd3a5d7ffac4.vbs"
        24⤵
        
        PID:5088
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        25⤵
        
        PID:4488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf2b3208-2bff-478d-9fe3-cdf477adb458.vbs"
        26⤵
        
        PID:4684
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        27⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a125acb-856c-41ad-a474-28d236424c7d.vbs"
        28⤵
        
        PID:6012
        
        C:\Users\Admin\Saved Games\SppExtComObj.exe
        
        "C:\Users\Admin\Saved Games\SppExtComObj.exe"
        29⤵
        
        PID:5064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11e65988-5c9e-447c-b9c8-f2995820ed36.vbs"
        30⤵
        
        PID:4028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\348786a3-b5ef-401e-afcf-afaae9ca0ff8.vbs"
        30⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e13228-e8e0-40f0-a531-95dbed7c2498.vbs"
        28⤵
        
        PID:1364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47b968fe-b397-4e70-a518-737987da7b18.vbs"
        26⤵
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\542afdea-1dd1-42f3-97ea-f9705211aa2c.vbs"
        24⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c69ead4c-273a-4dab-aedf-23b7f9649780.vbs"
        22⤵
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\405e8000-13cb-4983-9771-2198b03b1d5a.vbs"
        20⤵
        
        PID:5040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b13c3ed7-1500-4076-996b-0d500b644dc3.vbs"
        18⤵
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72e0c1a6-879c-44cb-abf6-2aa2610ee3af.vbs"
        16⤵
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8baeaa26-bb14-4171-94da-d3696b23090f.vbs"
        14⤵
        
        PID:3824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ee4bd9a-bdbe-4ec5-b530-3396d4e69ab9.vbs"
        12⤵
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffba2eb8-be25-4aab-95d6-66f7e7f3fa8c.vbs"
        10⤵
        
        PID:6128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8de8f14-ebaf-4df6-9016-0ced8c36432c.vbs"
        8⤵
        
        PID:2852
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab34cd5f-3872-4604-8daa-356a27ff875c.vbs"
        6⤵
        
        PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\apppatch\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\apppatch\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Local\History\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\History\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Local\History\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eb00f484dd8074177d1c4ad20203982ae" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links\eb00f484dd8074177d1c4ad20203982a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eb00f484dd8074177d1c4ad20203982a" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\eb00f484dd8074177d1c4ad20203982a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eb00f484dd8074177d1c4ad20203982ae" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\Links\eb00f484dd8074177d1c4ad20203982a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\aff403968f1bfcc42131676322798b50\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\aff403968f1bfcc42131676322798b50\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4492_4245689\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4492_4245689\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4492_4245689\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\it-IT\lsass.exe

Filesize
1.6MB

MD5
eb00f484dd8074177d1c4ad20203982a

SHA1
9f3ac964a1c915cf7b2954dca26acb17baa73586

SHA256
64cf79a4ca419db52372e76dea60756bd9b17e62c3c416145b37e88d1fe17def

SHA512
20664145ca390fe8bd9028e772e9263a83063ee2ff460d44fa2653f38879c00d9311ff0c7dc4a84735d952761fb1e5f9da95ec39070e459371b4675fd52a4551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\eb00f484dd8074177d1c4ad20203982a.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3bdf0f0bc4de32a6f32ecb8a32ba5df1

SHA1
900c6a905984e5e16f3efe01ce2b2cc725fc64f1

SHA256
c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e

SHA512
680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21bfc799247c23be8c83723a21d31bb5

SHA1
53b308a69a2e57ce004951c978ea8e008e29ca56

SHA256
eab1228d3d5af575fdf617768fdd5371ca706e4f48a8f9f4583b58663fbc5be3

SHA512
19e9ed32a3c302ea7d4ff23df4f6dfc7ba72775e18ce47f284db22f9059309448d77fd123984adcef11e647403a01f3cf45bd463857af77ae882be885001e746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
32b16440fab3a1055d9c22b90935bdfb

SHA1
ee350c4a65b81468487a3660dfe4f373660b9070

SHA256
ee68b728a82fefc941eba10390d9d70f5aeb442039c901eaf9a18477761cfd35

SHA512
5a1f36ab56e25548fd2875d364cfec39830e855b89628718f786bb8158147ee6fd66f2b7477d1b57b0d8cec5b8f10d173face18f4131ecec0dc67ca9ae56216c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
145039ee65251da29aa337556cab6c61

SHA1
5dce5405ea3ab3c00a5ff7044c8bb7b684f9973e

SHA256
26bbedffe13d17dc90fda8ee3423a05695ef2d9d10cad9f537334074ec105788

SHA512
d6536c7c31ce564a80c45d4acff414c5426a777ec5bbd8a9f3eb19f6a82ca25dda557f15a600df81b5b2472881d6b266cd1be93dfedcf44a244ce47904e3c46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
150616521d490e160cd33b97d678d206

SHA1
71594f5b97a4a61fe5f120eb10bcd6b73d7e6e78

SHA256
94595c05912cbb8380f7ed34499eb01fb91707a1ed1c02c02002a4361e889827

SHA512
7043dc4b336b1688205fbe762e731478ecaa0036c9f5e0434c79b8a6f8fa58b0705c8674fd6a047e6009edc52c37ce4e2ce81694e13b79a3e8183a32307f3815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89b9b22e2cb6f0b903e7f8755f49d7be

SHA1
e13b62b19dccdbacb5fec9227e34f21e34fe5cad

SHA256
17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537

SHA512
f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f0a41fc9c1123bb127e55ecc66c8f052

SHA1
57152411758fa3df2623cc8a4df6d9fea73652f8

SHA256
a4fe2be2c449e841f6a12d32114672b097fc1058b6f2971a03521220a0228745

SHA512
e3e967adac361ddcf8240cf641f3e77eacfefc61dec725b8ae12e6a94f7d2ebd937fb9eb3cd068a0b3d4306e163dc87773b322bc2dd8b7df93b8103d0e99a900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5bc7c4040866757da1b3c692f4f7f05

SHA1
03e2d99a5c342acf5c7117931f4d30a82292a866

SHA256
8e455a9363bf7700b5a9cc7c297cdd5cc18aa0d3eed5f7f2950a6904cdbb8277

SHA512
7b75dc1b7af489f718a62a9366bf4bec239806a46d2776bc1f658d858b68eefbf9fc6c04337ffba786034bd8ddd5bfdeda8f49e8d6db9a6fc121bca9504f4042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dcee2c4799aaf7d786c7a18e235934c4

SHA1
92b08222812d2c4392cd5babf316c6509a1d202c

SHA256
33fb8b90e373768d57f2726dc808e2a6319dcea75ed4be819316a4bc3c2f85c1

SHA512
05986414ab12b9b52335528dc4dc1ef6fee378afa09a2858b0ea77cb0c9aaf4339ccae272bbc760ff63d31ad27e8a8206ae0152be82015f49c177cb62b515f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
029fbf628b046653ab7ff10b31deeeb2

SHA1
93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c

SHA256
85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26

SHA512
d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1a5cd54a073fcc6f996c5bf8eae9ab4

SHA1
f51b3b1fe5ec1ace8641c99d2769a0f9f93f640f

SHA256
d0cc04ed0b546b1d7f405da38b5c1addd1fbc26591027e76b9745a9c1daf584e

SHA512
6804bc8a338f7727396b107ee58e418dae2c086aa85c8edb4d4a90f7398963dc63bab06574ed8b3c593e76d7740ecacec63d1643c6f26058a5d947caafb7673c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f82078e-bf88-4c22-b603-07bd9710f6bb.vbs

Filesize
719B

MD5
1fba6a9fc5d90b35baf8460d5f392c83

SHA1
8c02ef8ff2a6aa8b3a2fed44e392a03246382e7c

SHA256
a33b990a11b37d43d34fcea91cd0a08096fd2ff89c5a94ce686b53408bcee098

SHA512
d9d43dd81b809191f415604c3efca8d1e0e71c34358bd530dbfe53323d95c887742269285669c7ec5421f1c8f919ae84afe5dd705cd1316a76d6f5fb09be1bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\52ec3cdb-c4eb-457b-948d-9343d6b565da.vbs

Filesize
719B

MD5
c791f0c8956c81c55c8374258d0e61ee

SHA1
5c5c42cbba09c0e6e1019463aa215d509c224f98

SHA256
741fef6a00c73bc7b15070e27f84111b7f726fdba7acc353e23247e8cce2e6f9

SHA512
c966bce7d6ca71d8f3920807040f51a20d259cfa45be8ea30ec656975c3b654054ee951a8b0396bd87e017ac5c8c8d7d35142d4b2971169a3ade5d102d4e7f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\62b65c19-1c9e-4bbb-bb47-d730dea24e50.vbs

Filesize
719B

MD5
9d254db01030bf9cac3a0012657c7efe

SHA1
086b2b34baccc7a30db72edbce257632e4f9deb1

SHA256
77ef0a6da9f1793b94d5970da70b95335b76d5b3ab63e49fa50a5b0600415cf6

SHA512
a05df93dbe86516a34ba5d0fb43e5dd684fa2dcb678cdbdd8b2babe855871c4c3e3d087fdc5dfad5b4a51db533b9716e8bdc9d363c02dd5f2bdc9f516b266d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\6479e445-e585-4ccd-a398-ded05948d6c0.vbs

Filesize
719B

MD5
a25fae753fd89a35dc6875ea8d0d7928

SHA1
92e105cca14e657a4585ee545071b2a71428fd37

SHA256
1f3b4ea63d0ed9e5e51ae8ac6313d2aec39e43d42011294bee17bdd8add6be98

SHA512
05970144e81fe13b1a8343ab55deaa76496fed71176af23ea103ce4e9d59eddf51b02b1754d2023343b0f2c96763c7b6f934732f740295a486aa2bc2c34e24c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e50485d-2b28-4eb6-be11-ecaf007b0369.vbs

Filesize
719B

MD5
a2ff39d942cded11ca995e22c62f8b85

SHA1
f108976e675f1e7531d214539abc5480ecf69127

SHA256
a68c10b4d877e049072bebdead1aa14fa5291b29e7bd7b86674133d706538d29

SHA512
d2410defe18f7b4454a989c0a22e37cc5a774872e2fc28d2cae3043776a1432f61e008dacddce0e5cea8341ad4be8b39e625276b10b5f915bf0eb880a5a9fbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c6fab49-6ca1-45af-a958-cd3a5d7ffac4.vbs

Filesize
719B

MD5
fe79f486b392a6985aea457a6c4b605a

SHA1
ba823a03f1598bbf8cb9f1f30b513d00d1b82088

SHA256
ae30cb6bbd58aab3e39466ef46df5fa9d7ab0d3a6dbcebcd088483994a6e948d

SHA512
e7d26d294417e40ca81332efd78fcdf3457df171f6e58d5e3d17ea8f15b99c926a9efbbdb17cab33ac67424433c00f9ef4ead60c7ba9e7d240f31be6b8dc2540

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJHXkWh8sx.bat

Filesize
235B

MD5
67014f799e10ba157325750619cfa12d

SHA1
dc530c61df20ee98fd2e3bd0e3002ab7bdadb9a7

SHA256
0d12ca3cb3a4ed3c4c170ced5984cce1a6752419aac7a2532300c143b691c9db

SHA512
7742151c45dddf77cac9dae7b3388ca73de46c880f1cad36fd84107f4b1b332752138712b2693b89db3396cf1fb4b0d159c333238be18d2d949bc43b06655c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0csy4hu.pgr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab34cd5f-3872-4604-8daa-356a27ff875c.vbs

Filesize
495B

MD5
8e3779ea140c56efaed3a3ccb86bc87e

SHA1
15e2745ae615d86576de1a768f2d36b91272815f

SHA256
8eb88c06f02e57856b79292f0e240475d5bfcd9d88b5e8b3bf77b177c91579f3

SHA512
8fadc491f973f125391b5a9312866690af29d4682200e5a7d8f37b9d368006ed2159343aecc8b90cfaf5caed2c42ab187a329cd2d85c0987e9f82255ea4d51d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab923206-eb42-44b0-80fe-01e3ea54b66e.vbs

Filesize
719B

MD5
0ab7fa317a3464ef768a93652a8ef065

SHA1
d3c73bb29789cb48b7cef29c94db15c296c4527a

SHA256
853b5c2398ad7e9d5097a97adcb3a1df418866a15b617a2a6c28b31568f7090f

SHA512
f059e7cda26edadf24f6729520791c3887be29a0c339b0b6e3d91a2595a4356cd02b453ac0958211afdb3c973312ee231be1dfe848f6e98d4b61d2d1c037d5a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6c78069-2cde-4d10-8142-5f0a74a569d9.vbs

Filesize
719B

MD5
93b793daec0a7eb362b7ee4fd4f65bcb

SHA1
2774e3691ecd62b099fb3b1fa9f5a2a596015288

SHA256
b494cbba6e3a11c9ea7d2117050d7bc2ffc63ef6fde7c39c408ad951f3a5f159

SHA512
5f241c1b290322db85991fea0ec31704609d8b3c9a5e7bfba25202a75c6d4197defdf19c8a99aa0206cfb606c2b9f6ae95d9bfa6a0a2c43245406c185225dea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d71c78b3-a297-44d3-8332-f48366ce7312.vbs

Filesize
719B

MD5
703e85ab8e5990fe5c19c6c45054895e

SHA1
6cfd453b217b2eae2a0e340b6b6449769b04048f

SHA256
9540515523400f4c0d718a2c7e3c3882d05c322529a3f3fdac5ce82ea24f0f92

SHA512
2bdcb44a4270537b648fc4c8e2018178dc4f47521811392a01769518b25ead2552e29e0bc0d88ea389761d2cc54b4cfb3964ae1da72067efd82a0ea0a2ef39ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\f95ae8a8-7021-4619-8cf7-457929e91ee9.vbs

Filesize
719B

MD5
c6d84bb617803f1073634bfbafb1d7fe

SHA1
ba8c652a0e89d60dc12bccd17e80b51fb7c63897

SHA256
53176a5c45ad68280133d2006613e3eb77d9bbd520ed6597117e7db56f74f393

SHA512
70c0985b49a4171828e720386d91f08a7e17ee827ded53b35880b949e461f5366973062dff661301e19b6052fc0c141eea5f482978ea5ed751fce6ca67507af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wb5MF5Nv4v.bat

Filesize
208B

MD5
f40f4b2ef62fc670adfc466df0b1ed2c

SHA1
2d365fe39d704b854f1f56671a88d47ab86b312f

SHA256
c59e427f3330f93cfb08507968adc8e47fd9c9b8e3c731758e5bee3645b4ce18

SHA512
dce49dffd0fed8d47fe7a7be22957b7dcfa7d8e54cd57c9dadd2e73942dc625961d0034947441ee0a69f4117b901ed14d45cd4a2d00c6d8ea0d5a9edd8f4f0a5

Download Submit
C:\Windows\apppatch\de-DE\csrss.exe

Filesize
1.6MB

MD5
e9c3df3c53ee08dac8f0c87473fa6ff8

SHA1
3dce403f91cc7fdbab5b9841ea15ed4234bba9f7

SHA256
0864b7513fdd0c78843d83d71a76a1c4589859910af1ee073e700d8668d30006

SHA512
98fbef07ab641a0d04bc465d2c099bd6b4cdd5c2adefa54c1ec8619f4a45b7718e67a4ed85fa8542bec7f61651e81eea23084e484d8afee59ad025ea0cd75481

Download Submit
memory/948-54-0x000002298FEA0000-0x000002298FEC2000-memory.dmp

Filesize
136KB

Download
memory/5204-15-0x000000001C480000-0x000000001C488000-memory.dmp

Filesize
32KB

Download
memory/5204-1-0x0000000000F50000-0x00000000010F2000-memory.dmp

Filesize
1.6MB

Download
memory/5204-7-0x000000001C350000-0x000000001C358000-memory.dmp

Filesize
32KB

Download
memory/5204-8-0x000000001C360000-0x000000001C370000-memory.dmp

Filesize
64KB

Download
memory/5204-4-0x000000001C380000-0x000000001C3D0000-memory.dmp

Filesize
320KB

Download
memory/5204-5-0x000000001BCD0000-0x000000001BCE0000-memory.dmp

Filesize
64KB

Download
memory/5204-2-0x00007FFB1AAE0000-0x00007FFB1B5A1000-memory.dmp

Filesize
10.8MB

Download
memory/5204-3-0x000000001BCB0000-0x000000001BCCC000-memory.dmp

Filesize
112KB

Download
memory/5204-10-0x000000001C4D0000-0x000000001C4DC000-memory.dmp

Filesize
48KB

Download
memory/5204-6-0x000000001C330000-0x000000001C346000-memory.dmp

Filesize
88KB

Download
memory/5204-11-0x000000001C440000-0x000000001C44C000-memory.dmp

Filesize
48KB

Download
memory/5204-9-0x000000001C370000-0x000000001C378000-memory.dmp

Filesize
32KB

Download
memory/5204-16-0x000000001C490000-0x000000001C49A000-memory.dmp

Filesize
40KB

Download
memory/5204-0-0x00007FFB1AAE3000-0x00007FFB1AAE5000-memory.dmp

Filesize
8KB

Download
memory/5204-14-0x000000001C470000-0x000000001C478000-memory.dmp

Filesize
32KB

Download
memory/5204-84-0x00007FFB1AAE0000-0x00007FFB1B5A1000-memory.dmp

Filesize
10.8MB

Download
memory/5204-17-0x000000001C4A0000-0x000000001C4AC000-memory.dmp

Filesize
48KB

Download
memory/5204-12-0x000000001C450000-0x000000001C45A000-memory.dmp

Filesize
40KB

Download
memory/5204-13-0x000000001C460000-0x000000001C46E000-memory.dmp

Filesize
56KB

Download