dcrat | 8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
149s
max time network
160s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebe2e28a80ef59e70bca6e005782732e.exe
Size

885KB
MD5

ebe2e28a80ef59e70bca6e005782732e
SHA1

fd22205faabb86821db5c7f5d626ea8784d39731
SHA256

53b4ab4625fc60780e7ef00317080ded6f6ec02dcdbb6d681f8665918abd6b91
SHA512

6e5331f768f709e4f9b5a3a2d85d381e3c6d8b0e04fe3237bae6ade2a3ad4b4831cf93518705119226f70b735d90c44abf4c38ea2eb44d2a8d8c58b7da085aec
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2944	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2944	schtasks.exe	29

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral31/memory/2792-1-0x0000000001050000-0x0000000001134000-memory.dmp	dcrat
behavioral31/files/0x000500000001a475-21.dat	dcrat
behavioral31/memory/2388-150-0x0000000000250000-0x0000000000334000-memory.dmp	dcrat
behavioral31/files/0x000800000001a47d-208.dat	dcrat
behavioral31/files/0x000600000001c879-290.dat	dcrat
behavioral31/files/0x000700000001c856-305.dat	dcrat
behavioral31/files/0x000a00000001c85e-376.dat	dcrat
behavioral31/files/0x000500000001c908-392.dat	dcrat
behavioral31/memory/2156-408-0x00000000012C0000-0x00000000013A4000-memory.dmp	dcrat
behavioral31/memory/1220-430-0x0000000000130000-0x0000000000214000-memory.dmp	dcrat
behavioral31/memory/1704-442-0x0000000000370000-0x0000000000454000-memory.dmp	dcrat
behavioral31/memory/2844-454-0x0000000000F30000-0x0000000001014000-memory.dmp	dcrat
behavioral31/memory/3032-466-0x0000000000F50000-0x0000000001034000-memory.dmp	dcrat
behavioral31/memory/1728-478-0x0000000000090000-0x0000000000174000-memory.dmp	dcrat
behavioral31/memory/1048-490-0x0000000001370000-0x0000000001454000-memory.dmp	dcrat

Executes dropped EXE 10 IoCs

pid	Process
2156	System.exe
1260	System.exe
1220	System.exe
1704	System.exe
2844	System.exe
3032	System.exe
1728	System.exe
1048	System.exe
1056	System.exe
2856	System.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX5C18.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Google\7a0fd90576e088	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Google\RCX98EC.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Google\RCX98ED.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\69ddcba757bf72	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\wininit.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files\MSBuild\RCX966B.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX9782.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX9848.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\24dbde2999530e	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX9859.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX96AD.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\services.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX5C4A.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX96F5.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX5C07.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\24dbde2999530e	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files\MSBuild\RCX966A.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX96E0.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\services.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Google\explorer.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX96AC.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\c5b4cb5e9653cc	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX5C49.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files\MSBuild\csrss.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files\MSBuild\886983d96e3d3e	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\56085415360792	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX96DF.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe	ebe2e28a80ef59e70bca6e005782732e.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\RCX96F2.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Windows\Performance\WinSAT\DataStore\wininit.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Windows\Performance\WinSAT\DataStore\56085415360792	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Windows\Media\RCX969C.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Windows\Microsoft.NET\authman\101b941d020240	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX7586.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Windows\Microsoft.NET\authman\RCX7597.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Windows\Media\lsass.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Windows\Media\RCX969B.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Windows\Logs\DPX\RCX96E1.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX7596.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File opened for modification	C:\Windows\Microsoft.NET\authman\RCX75A8.tmp	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Windows\Logs\DPX\24dbde2999530e	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Windows\Microsoft.NET\authman\lsm.exe	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Windows\Media\6203df4a6bafc7	ebe2e28a80ef59e70bca6e005782732e.exe
File created	C:\Windows\Logs\DPX\WmiPrvSE.exe	ebe2e28a80ef59e70bca6e005782732e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2228	schtasks.exe
2180	schtasks.exe
2764	schtasks.exe
2248	schtasks.exe
976	schtasks.exe
368	schtasks.exe
1612	schtasks.exe
3032	schtasks.exe
2608	schtasks.exe
3004	schtasks.exe
1848	schtasks.exe
2284	schtasks.exe
2436	schtasks.exe
1552	schtasks.exe
1076	schtasks.exe
2584	schtasks.exe
2368	schtasks.exe
1056	schtasks.exe
2724	schtasks.exe
2116	schtasks.exe
2776	schtasks.exe
1632	schtasks.exe
2484	schtasks.exe
2752	schtasks.exe
2852	schtasks.exe
1064	schtasks.exe
2260	schtasks.exe
2592	schtasks.exe
2408	schtasks.exe
1688	schtasks.exe
2540	schtasks.exe
2240	schtasks.exe
2296	schtasks.exe
2880	schtasks.exe
1524	schtasks.exe
2192	schtasks.exe
2508	schtasks.exe
1172	schtasks.exe
2216	schtasks.exe
2820	schtasks.exe
2512	schtasks.exe
1716	schtasks.exe
2128	schtasks.exe
1724	schtasks.exe
2812	schtasks.exe
2416	schtasks.exe
1312	schtasks.exe
2204	schtasks.exe
2404	schtasks.exe
592	schtasks.exe
952	schtasks.exe
2784	schtasks.exe
2600	schtasks.exe
2224	schtasks.exe
1060	schtasks.exe
1016	schtasks.exe
1620	schtasks.exe
340	schtasks.exe
1820	schtasks.exe
1772	schtasks.exe
2360	schtasks.exe
1692	schtasks.exe
2212	schtasks.exe
1776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2792	ebe2e28a80ef59e70bca6e005782732e.exe
1148	ebe2e28a80ef59e70bca6e005782732e.exe
1148	ebe2e28a80ef59e70bca6e005782732e.exe
1148	ebe2e28a80ef59e70bca6e005782732e.exe
2388	ebe2e28a80ef59e70bca6e005782732e.exe
2388	ebe2e28a80ef59e70bca6e005782732e.exe
2388	ebe2e28a80ef59e70bca6e005782732e.exe
2388	ebe2e28a80ef59e70bca6e005782732e.exe
2388	ebe2e28a80ef59e70bca6e005782732e.exe
2156	System.exe
1260	System.exe
1220	System.exe
1704	System.exe
2844	System.exe
3032	System.exe
1728	System.exe
1048	System.exe
1056	System.exe
2856	System.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	ebe2e28a80ef59e70bca6e005782732e.exe
Token: SeDebugPrivilege	1148	ebe2e28a80ef59e70bca6e005782732e.exe
Token: SeDebugPrivilege	2388	ebe2e28a80ef59e70bca6e005782732e.exe
Token: SeDebugPrivilege	2156	System.exe
Token: SeDebugPrivilege	1260	System.exe
Token: SeDebugPrivilege	1220	System.exe
Token: SeDebugPrivilege	1704	System.exe
Token: SeDebugPrivilege	2844	System.exe
Token: SeDebugPrivilege	3032	System.exe
Token: SeDebugPrivilege	1728	System.exe
Token: SeDebugPrivilege	1048	System.exe
Token: SeDebugPrivilege	1056	System.exe
Token: SeDebugPrivilege	2856	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2004	2792	ebe2e28a80ef59e70bca6e005782732e.exe	42
PID 2792 wrote to memory of 2004	2792	ebe2e28a80ef59e70bca6e005782732e.exe	42
PID 2792 wrote to memory of 2004	2792	ebe2e28a80ef59e70bca6e005782732e.exe	42
PID 2004 wrote to memory of 1312	2004	cmd.exe	44
PID 2004 wrote to memory of 1312	2004	cmd.exe	44
PID 2004 wrote to memory of 1312	2004	cmd.exe	44
PID 2004 wrote to memory of 1148	2004	cmd.exe	45
PID 2004 wrote to memory of 1148	2004	cmd.exe	45
PID 2004 wrote to memory of 1148	2004	cmd.exe	45
PID 1148 wrote to memory of 1740	1148	ebe2e28a80ef59e70bca6e005782732e.exe	61
PID 1148 wrote to memory of 1740	1148	ebe2e28a80ef59e70bca6e005782732e.exe	61
PID 1148 wrote to memory of 1740	1148	ebe2e28a80ef59e70bca6e005782732e.exe	61
PID 1740 wrote to memory of 2276	1740	cmd.exe	63
PID 1740 wrote to memory of 2276	1740	cmd.exe	63
PID 1740 wrote to memory of 2276	1740	cmd.exe	63
PID 1740 wrote to memory of 2388	1740	cmd.exe	64
PID 1740 wrote to memory of 2388	1740	cmd.exe	64
PID 1740 wrote to memory of 2388	1740	cmd.exe	64
PID 2388 wrote to memory of 2080	2388	ebe2e28a80ef59e70bca6e005782732e.exe	122
PID 2388 wrote to memory of 2080	2388	ebe2e28a80ef59e70bca6e005782732e.exe	122
PID 2388 wrote to memory of 2080	2388	ebe2e28a80ef59e70bca6e005782732e.exe	122
PID 2080 wrote to memory of 2088	2080	cmd.exe	124
PID 2080 wrote to memory of 2088	2080	cmd.exe	124
PID 2080 wrote to memory of 2088	2080	cmd.exe	124
PID 2080 wrote to memory of 2156	2080	cmd.exe	125
PID 2080 wrote to memory of 2156	2080	cmd.exe	125
PID 2080 wrote to memory of 2156	2080	cmd.exe	125
PID 2156 wrote to memory of 1916	2156	System.exe	126
PID 2156 wrote to memory of 1916	2156	System.exe	126
PID 2156 wrote to memory of 1916	2156	System.exe	126
PID 2156 wrote to memory of 1020	2156	System.exe	127
PID 2156 wrote to memory of 1020	2156	System.exe	127
PID 2156 wrote to memory of 1020	2156	System.exe	127
PID 1916 wrote to memory of 1260	1916	WScript.exe	128
PID 1916 wrote to memory of 1260	1916	WScript.exe	128
PID 1916 wrote to memory of 1260	1916	WScript.exe	128
PID 1260 wrote to memory of 2516	1260	System.exe	129
PID 1260 wrote to memory of 2516	1260	System.exe	129
PID 1260 wrote to memory of 2516	1260	System.exe	129
PID 1260 wrote to memory of 3040	1260	System.exe	130
PID 1260 wrote to memory of 3040	1260	System.exe	130
PID 1260 wrote to memory of 3040	1260	System.exe	130
PID 2516 wrote to memory of 1220	2516	WScript.exe	131
PID 2516 wrote to memory of 1220	2516	WScript.exe	131
PID 2516 wrote to memory of 1220	2516	WScript.exe	131
PID 1220 wrote to memory of 2180	1220	System.exe	132
PID 1220 wrote to memory of 2180	1220	System.exe	132
PID 1220 wrote to memory of 2180	1220	System.exe	132
PID 1220 wrote to memory of 1736	1220	System.exe	133
PID 1220 wrote to memory of 1736	1220	System.exe	133
PID 1220 wrote to memory of 1736	1220	System.exe	133
PID 2180 wrote to memory of 1704	2180	WScript.exe	134
PID 2180 wrote to memory of 1704	2180	WScript.exe	134
PID 2180 wrote to memory of 1704	2180	WScript.exe	134
PID 1704 wrote to memory of 2032	1704	System.exe	135
PID 1704 wrote to memory of 2032	1704	System.exe	135
PID 1704 wrote to memory of 2032	1704	System.exe	135
PID 1704 wrote to memory of 2056	1704	System.exe	136
PID 1704 wrote to memory of 2056	1704	System.exe	136
PID 1704 wrote to memory of 2056	1704	System.exe	136
PID 2032 wrote to memory of 2844	2032	WScript.exe	137
PID 2032 wrote to memory of 2844	2032	WScript.exe	137
PID 2032 wrote to memory of 2844	2032	WScript.exe	137
PID 2844 wrote to memory of 2092	2844	System.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ebe2e28a80ef59e70bca6e005782732e.exe
"C:\Users\Admin\AppData\Local\Temp\ebe2e28a80ef59e70bca6e005782732e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3DwaTFc6qk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\ebe2e28a80ef59e70bca6e005782732e.exe
    "C:\Users\Admin\AppData\Local\Temp\ebe2e28a80ef59e70bca6e005782732e.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhnZNzwT1Q.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\ebe2e28a80ef59e70bca6e005782732e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ebe2e28a80ef59e70bca6e005782732e.exe"
        5⤵
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BWw2qr2Xqb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2088
        
        C:\Users\Public\Favorites\System.exe
        
        "C:\Users\Public\Favorites\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a849c088-0bac-4eb1-815c-852e2a55b6f2.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58fae609-c7b5-40db-a238-a361a0fcdcb9.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9f57c5a-ea73-4d34-8ecb-1d93c6601c4c.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\824f5186-1dcb-4d7d-a8f1-76d1fe96de7f.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f78ba8d-8b0a-4883-9824-e300fe11f4c6.vbs"
        16⤵
        
        PID:2092
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3951fc62-7878-4603-8442-290184d6e326.vbs"
        18⤵
        
        PID:1136
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4dc1594-c8c7-46c4-85bf-6d242d99ba67.vbs"
        20⤵
        
        PID:2160
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306286af-7dfd-4bf0-8966-b4e0b8975c0a.vbs"
        22⤵
        
        PID:956
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc13276c-2fa9-4aff-b859-668204c200b2.vbs"
        24⤵
        
        PID:2316
        
        C:\Users\Public\Favorites\System.exe
        
        C:\Users\Public\Favorites\System.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c191a3b2-e9f8-4034-abf3-90e274ba9f86.vbs"
        26⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7de1682c-03d7-41bf-988f-c7efad302197.vbs"
        26⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f7dee28-44bf-4a3e-b9a6-d2fa92a35da5.vbs"
        24⤵
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\653392e4-f564-44c7-8818-6853074f06e1.vbs"
        22⤵
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e66c4209-62af-40fc-aefe-64b8dbe3c072.vbs"
        20⤵
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ee87095-c1ea-4642-b2a4-d3ca6693a9d8.vbs"
        18⤵
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddc4e751-09f3-4295-a1cc-d03f8a326da1.vbs"
        16⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b49c27-5a35-43bf-a94a-aad260b68767.vbs"
        14⤵
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19b3a159-a1f1-4f03-937c-b015812af01a.vbs"
        12⤵
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\358ffbbf-85d5-4302-b02d-901d53a89568.vbs"
        10⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a4c7ef5-684f-441f-8fb4-d45d4ee1b6e4.vbs"
        8⤵
        
        PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\authman\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\authman\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Media\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DPX\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f
1⤵
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\explorer.exe'" /f
1⤵
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RCX9802.tmp

Filesize
885KB

MD5
76ba61d43309ed7854783c6526f67999

SHA1
eea48f9941d0f6209cf142bfa6996722a57d5752

SHA256
de6f546aa6b4713673b4625f74025d3ee1988ac7858f3c751cca7b10945086e3

SHA512
702e64c4754b3aa9f2558df268995be56aef141c7c98ca115954676f06c0858dd5a68c4be3dbb2efe83bc24953a9b7cc58c4f707e3afae575bff0b3fa8161d9f

Download Submit
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\wininit.exe

Filesize
885KB

MD5
f5a0da53304ac3d8929f44c62bf0c9b3

SHA1
cbe35812b2e5db50042d4c0839d5bc94c4b597c3

SHA256
b80af69528d078907fff4e8b35ad1f6c8c15c80b3423ae57084a16dafc35c6c5

SHA512
ea0a906be21415ae7e6393093bf5ecb19f385792a5728a2c4178c530d93d64aa2690550237fa92607c698b0f2c21cda0865ca54f7a30bb204092e72eab104c1f

Download Submit
C:\Program Files (x86)\Google\RCX98EC.tmp

Filesize
885KB

MD5
8766734759264588ac87321dd95b1f11

SHA1
acdf41698a75229967c6bc5c3787eac1b0abfa95

SHA256
3b951191a9c11b1bf4173514e074e55d43c010412616f8d255e8fe046e488d4e

SHA512
359b23a62d16ae1f71cf9d043c830e56474b3336b267c314c58c1b75c491e054893e05cbc756d529080264cf320d935b0352dec15c5cd61143545e8c97bc5f22

Download Submit
C:\Program Files\MSBuild\RCX966A.tmp

Filesize
885KB

MD5
0d4597b69d3b78c9301a3f059e925afe

SHA1
ec86e6b45fd2bed2c53a7b9e9fe3efb397c3af08

SHA256
fc67dd56751b6437d4a16f4dda5f5b06b156039af7bedb48377335014417a6fa

SHA512
523a670671ceaa3d4169ff406b13de7fcbf56207727a8dd8d79c0c8e68e8bbfd6f4e9d66b5a9789a4c2d0d3b3883a76b42c225ca8186f791c97efcac743c4c97

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe

Filesize
885KB

MD5
545045d038f77f7ba50f4722579c9652

SHA1
9570c249d8c16e6d6eda4db21604253881bbceb2

SHA256
2eb1192497bc9830d864fc4a998e9ff4c00fdc36262dea0d73d1fbe1d2c8ebaf

SHA512
a3c09e55821c421f517b281107da58ba64007a03802117743f8d62243384a52e456cc66785111eda190c6b37577330a740f2e1a44d1f5c2ad2a3ad56356de801

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a4c7ef5-684f-441f-8fb4-d45d4ee1b6e4.vbs

Filesize
488B

MD5
a6f816e9bb397813db46dbec845dfab6

SHA1
0faa343509d68f1b99d29af67313eac44ca12f93

SHA256
56901a5e0f9349a0cb6f7368e8ca336c952f101ac40f9f87f3729374469e4af4

SHA512
abe6b5f884c3d9861bcb69c4215929997e0b08f724688b23b3c10c18961cf9dd71c5da9fe715384af6807ed51186971f72a0e448260bdb6ded01267a4dd88831

Download Submit
C:\Users\Admin\AppData\Local\Temp\306286af-7dfd-4bf0-8966-b4e0b8975c0a.vbs

Filesize
712B

MD5
2bcd3dbe4d04d02f1167801543c0d40b

SHA1
69980f378a98734a9e99cbec60d80d414a8a8f71

SHA256
479668bd850fd5e1969c584c25c2ed33979db80086bfabdc5aa59b414d701eef

SHA512
a42dcdbf56fe2748270335fe132b8b14179c73804fa2685a2fcc64d022c58b3a8521a4a5fbb5ba285dd937549ffc4bfd8ec6c81a4464a5589b2ac0e1df180792

Download Submit
C:\Users\Admin\AppData\Local\Temp\3951fc62-7878-4603-8442-290184d6e326.vbs

Filesize
712B

MD5
05c18d831d53e63bcdd849241fad1e93

SHA1
231ccd08fa1a8d1ac52bb05c025344021700817c

SHA256
ab44fbb50b8651e9402e6e6a6965a0da7c571821d5947e448af2faab3122166b

SHA512
9f4eb04ed5efa0eb34946d5eb26faba0cdd2b0ecace292cfa9ca01d1471d5bca411554a8f77f1e6d1af9443711f1fb3a855cbb7a172f6d58cb1f96cc02c39dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DwaTFc6qk.bat

Filesize
235B

MD5
9a2651ec6b40b33313ba93b7feb9b5d1

SHA1
01762079b133ad9bc88c28ac9380ee6f341ba1f1

SHA256
83c19aa768de2f792763d3cae5325b92dabc3c52645ba0e17c4b7ea22baa2a1e

SHA512
75e61bb0a47bf9c92d2952441f1e5110252fc9957b33bf656e3accbb256d9ad8ef1fc6ae6ba68eeeda0afbcf5b0d7cd9c6d3f7e3135b8c425f461ae21da7425d

Download Submit
C:\Users\Admin\AppData\Local\Temp\58fae609-c7b5-40db-a238-a361a0fcdcb9.vbs

Filesize
712B

MD5
d8527caa853661141e730f0fbbd23f52

SHA1
67e9655f8c20df18444c4df2c96aff678822b9e9

SHA256
8b782058923d384b1927ae5f3e5e8dd62241c788371e36f83777fba644c3ff3b

SHA512
b3172838bd5c0fafa7e7144b42c2b4ba8d233b94c65ea9a94a9eca0c3c9542450dc65a29093fb6a976a538e10dba3c01aabf785c4ef81f92a12000ad9cbe04f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\824f5186-1dcb-4d7d-a8f1-76d1fe96de7f.vbs

Filesize
712B

MD5
8d2197e314fce32bc1570879aca251b1

SHA1
bc1621ddb1b40ae219ab924e20676f0f62cd2206

SHA256
813a1432e7d3125075dde14e6c69d7a43aaac4ab5822b612d7353ce0d0ffe2a7

SHA512
ff7673c727a43307e6ed445107c34acdc11c6d9c4d313df7280e5d2260d144f51714a30ec09e272b71b189e7a7268b2a3ed625864d7cc13db5285451aaed3fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f78ba8d-8b0a-4883-9824-e300fe11f4c6.vbs

Filesize
712B

MD5
4fc746deee2d59b1af8807bfd14b38ab

SHA1
a69966f05fe97292ea63d0a26611f7e6557f4759

SHA256
0493404c02cd1724b739f1d8c0d9630b3a4734eab4dd9fc451904f78f8bc0474

SHA512
18cf70e4fc08946693c5b9ad210c7e7f9e37a1362acdf9c785f3612ef528f71e7a59ba76331b5810fcca5bdc74b4e4165f90685dfa980ca2194105857bd22247

Download Submit
C:\Users\Admin\AppData\Local\Temp\BWw2qr2Xqb.bat

Filesize
201B

MD5
af5a3fa83254d17e90ad8827ab8c0253

SHA1
de64422d81b36398ce24a743c389ca691f02dc7a

SHA256
5a5b777d2478022c9b9a366830cadd71d58edd151def760039df848d3134130f

SHA512
3fa83c4d8bf79f20b0cbbacf443e9e1aa245754be3632da11598f8bc8ae5915fbf363eb1a454143354e63976e3f4db50eabf78101f6e946aa9727458ce03acb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX5BF6.tmp

Filesize
885KB

MD5
ebe2e28a80ef59e70bca6e005782732e

SHA1
fd22205faabb86821db5c7f5d626ea8784d39731

SHA256
53b4ab4625fc60780e7ef00317080ded6f6ec02dcdbb6d681f8665918abd6b91

SHA512
6e5331f768f709e4f9b5a3a2d85d381e3c6d8b0e04fe3237bae6ade2a3ad4b4831cf93518705119226f70b735d90c44abf4c38ea2eb44d2a8d8c58b7da085aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\a849c088-0bac-4eb1-815c-852e2a55b6f2.vbs

Filesize
712B

MD5
caef0fbe00e155edbdd22e9c2217fbbc

SHA1
549aa44085773d17a22215e0f790c6ffc19a9b9b

SHA256
84f067622de9662a37a84d467834c36127e37b07e74c0c04fb78cc7ab3244881

SHA512
c0ec957daef86c09a2bd081804ccb58d505f351e1df9aae6d5866b9be45e2f1b03f90ecd15d0a8d51b1a1ecbe1363dd2f47e20bcf0126914be916e446a065a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4dc1594-c8c7-46c4-85bf-6d242d99ba67.vbs

Filesize
712B

MD5
4cc6433d29cf0de4368d67af8f3dc283

SHA1
302a8e3145a7d60246241e0c93a8abc21c5fec0c

SHA256
a799cede6fae7bec201538e7d226162484039346210c25247efd8f820fadb222

SHA512
de4707e97e67dc3f05912dd94350986a2a031830cfafa030b3fa232f10072877b068db1cb1499698d901d3de36c3124531f2add596a66e8b5cf3c11d23f16c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9f57c5a-ea73-4d34-8ecb-1d93c6601c4c.vbs

Filesize
712B

MD5
77e0f87487797b996d3d5bf698d500d4

SHA1
a4af4d1108e762a66a3f9afe49d2deed28248c12

SHA256
9a790e6a98672732c6c917c74a7cc386b9a5f1388e87f151c65e835e8f3a976a

SHA512
77c19a24f1d50d5c83d2b7894590a7cf7144e0e822e2e7b4e9aac06be549adaeb9ff7f03f2cd735364563f282bf927d649b9ca632e8f5271c71db306ec1c2d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\c191a3b2-e9f8-4034-abf3-90e274ba9f86.vbs

Filesize
712B

MD5
8b087d0f1c9003b98f3d0ec3b85afaeb

SHA1
1c8f2759f78882b63d2246fe8cb66dcf803832e9

SHA256
cfe6e7c38571701b8660b39adf9cba0c364275867b083a499f814921228b950a

SHA512
94e8f384b28516c996f00bfef6b12ed392a0387a0f591b436a5a9142c5efe57cd16514a060746e29dc7ba22f3f98ce0c842d6e1595a6d5ccddf5754b95fd4a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc13276c-2fa9-4aff-b859-668204c200b2.vbs

Filesize
712B

MD5
29bae484ab3798e689798e92438dbca7

SHA1
0064a0736f478afe9f45c7d4aabc3f91fb2e082c

SHA256
cce7a30437fc4a23769abbd52f364060e67010db467d5073487f4d31f51df6bd

SHA512
f9582caeb78da090dbdca5c58b4d3c09a53e08cddfb52618f7b5ccf60b3fbcf40b3e38d49a5072cbe1365a5f74b08c31c080f36f33debcf69e2c4d88f6a78ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhnZNzwT1Q.bat

Filesize
235B

MD5
5d1c85ab9466559b49a176cf6ebd3b5e

SHA1
95343a0f940a6f78321806cbbcbba480ee470be2

SHA256
ab5e836ff745fa4717c67284c411fbfa6521d3622c39778dbc27a3d746332537

SHA512
3d17aeadc26faf8a46b2baaeefd16a1d8a228928b6cf095a70df3db51852d3e5cdb246e5dc456fe0b9a7f97d73f601fa82364e0b8b93db903e4b2d487e2d6af2

Download Submit
memory/1048-490-0x0000000001370000-0x0000000001454000-memory.dmp

Filesize
912KB

Download
memory/1220-430-0x0000000000130000-0x0000000000214000-memory.dmp

Filesize
912KB

Download
memory/1704-442-0x0000000000370000-0x0000000000454000-memory.dmp

Filesize
912KB

Download
memory/1728-478-0x0000000000090000-0x0000000000174000-memory.dmp

Filesize
912KB

Download
memory/2156-408-0x00000000012C0000-0x00000000013A4000-memory.dmp

Filesize
912KB

Download
memory/2388-150-0x0000000000250000-0x0000000000334000-memory.dmp

Filesize
912KB

Download
memory/2792-4-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2792-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/2792-8-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2792-7-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/2792-6-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/2792-9-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/2792-5-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/2792-73-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-3-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/2792-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-1-0x0000000001050000-0x0000000001134000-memory.dmp

Filesize
912KB

Download
memory/2844-454-0x0000000000F30000-0x0000000001014000-memory.dmp

Filesize
912KB

Download
memory/3032-466-0x0000000000F50000-0x0000000001034000-memory.dmp

Filesize
912KB

Download