dcrat | 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09b5a73b30c3c0c56d3b973a837a6284.exe
Size

885KB
MD5

09b5a73b30c3c0c56d3b973a837a6284
SHA1

2684da78d21f04c153436304950448a41e989f69
SHA256

0993169c4eec852201fcf3719983b5a00a356111c2ad86b89b293ef157a2e712
SHA512

49ecb467a265f962e9634e3cad074e95534e8389673c9dd70cbe738677b9770878c088273d22cc4303b4a54b8f4acf876b504d4e0ce1b09b8b7a8ab12a639dc3
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2320	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2320	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2268-1-0x00000000012A0000-0x0000000001384000-memory.dmp	dcrat
behavioral11/files/0x0005000000019609-18.dat	dcrat
behavioral11/files/0x000700000001a518-332.dat	dcrat
behavioral11/memory/1648-424-0x0000000001180000-0x0000000001264000-memory.dmp	dcrat
behavioral11/memory/2756-435-0x00000000001B0000-0x0000000000294000-memory.dmp	dcrat
behavioral11/memory/2916-447-0x00000000008F0000-0x00000000009D4000-memory.dmp	dcrat
behavioral11/memory/2104-459-0x0000000000BB0000-0x0000000000C94000-memory.dmp	dcrat
behavioral11/memory/1380-504-0x0000000000F50000-0x0000000001034000-memory.dmp	dcrat
behavioral11/memory/1976-538-0x0000000000080000-0x0000000000164000-memory.dmp	dcrat
behavioral11/memory/3060-550-0x00000000003B0000-0x0000000000494000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
1648	wininit.exe
2756	wininit.exe
2916	wininit.exe
2104	wininit.exe
2936	wininit.exe
1108	wininit.exe
2708	wininit.exe
1380	wininit.exe
1588	wininit.exe
1860	wininit.exe
1976	wininit.exe
3060	wininit.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\1610b97d3ab4a7	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCXAD17.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXAD7B.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\taskhost.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC5ED.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXAD6A.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\Windows Defender\en-US\explorer.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCXC5C5.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\RCXC5DA.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXAD04.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\101b941d020240	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\Windows Media Player\es-ES\69ddcba757bf72	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCXAD18.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCXAD66.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\Common Files\System\es-ES\wininit.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCXC5D6.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\de-DE\RCXC5D9.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC5EC.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCXAD65.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXAD69.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\Windows Defender\en-US\7a0fd90576e088	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RCXC645.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\lsm.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\7-Zip\Lang\OSPPSVC.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\b75386f1303e64	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RCXC644.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\lsm.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\886983d96e3d3e	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\Windows Media Player\es-ES\smss.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXAD03.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\7-Zip\Lang\1610b97d3ab4a7	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXAD7C.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Program Files\Common Files\System\es-ES\56085415360792	09b5a73b30c3c0c56d3b973a837a6284.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\6ccacd8608530f	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Windows\Tasks\WmiPrvSE.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Windows\Tasks\24dbde2999530e	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Windows\Media\f3b6ecef712a24	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Windows\tracing\WmiPrvSE.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Windows\tracing\24dbde2999530e	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Windows\tracing\RCXC5FE.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Windows\Tasks\RCXC600.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Windows\Tasks\RCXC601.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Windows\Vss\Writers\Application\Idle.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXAD05.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Windows\Boot\Fonts\WmiPrvSE.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Windows\tracing\RCXC5FF.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File created	C:\Windows\Media\spoolsv.exe	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXAD16.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Windows\Media\RCXAD2D.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe
File opened for modification	C:\Windows\Media\RCXAD3D.tmp	09b5a73b30c3c0c56d3b973a837a6284.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2864	schtasks.exe
1396	schtasks.exe
2204	schtasks.exe
1508	schtasks.exe
2652	schtasks.exe
2280	schtasks.exe
592	schtasks.exe
1004	schtasks.exe
1272	schtasks.exe
2380	schtasks.exe
692	schtasks.exe
3036	schtasks.exe
2808	schtasks.exe
320	schtasks.exe
468	schtasks.exe
2884	schtasks.exe
1380	schtasks.exe
2300	schtasks.exe
1652	schtasks.exe
2012	schtasks.exe
612	schtasks.exe
2376	schtasks.exe
1188	schtasks.exe
284	schtasks.exe
2648	schtasks.exe
2920	schtasks.exe
1848	schtasks.exe
2132	schtasks.exe
3064	schtasks.exe
2544	schtasks.exe
468	schtasks.exe
2736	schtasks.exe
1520	schtasks.exe
800	schtasks.exe
2780	schtasks.exe
2664	schtasks.exe
1992	schtasks.exe
1596	schtasks.exe
2760	schtasks.exe
2748	schtasks.exe
1560	schtasks.exe
1616	schtasks.exe
1660	schtasks.exe
976	schtasks.exe
2284	schtasks.exe
1588	schtasks.exe
2524	schtasks.exe
1260	schtasks.exe
1956	schtasks.exe
2648	schtasks.exe
1108	schtasks.exe
2632	schtasks.exe
2620	schtasks.exe
2680	schtasks.exe
1388	schtasks.exe
824	schtasks.exe
2412	schtasks.exe
1828	schtasks.exe
2872	schtasks.exe
2644	schtasks.exe
2096	schtasks.exe
1684	schtasks.exe
2900	schtasks.exe
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2268	09b5a73b30c3c0c56d3b973a837a6284.exe
2268	09b5a73b30c3c0c56d3b973a837a6284.exe
2268	09b5a73b30c3c0c56d3b973a837a6284.exe
2268	09b5a73b30c3c0c56d3b973a837a6284.exe
2268	09b5a73b30c3c0c56d3b973a837a6284.exe
3048	09b5a73b30c3c0c56d3b973a837a6284.exe
1648	wininit.exe
2756	wininit.exe
2916	wininit.exe
2104	wininit.exe
2936	wininit.exe
1108	wininit.exe
2708	wininit.exe
1380	wininit.exe
1588	wininit.exe
1860	wininit.exe
1976	wininit.exe
3060	wininit.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	09b5a73b30c3c0c56d3b973a837a6284.exe
Token: SeDebugPrivilege	3048	09b5a73b30c3c0c56d3b973a837a6284.exe
Token: SeDebugPrivilege	1648	wininit.exe
Token: SeDebugPrivilege	2756	wininit.exe
Token: SeDebugPrivilege	2916	wininit.exe
Token: SeDebugPrivilege	2104	wininit.exe
Token: SeDebugPrivilege	2936	wininit.exe
Token: SeDebugPrivilege	1108	wininit.exe
Token: SeDebugPrivilege	2708	wininit.exe
Token: SeDebugPrivilege	1380	wininit.exe
Token: SeDebugPrivilege	1588	wininit.exe
Token: SeDebugPrivilege	1860	wininit.exe
Token: SeDebugPrivilege	1976	wininit.exe
Token: SeDebugPrivilege	3060	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1388	2268	09b5a73b30c3c0c56d3b973a837a6284.exe	82
PID 2268 wrote to memory of 1388	2268	09b5a73b30c3c0c56d3b973a837a6284.exe	82
PID 2268 wrote to memory of 1388	2268	09b5a73b30c3c0c56d3b973a837a6284.exe	82
PID 1388 wrote to memory of 1168	1388	cmd.exe	84
PID 1388 wrote to memory of 1168	1388	cmd.exe	84
PID 1388 wrote to memory of 1168	1388	cmd.exe	84
PID 1388 wrote to memory of 3048	1388	cmd.exe	85
PID 1388 wrote to memory of 3048	1388	cmd.exe	85
PID 1388 wrote to memory of 3048	1388	cmd.exe	85
PID 3048 wrote to memory of 572	3048	09b5a73b30c3c0c56d3b973a837a6284.exe	125
PID 3048 wrote to memory of 572	3048	09b5a73b30c3c0c56d3b973a837a6284.exe	125
PID 3048 wrote to memory of 572	3048	09b5a73b30c3c0c56d3b973a837a6284.exe	125
PID 572 wrote to memory of 2920	572	cmd.exe	127
PID 572 wrote to memory of 2920	572	cmd.exe	127
PID 572 wrote to memory of 2920	572	cmd.exe	127
PID 572 wrote to memory of 1648	572	cmd.exe	129
PID 572 wrote to memory of 1648	572	cmd.exe	129
PID 572 wrote to memory of 1648	572	cmd.exe	129
PID 1648 wrote to memory of 1412	1648	wininit.exe	130
PID 1648 wrote to memory of 1412	1648	wininit.exe	130
PID 1648 wrote to memory of 1412	1648	wininit.exe	130
PID 1648 wrote to memory of 268	1648	wininit.exe	131
PID 1648 wrote to memory of 268	1648	wininit.exe	131
PID 1648 wrote to memory of 268	1648	wininit.exe	131
PID 1412 wrote to memory of 2756	1412	WScript.exe	132
PID 1412 wrote to memory of 2756	1412	WScript.exe	132
PID 1412 wrote to memory of 2756	1412	WScript.exe	132
PID 2756 wrote to memory of 1908	2756	wininit.exe	133
PID 2756 wrote to memory of 1908	2756	wininit.exe	133
PID 2756 wrote to memory of 1908	2756	wininit.exe	133
PID 2756 wrote to memory of 1184	2756	wininit.exe	134
PID 2756 wrote to memory of 1184	2756	wininit.exe	134
PID 2756 wrote to memory of 1184	2756	wininit.exe	134
PID 1908 wrote to memory of 2916	1908	WScript.exe	135
PID 1908 wrote to memory of 2916	1908	WScript.exe	135
PID 1908 wrote to memory of 2916	1908	WScript.exe	135
PID 2916 wrote to memory of 3064	2916	wininit.exe	136
PID 2916 wrote to memory of 3064	2916	wininit.exe	136
PID 2916 wrote to memory of 3064	2916	wininit.exe	136
PID 2916 wrote to memory of 1552	2916	wininit.exe	137
PID 2916 wrote to memory of 1552	2916	wininit.exe	137
PID 2916 wrote to memory of 1552	2916	wininit.exe	137
PID 3064 wrote to memory of 2104	3064	WScript.exe	138
PID 3064 wrote to memory of 2104	3064	WScript.exe	138
PID 3064 wrote to memory of 2104	3064	WScript.exe	138
PID 2104 wrote to memory of 1548	2104	wininit.exe	139
PID 2104 wrote to memory of 1548	2104	wininit.exe	139
PID 2104 wrote to memory of 1548	2104	wininit.exe	139
PID 2104 wrote to memory of 936	2104	wininit.exe	140
PID 2104 wrote to memory of 936	2104	wininit.exe	140
PID 2104 wrote to memory of 936	2104	wininit.exe	140
PID 1548 wrote to memory of 2936	1548	WScript.exe	141
PID 1548 wrote to memory of 2936	1548	WScript.exe	141
PID 1548 wrote to memory of 2936	1548	WScript.exe	141
PID 2936 wrote to memory of 2508	2936	wininit.exe	142
PID 2936 wrote to memory of 2508	2936	wininit.exe	142
PID 2936 wrote to memory of 2508	2936	wininit.exe	142
PID 2936 wrote to memory of 348	2936	wininit.exe	143
PID 2936 wrote to memory of 348	2936	wininit.exe	143
PID 2936 wrote to memory of 348	2936	wininit.exe	143
PID 2508 wrote to memory of 1108	2508	WScript.exe	144
PID 2508 wrote to memory of 1108	2508	WScript.exe	144
PID 2508 wrote to memory of 1108	2508	WScript.exe	144
PID 1108 wrote to memory of 2664	1108	wininit.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\09b5a73b30c3c0c56d3b973a837a6284.exe
"C:\Users\Admin\AppData\Local\Temp\09b5a73b30c3c0c56d3b973a837a6284.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jwGStwjEmF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1168
- - C:\Users\Admin\AppData\Local\Temp\09b5a73b30c3c0c56d3b973a837a6284.exe
    "C:\Users\Admin\AppData\Local\Temp\09b5a73b30c3c0c56d3b973a837a6284.exe"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GCz4Ehy5lY.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2920
    - - C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ba96ec3-ebee-4f0f-ba20-8045a5167945.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a50077-1b43-4b01-a4b3-3cf373e66694.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d28eaff8-caf9-4aa4-8ced-235957b92ee7.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b153b691-26c6-404a-91a7-a50541c27cd1.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb990bb3-bb9f-4565-8a00-4a88d8955cf9.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31839094-e6d4-430a-adef-15eb53a35ddc.vbs"
        16⤵
        
        PID:2664
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd2b910b-684c-4915-9a40-34add5214846.vbs"
        18⤵
        
        PID:1584
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\089223f0-fb58-4d39-8c65-1a2dc6a6e0dc.vbs"
        20⤵
        
        PID:1272
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\046875e3-5ebf-4084-9df2-436377393fc7.vbs"
        22⤵
        
        PID:776
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a5b7345-e8d5-44b3-9c0e-e5bf2d314175.vbs"
        24⤵
        
        PID:2200
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e0cd9ee-00a7-432a-94d5-d67cce1277d6.vbs"
        26⤵
        
        PID:2428
        
        C:\Program Files\Common Files\System\es-ES\wininit.exe
        
        "C:\Program Files\Common Files\System\es-ES\wininit.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0117ecf6-d264-4491-8b03-76380775df42.vbs"
        28⤵
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b97cd90f-0eab-43e6-ba16-c23540d11196.vbs"
        28⤵
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e58f903-12df-4270-978f-d8ca08beb9c3.vbs"
        26⤵
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e7cd52d-b6a3-4478-9fe8-254c2334c6f0.vbs"
        24⤵
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b0ddde9-9577-44b5-92b6-ae1b44c6468b.vbs"
        22⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\220c87b1-55e2-41b7-8449-9cf530837d17.vbs"
        20⤵
        
        PID:1168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77cbbe0b-1c6f-46d3-a222-ae78b4246032.vbs"
        18⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e3d5a2e-596e-4e4e-8c5f-2c89134807aa.vbs"
        16⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36d67c1e-8c10-4d8e-b57a-f14bff5c27db.vbs"
        14⤵
        
        PID:348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da40bad0-3ca7-45ee-b847-f252a5c7ae1e.vbs"
        12⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9da8f96d-4b43-435c-a3cc-4f5c261d353f.vbs"
        10⤵
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d737e0ef-101e-4d01-86c9-516ad1714a80.vbs"
        8⤵
        
        PID:1184
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\baacd8b3-9158-41d3-a2ad-20ee277bad86.vbs"
        6⤵
        
        PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\Application\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Media\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "09b5a73b30c3c0c56d3b973a837a62840" /sc MINUTE /mo 11 /tr "'C:\Users\Default\09b5a73b30c3c0c56d3b973a837a6284.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "09b5a73b30c3c0c56d3b973a837a6284" /sc ONLOGON /tr "'C:\Users\Default\09b5a73b30c3c0c56d3b973a837a6284.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "09b5a73b30c3c0c56d3b973a837a62840" /sc MINUTE /mo 6 /tr "'C:\Users\Default\09b5a73b30c3c0c56d3b973a837a6284.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /f
1⤵
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\tracing\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Tasks\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\NetHood\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\System\es-ES\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\System\es-ES\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /f
1⤵
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
1⤵
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Updater6\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\smss.exe

Filesize
885KB

MD5
09b5a73b30c3c0c56d3b973a837a6284

SHA1
2684da78d21f04c153436304950448a41e989f69

SHA256
0993169c4eec852201fcf3719983b5a00a356111c2ad86b89b293ef157a2e712

SHA512
49ecb467a265f962e9634e3cad074e95534e8389673c9dd70cbe738677b9770878c088273d22cc4303b4a54b8f4acf876b504d4e0ce1b09b8b7a8ab12a639dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0117ecf6-d264-4491-8b03-76380775df42.vbs

Filesize
730B

MD5
7bc34bb907c3c943692dda1863199c00

SHA1
6d8979343180e0341be2e5200887f177aab72ca4

SHA256
29fbc5c988b434654cdfb9ca458a74e6e84cd63572ac15de7c913b3d06ec6a48

SHA512
846171c0022e1f7e4f3293e55ebbcf96e740be909309fd9ac65e8ae44271994390a0f77a0d7292a2a57904c5b165da10c2d08ec269e9b7ce91205bc9a0b58ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\046875e3-5ebf-4084-9df2-436377393fc7.vbs

Filesize
730B

MD5
bb6ad39dc39920ef15889dfa4f058bae

SHA1
71415c48ec3c5a3d5a9a5451db0fde732a410672

SHA256
ddad2e489f593f05eb32458931b1400d00cca4ae4ee8de58773b8ee85b8cd8bb

SHA512
c66eacfa009a6800e2761bd020fd9c73692eab2e6056eb43bff33c23c2cf71208b21d36cc66c763c3c7fb9928f61354e34f866ea8ba545eca678d7ace03d16cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\089223f0-fb58-4d39-8c65-1a2dc6a6e0dc.vbs

Filesize
730B

MD5
c60ffe2f3e3a9b9c084cd0d30f824346

SHA1
b9b959a43270fafd3b44bf59c7a58cc155b067a1

SHA256
5073cc941c73e118e2e2af86c3fdce33b39d5602f8e0a0b988100f73c42ed47f

SHA512
5cf0092479a9343d3b7c2406e70c03f8d4de587e94f60f2ff804c58f65f4d80c7b7ce359f654c1e0c6aac543a8e8ece33decc01d7ab79ad2b17f7cfd04978009

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839094-e6d4-430a-adef-15eb53a35ddc.vbs

Filesize
730B

MD5
08d3595eec129a6739b36b1ea4f4a303

SHA1
bd2844bb81131f8def4d679e540cce9509d44998

SHA256
0f8910d833c744ec71692e2bc72d919a4571cad9763723c963f023fd14a031fa

SHA512
fff5b127f3989c325b293fa954abd13746806427e43732a1db490b014815b781c0df829bf3ec7f1f09e3e37750815702221ccb22448110f032f1eeaee4f86c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e0cd9ee-00a7-432a-94d5-d67cce1277d6.vbs

Filesize
730B

MD5
307122fce98038463af374698b7ea202

SHA1
71ae958eb4625138872c190ca32ad6a65e988b55

SHA256
80446d4ffd9a58bbbc681e270afeafaad1a5532c768c4a96a412005d7f1259b6

SHA512
5348f02de4b220215d607f31daacc6b785b2d9d22a9165c4ce73760b61290e8021cbf927b496c45f755246c00617edfd22802a1fdee3d563f3f83ab46d4d9cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\68a50077-1b43-4b01-a4b3-3cf373e66694.vbs

Filesize
730B

MD5
44759c3cb27c3a64e446f19803bab93c

SHA1
bff96f8ecb712f5be5e5bebd23d123e4d2b91956

SHA256
45fefef316ae7e4dcb96e5d02f82859f4d72fe7d37e607a2ea3b3a48f48150c0

SHA512
0b8b7ce92190e4cdddb0c78993849b2765d0c90863a70adde21a7a1d50bc433dd7cc12b27130df8564d1c81b14b02b7417d77cb135212df8ce1e907768e4533a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ba96ec3-ebee-4f0f-ba20-8045a5167945.vbs

Filesize
730B

MD5
2778ee90af035d3f522a7b4a192174d8

SHA1
c10ce3f7047f91de46690b25383246ea35849678

SHA256
f01c9e4084ac5cf42e05296b1666e9ca815dd2e82cb6ca8184ca23a766e2c9a7

SHA512
c07d70686007291209fb7eb3f403e2915b7b9dfe5d38c342e0ca3c91171bd26e870d295b916697077357d2ef481dfd55557f55619425e8c40cd90d53bf1091a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a5b7345-e8d5-44b3-9c0e-e5bf2d314175.vbs

Filesize
730B

MD5
d8dce142800f29db64ae67f0e50bcd1a

SHA1
dda85aa67ec7ecd7e22d9d6bb896f18944995361

SHA256
bbaa7ca4b0247a32145a56b1aa724a936966ce5364aa7a633c377ee87d5e38a8

SHA512
93083474305b29669f5ee4980ba093c2f9aa28420b26bfbf68179e668501ea9d5bc8acc842782595788eb557037a420f3c4f7ccee8ff6b68f29804047afe7330

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCz4Ehy5lY.bat

Filesize
219B

MD5
c91c3cc4ad85d7e9802ee1ae8b51e01d

SHA1
6f55220baab978e9f9578889ab9e4fc1a98e44f0

SHA256
febe98f47cf6cd0ab5dee0749b085b54cecf78833a9d023e2a03c7826b102468

SHA512
f36383de6c0cc750ad196276a21aced30a1873d2b0dc27c369cd7e9178567ad15d4ae9c240c942b19c5268f4c7d6889f8ade6951d71366570d75ac6f40285417

Download Submit
C:\Users\Admin\AppData\Local\Temp\b153b691-26c6-404a-91a7-a50541c27cd1.vbs

Filesize
730B

MD5
79922b0b1b2087c55f9a17290d7e3c16

SHA1
eb07e3a3758c1925aa5157d9e8be33e652c61b9a

SHA256
207d2ddce649f689c6729e948f4a32d9818ad8d51a5f0aa7597d1de7799abda7

SHA512
1d82196db195c8365ac6ccce4c4a3be9774d2a74a671a791c67f14123290b60f322f4037daa825b1b4a2a4bfcbd7a3ae0b59da0e6e50f30bc1323baf0377e997

Download Submit
C:\Users\Admin\AppData\Local\Temp\baacd8b3-9158-41d3-a2ad-20ee277bad86.vbs

Filesize
506B

MD5
75b5a5284eae1bebed36650dbd0b998b

SHA1
f4e6a34998438bcf4ab964f0fcffc756b926e9b6

SHA256
112a6dc4563c3ee997c2999438784852e30debe1dbda4a8624411672a7c662db

SHA512
eb8925c31b1ade18a25af30228a9b9af1a26d246ea9878da8e548c0e53b571bdcaefdc68693860415a00124cffefc437796de4af283168ab31e570e1221f17ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb990bb3-bb9f-4565-8a00-4a88d8955cf9.vbs

Filesize
730B

MD5
ed11e53f1a95d897746238177df0e16f

SHA1
1914667c8e30d82f6eaff7d3b41bcd153d1d5edc

SHA256
204857999834a9f1b6e95699406f39c7e161547d7fbb187dd70510edd7e22f4a

SHA512
bbb08d05b39276f0e6f0b77cde66b183208dcb97fd222c1efc181ed4c9590c018de63711ffaac32ea69aa2de2e5704f5f6aedb75830ea3290ef5a52a4a59f5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd2b910b-684c-4915-9a40-34add5214846.vbs

Filesize
730B

MD5
0553ab6f3393794935f1f207219c095c

SHA1
38281c96512fbfc010ab102f0bf9d9f9354b2cda

SHA256
a2264453ef58123f2da4ad20c79aec23809ffd4fc9ef184ccbc3066a903cd7db

SHA512
ba78d4394e3991956d160bbf23bc75e7a5cbe50ca699e4de6d8a68fd299fbead0b9fe246c334a0e8fb0601281344b408c3b3656d581cf17edfe8187743eccf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\d28eaff8-caf9-4aa4-8ced-235957b92ee7.vbs

Filesize
730B

MD5
466485f338bfdfc79710cf321ab73717

SHA1
3792e2bf9c211ce43f97863bc5d120ac48d6ca23

SHA256
d6bc85a9ddfc432f3dca6a481653b7f438610075d7d00f1b307d7ae7a5884b1b

SHA512
82fd2a9a9d02d6e4d29af648b9698a01a0cf647bc0829e921a5c6b081e13912edc95802d51169b4c75cb42d7df8fa8f8144d8537c98bb7ae2be44dff666aec32

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwGStwjEmF.bat

Filesize
235B

MD5
250bf7430ce279b0b5e5935d05e451e5

SHA1
229d414e2954faa91168d5dbc798735251f34dfe

SHA256
29fecc970b8047b67435a761b9b6c02467ba5989841e0fbbd8aff28965f769c2

SHA512
444b280a818d4ab65ee25335c91476a13e9d8ded8c9369bcfb9caf7186cf0a2fee81e51ed0624bd2b77332a02c956725f3af711f6b6ecf6b826db9a8561bfac0

Download Submit
C:\Users\Public\Recorded TV\Sample Media\RCXC5DB.tmp

Filesize
885KB

MD5
4418b5e95d52bd96491e62e656e8009e

SHA1
22c95361d5fd9c9ac2b02c67518613fec5af6508

SHA256
342da454828302aea29c676a27c9a060caf184af3c7ae37114fd805f40d0b063

SHA512
f81abbb9da2442c9ab8b7ca6cce606d1f0852e80be1ff0828c938abb2a8af29b77fbc853e6a788de63eac3a0915ec9f22225156892cf468f1eb4a5d5313defb3

Download Submit
memory/1380-504-0x0000000000F50000-0x0000000001034000-memory.dmp

Filesize
912KB

Download
memory/1648-424-0x0000000001180000-0x0000000001264000-memory.dmp

Filesize
912KB

Download
memory/1976-538-0x0000000000080000-0x0000000000164000-memory.dmp

Filesize
912KB

Download
memory/2104-459-0x0000000000BB0000-0x0000000000C94000-memory.dmp

Filesize
912KB

Download
memory/2268-5-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/2268-9-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2268-6-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/2268-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2268-7-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2268-8-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2268-1-0x00000000012A0000-0x0000000001384000-memory.dmp

Filesize
912KB

Download
memory/2268-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2268-4-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/2268-3-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/2268-241-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-435-0x00000000001B0000-0x0000000000294000-memory.dmp

Filesize
912KB

Download
memory/2916-447-0x00000000008F0000-0x00000000009D4000-memory.dmp

Filesize
912KB

Download
memory/3060-550-0x00000000003B0000-0x0000000000494000-memory.dmp

Filesize
912KB

Download