dcrat | 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7efdf437b268455f4d328ffb164701.exe
Size

1.6MB
MD5

0a7efdf437b268455f4d328ffb164701
SHA1

c8004052c57affe1a1dcd8a4c85d1df28f980fc9
SHA256

4fbccd0e2aec34305c845e4f50ff90aeef7701d2e94e866ba47f9e4b0beb2b92
SHA512

2fe6c1531ac2fe4ef6a128b132dad6bca73db277d884924433e814e2b7b89757ef7fc9b6d127fdf29b4776f8b3c5ea80d5593d3476db3116efcfc0b778d23720
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2924	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2924	schtasks.exe	30

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/2112-1-0x0000000000E70000-0x0000000001012000-memory.dmp	dcrat
behavioral25/files/0x000500000001a4b9-25.dat	dcrat
behavioral25/files/0x000600000001c8c4-74.dat	dcrat
behavioral25/files/0x000900000001a48d-97.dat	dcrat
behavioral25/files/0x000a00000001a4af-131.dat	dcrat
behavioral25/files/0x000700000001a4bd-142.dat	dcrat
behavioral25/files/0x000600000001a4cb-164.dat	dcrat
behavioral25/files/0x000800000001a4d5-187.dat	dcrat
behavioral25/files/0x000800000001a4de-199.dat	dcrat
behavioral25/memory/2116-244-0x0000000000A20000-0x0000000000BC2000-memory.dmp	dcrat
behavioral25/memory/2704-333-0x0000000000B70000-0x0000000000D12000-memory.dmp	dcrat
behavioral25/memory/636-345-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat
behavioral25/memory/2780-357-0x0000000000B10000-0x0000000000CB2000-memory.dmp	dcrat
behavioral25/memory/2100-369-0x0000000000CC0000-0x0000000000E62000-memory.dmp	dcrat
behavioral25/memory/2996-381-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
2312	powershell.exe
2256	powershell.exe
2020	powershell.exe
1156	powershell.exe
800	powershell.exe
2500	powershell.exe
2452	powershell.exe
1524	powershell.exe
1612	powershell.exe
1376	powershell.exe
1432	powershell.exe
2936	powershell.exe
2524	powershell.exe
1188	powershell.exe
956	powershell.exe
1632	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2116	winlogon.exe
2704	winlogon.exe
636	winlogon.exe
2780	winlogon.exe
2100	winlogon.exe
2996	winlogon.exe
1644	winlogon.exe
1284	winlogon.exe
3052	winlogon.exe
2084	winlogon.exe
1888	winlogon.exe
1828	winlogon.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXBD4C.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\wininit.exe	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCXCFE1.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXD264.tmp	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXCD70.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\csrss.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\f3b6ecef712a24	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files\DVD Maker\de-DE\csrss.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files\DVD Maker\de-DE\886983d96e3d3e	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXC1D2.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXCD6F.tmp	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\69ddcba757bf72	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXBCDD.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXC164.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCXD04F.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXD263.tmp	0a7efdf437b268455f4d328ffb164701.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\taskhost.exe	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Windows\inf\RemoteAccess\RCXDB51.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Windows\inf\RemoteAccess\dwm.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\27d1bcfc3c54e0	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Windows\Speech\Engines\SR\es-ES\wininit.exe	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Windows\inf\RemoteAccess\6cb0b6c459d5d3	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXBAD9.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXBADA.tmp	0a7efdf437b268455f4d328ffb164701.exe
File opened for modification	C:\Windows\inf\RemoteAccess\RCXDB50.tmp	0a7efdf437b268455f4d328ffb164701.exe
File created	C:\Windows\inf\RemoteAccess\dwm.exe	0a7efdf437b268455f4d328ffb164701.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
936	schtasks.exe
2344	schtasks.exe
2044	schtasks.exe
1976	schtasks.exe
2236	schtasks.exe
2800	schtasks.exe
1616	schtasks.exe
1960	schtasks.exe
1932	schtasks.exe
772	schtasks.exe
2820	schtasks.exe
1636	schtasks.exe
1520	schtasks.exe
2092	schtasks.exe
2976	schtasks.exe
2980	schtasks.exe
2912	schtasks.exe
952	schtasks.exe
2996	schtasks.exe
292	schtasks.exe
2568	schtasks.exe
1672	schtasks.exe
1096	schtasks.exe
800	schtasks.exe
2572	schtasks.exe
560	schtasks.exe
544	schtasks.exe
2540	schtasks.exe
2868	schtasks.exe
2888	schtasks.exe
684	schtasks.exe
284	schtasks.exe
2952	schtasks.exe
1824	schtasks.exe
1008	schtasks.exe
1952	schtasks.exe
2616	schtasks.exe
2676	schtasks.exe
668	schtasks.exe
1192	schtasks.exe
1388	schtasks.exe
2060	schtasks.exe
2016	schtasks.exe
2184	schtasks.exe
2836	schtasks.exe
2640	schtasks.exe
2584	schtasks.exe
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2112	0a7efdf437b268455f4d328ffb164701.exe
2112	0a7efdf437b268455f4d328ffb164701.exe
2112	0a7efdf437b268455f4d328ffb164701.exe
2112	0a7efdf437b268455f4d328ffb164701.exe
2112	0a7efdf437b268455f4d328ffb164701.exe
2112	0a7efdf437b268455f4d328ffb164701.exe
2112	0a7efdf437b268455f4d328ffb164701.exe
1524	powershell.exe
2020	powershell.exe
1756	powershell.exe
2256	powershell.exe
1188	powershell.exe
2500	powershell.exe
2524	powershell.exe
1376	powershell.exe
2452	powershell.exe
2936	powershell.exe
1156	powershell.exe
1432	powershell.exe
1632	powershell.exe
2312	powershell.exe
800	powershell.exe
956	powershell.exe
1612	powershell.exe
2116	winlogon.exe
2704	winlogon.exe
636	winlogon.exe
2780	winlogon.exe
2100	winlogon.exe
2996	winlogon.exe
1644	winlogon.exe
1284	winlogon.exe
3052	winlogon.exe
2084	winlogon.exe
1888	winlogon.exe
1828	winlogon.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	0a7efdf437b268455f4d328ffb164701.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	2116	winlogon.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2704	winlogon.exe
Token: SeDebugPrivilege	636	winlogon.exe
Token: SeDebugPrivilege	2780	winlogon.exe
Token: SeDebugPrivilege	2100	winlogon.exe
Token: SeDebugPrivilege	2996	winlogon.exe
Token: SeDebugPrivilege	1644	winlogon.exe
Token: SeDebugPrivilege	1284	winlogon.exe
Token: SeDebugPrivilege	3052	winlogon.exe
Token: SeDebugPrivilege	2084	winlogon.exe
Token: SeDebugPrivilege	1888	winlogon.exe
Token: SeDebugPrivilege	1828	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1188	2112	0a7efdf437b268455f4d328ffb164701.exe	80
PID 2112 wrote to memory of 1188	2112	0a7efdf437b268455f4d328ffb164701.exe	80
PID 2112 wrote to memory of 1188	2112	0a7efdf437b268455f4d328ffb164701.exe	80
PID 2112 wrote to memory of 956	2112	0a7efdf437b268455f4d328ffb164701.exe	81
PID 2112 wrote to memory of 956	2112	0a7efdf437b268455f4d328ffb164701.exe	81
PID 2112 wrote to memory of 956	2112	0a7efdf437b268455f4d328ffb164701.exe	81
PID 2112 wrote to memory of 1156	2112	0a7efdf437b268455f4d328ffb164701.exe	82
PID 2112 wrote to memory of 1156	2112	0a7efdf437b268455f4d328ffb164701.exe	82
PID 2112 wrote to memory of 1156	2112	0a7efdf437b268455f4d328ffb164701.exe	82
PID 2112 wrote to memory of 800	2112	0a7efdf437b268455f4d328ffb164701.exe	83
PID 2112 wrote to memory of 800	2112	0a7efdf437b268455f4d328ffb164701.exe	83
PID 2112 wrote to memory of 800	2112	0a7efdf437b268455f4d328ffb164701.exe	83
PID 2112 wrote to memory of 2500	2112	0a7efdf437b268455f4d328ffb164701.exe	84
PID 2112 wrote to memory of 2500	2112	0a7efdf437b268455f4d328ffb164701.exe	84
PID 2112 wrote to memory of 2500	2112	0a7efdf437b268455f4d328ffb164701.exe	84
PID 2112 wrote to memory of 2452	2112	0a7efdf437b268455f4d328ffb164701.exe	85
PID 2112 wrote to memory of 2452	2112	0a7efdf437b268455f4d328ffb164701.exe	85
PID 2112 wrote to memory of 2452	2112	0a7efdf437b268455f4d328ffb164701.exe	85
PID 2112 wrote to memory of 1632	2112	0a7efdf437b268455f4d328ffb164701.exe	86
PID 2112 wrote to memory of 1632	2112	0a7efdf437b268455f4d328ffb164701.exe	86
PID 2112 wrote to memory of 1632	2112	0a7efdf437b268455f4d328ffb164701.exe	86
PID 2112 wrote to memory of 1612	2112	0a7efdf437b268455f4d328ffb164701.exe	87
PID 2112 wrote to memory of 1612	2112	0a7efdf437b268455f4d328ffb164701.exe	87
PID 2112 wrote to memory of 1612	2112	0a7efdf437b268455f4d328ffb164701.exe	87
PID 2112 wrote to memory of 1756	2112	0a7efdf437b268455f4d328ffb164701.exe	88
PID 2112 wrote to memory of 1756	2112	0a7efdf437b268455f4d328ffb164701.exe	88
PID 2112 wrote to memory of 1756	2112	0a7efdf437b268455f4d328ffb164701.exe	88
PID 2112 wrote to memory of 1376	2112	0a7efdf437b268455f4d328ffb164701.exe	89
PID 2112 wrote to memory of 1376	2112	0a7efdf437b268455f4d328ffb164701.exe	89
PID 2112 wrote to memory of 1376	2112	0a7efdf437b268455f4d328ffb164701.exe	89
PID 2112 wrote to memory of 1524	2112	0a7efdf437b268455f4d328ffb164701.exe	90
PID 2112 wrote to memory of 1524	2112	0a7efdf437b268455f4d328ffb164701.exe	90
PID 2112 wrote to memory of 1524	2112	0a7efdf437b268455f4d328ffb164701.exe	90
PID 2112 wrote to memory of 2312	2112	0a7efdf437b268455f4d328ffb164701.exe	91
PID 2112 wrote to memory of 2312	2112	0a7efdf437b268455f4d328ffb164701.exe	91
PID 2112 wrote to memory of 2312	2112	0a7efdf437b268455f4d328ffb164701.exe	91
PID 2112 wrote to memory of 2256	2112	0a7efdf437b268455f4d328ffb164701.exe	92
PID 2112 wrote to memory of 2256	2112	0a7efdf437b268455f4d328ffb164701.exe	92
PID 2112 wrote to memory of 2256	2112	0a7efdf437b268455f4d328ffb164701.exe	92
PID 2112 wrote to memory of 2524	2112	0a7efdf437b268455f4d328ffb164701.exe	93
PID 2112 wrote to memory of 2524	2112	0a7efdf437b268455f4d328ffb164701.exe	93
PID 2112 wrote to memory of 2524	2112	0a7efdf437b268455f4d328ffb164701.exe	93
PID 2112 wrote to memory of 2020	2112	0a7efdf437b268455f4d328ffb164701.exe	94
PID 2112 wrote to memory of 2020	2112	0a7efdf437b268455f4d328ffb164701.exe	94
PID 2112 wrote to memory of 2020	2112	0a7efdf437b268455f4d328ffb164701.exe	94
PID 2112 wrote to memory of 1432	2112	0a7efdf437b268455f4d328ffb164701.exe	95
PID 2112 wrote to memory of 1432	2112	0a7efdf437b268455f4d328ffb164701.exe	95
PID 2112 wrote to memory of 1432	2112	0a7efdf437b268455f4d328ffb164701.exe	95
PID 2112 wrote to memory of 2936	2112	0a7efdf437b268455f4d328ffb164701.exe	96
PID 2112 wrote to memory of 2936	2112	0a7efdf437b268455f4d328ffb164701.exe	96
PID 2112 wrote to memory of 2936	2112	0a7efdf437b268455f4d328ffb164701.exe	96
PID 2112 wrote to memory of 2116	2112	0a7efdf437b268455f4d328ffb164701.exe	114
PID 2112 wrote to memory of 2116	2112	0a7efdf437b268455f4d328ffb164701.exe	114
PID 2112 wrote to memory of 2116	2112	0a7efdf437b268455f4d328ffb164701.exe	114
PID 2116 wrote to memory of 2124	2116	winlogon.exe	115
PID 2116 wrote to memory of 2124	2116	winlogon.exe	115
PID 2116 wrote to memory of 2124	2116	winlogon.exe	115
PID 2116 wrote to memory of 1604	2116	winlogon.exe	116
PID 2116 wrote to memory of 1604	2116	winlogon.exe	116
PID 2116 wrote to memory of 1604	2116	winlogon.exe	116
PID 2124 wrote to memory of 2704	2124	WScript.exe	117
PID 2124 wrote to memory of 2704	2124	WScript.exe	117
PID 2124 wrote to memory of 2704	2124	WScript.exe	117
PID 2704 wrote to memory of 1720	2704	winlogon.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a7efdf437b268455f4d328ffb164701.exe
"C:\Users\Admin\AppData\Local\Temp\0a7efdf437b268455f4d328ffb164701.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0a7efdf437b268455f4d328ffb164701.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Videos\0a7efdf437b268455f4d328ffb164701.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0a7efdf437b268455f4d328ffb164701.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\RemoteAccess\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
  "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d329ebae-f726-4f25-9775-40f126b84eef.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
      C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36e3f2a8-6b5a-4568-b4aa-6c38b98fc18a.vbs"
        5⤵
        
        PID:1720
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bc23130-ce07-4fda-95d2-5c58e5872ab9.vbs"
        7⤵
        
        PID:2268
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e1bca8-386f-46bf-a786-939ccbe273ca.vbs"
        9⤵
        
        PID:2280
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7783fe4-c4bf-4d01-a4f0-4965bb5e228c.vbs"
        11⤵
        
        PID:2568
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dcc0815-6a35-42f2-8776-b9a9dc2470bc.vbs"
        13⤵
        
        PID:1092
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f5d67e6-e404-4bd3-88f6-d506dc049eb3.vbs"
        15⤵
        
        PID:2416
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d347b560-ebcc-450c-a503-92c9b8e7fac9.vbs"
        17⤵
        
        PID:1072
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f736be30-f5e3-4652-8890-2b0a0887568c.vbs"
        19⤵
        
        PID:2172
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd54b639-cbea-4dab-82a5-376857cdf230.vbs"
        21⤵
        
        PID:1676
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04a0b8a3-7139-4d09-9a96-cf914630c2b3.vbs"
        23⤵
        
        PID:1272
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63676b69-eade-491d-8e04-efa82bda4df7.vbs"
        23⤵
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5f17b6c-45bf-47d9-b846-cfba25cf48e9.vbs"
        21⤵
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5e79197-9e2b-483e-98e9-17b99c78622f.vbs"
        19⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e71be25-c123-4eeb-a628-c6c4dbd52f5e.vbs"
        17⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0559b71-27af-43d5-91de-5b8526c5fd63.vbs"
        15⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c5b95db-b7cb-4c6c-83da-6ea8d020a4be.vbs"
        13⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44df1661-c1d9-4ee3-b554-d269bc42c8ce.vbs"
        11⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35b0496f-48a7-426a-9b01-797a1bddd783.vbs"
        9⤵
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51d93cbf-7f54-4b69-ab03-f32d7c6266e8.vbs"
        7⤵
        
        PID:2700
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\181ed1e9-5be2-4f2a-bc32-28020c2bb108.vbs"
        5⤵
        
        PID:2428
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4be94eb-46c1-4103-8bbf-38a670535810.vbs"
    3⤵
    PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a7efdf437b268455f4d328ffb1647010" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Videos\0a7efdf437b268455f4d328ffb164701.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a7efdf437b268455f4d328ffb164701" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\0a7efdf437b268455f4d328ffb164701.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a7efdf437b268455f4d328ffb1647010" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Videos\0a7efdf437b268455f4d328ffb164701.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Windows\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Windows\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Application Data\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a7efdf437b268455f4d328ffb1647010" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0a7efdf437b268455f4d328ffb164701.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a7efdf437b268455f4d328ffb164701" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0a7efdf437b268455f4d328ffb164701.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a7efdf437b268455f4d328ffb1647010" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0a7efdf437b268455f4d328ffb164701.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\RemoteAccess\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\inf\RemoteAccess\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\RemoteAccess\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
1.6MB

MD5
0a7efdf437b268455f4d328ffb164701

SHA1
c8004052c57affe1a1dcd8a4c85d1df28f980fc9

SHA256
4fbccd0e2aec34305c845e4f50ff90aeef7701d2e94e866ba47f9e4b0beb2b92

SHA512
2fe6c1531ac2fe4ef6a128b132dad6bca73db277d884924433e814e2b7b89757ef7fc9b6d127fdf29b4776f8b3c5ea80d5593d3476db3116efcfc0b778d23720

Download Submit
C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe

Filesize
1.6MB

MD5
0035ee74e79ff53c3aa37bc57fc0dfb0

SHA1
5f9f43e51629f31ef2b6dfdec7ed61ede6ddb4b1

SHA256
bb54db34b07aa867deb2e48f1c073caeaf93c04eb0fb7ad0b849fb89716f0782

SHA512
a6189fc09a1aeeddc0b70717e47e8fcbc98b517fea3d605c14fcbe625408a8dadab6068c3352f06d7876994401fbc4f62e45dbb2e8beb8118f6a28cee425af8c

Download Submit
C:\Program Files\DVD Maker\de-DE\csrss.exe

Filesize
1.6MB

MD5
77bb9b8c1730ab620cbc6fa1cfdbb9bd

SHA1
205a0bb2feb8c89f1bbdeb982381b36314f433d3

SHA256
e250474ee43c07a73b72e692ade11752a3ff216ea9dc3772b4bf3f296bcf7e4d

SHA512
0c01bc83ee1bbeb17c3c059594f9e466ae378035503d92c686dcd3d6f1064071bc5c062c6c84c178a20aa1186f958e20a60c189c0790f77b52f9fc2f31961f13

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe

Filesize
1.6MB

MD5
e77a5ac43484b00d37ab33b166e3e8c8

SHA1
b1f676c0277e2c337369303b068a97aa1617d9c2

SHA256
44657fd0367f0db26f41c66cac085861bd714a5db9b2629c4eed7fd2f40be6fc

SHA512
cf7ba07b4f7a669ed0a20a7e8d680e3dd64a0f42c2ea7bf3eb9297001bcb9f26817b0965e9364823459a2e7adbd0fa0b7c7d55e1ff5d066c01c1be33be0e9367

Download Submit
C:\ProgramData\Microsoft\Windows\OSPPSVC.exe

Filesize
1.6MB

MD5
08342e21dfe33cd8d5d00a01f56b8a07

SHA1
66750aa328c9ff009fe8419a26437544776a0971

SHA256
444d8388da2f66baa7cbedb1fcd667bcf8e7e6a936100ca6cda298ffe28cf360

SHA512
0ccce55f98f6d40ea104768bf2fd58434a3dde2b0a8ac33bfad7b595dc168f6fe853de1ee445428642a8cfd27c3dbf6bba911e5d2876ee04036ce8752481a068

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe

Filesize
1.6MB

MD5
5881e943c02bc5bfb81cbcd32c0726ad

SHA1
2eacc9b4af1200ff65118875ebf10257d0dde7a7

SHA256
50099aafd61397dff003533ce280cfcdfe923704491f4ffc33ab5f23715a2ba9

SHA512
20db53f507f620528f8ace1837626cc387a1efe0cfdeacc9d826465c185ac131be3d06bf9aa796376d1b50831e387f43e40047f14485ab4ca91414f857791cbd

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe

Filesize
1.6MB

MD5
703cd57dccc3cc48be0cb1857fa06475

SHA1
06ff6305104c6c901693847656f9bd025299069d

SHA256
3afbdb5248d23b5f98c140e6df6ed77da603164877ea068e743ba3317459e40f

SHA512
8661a3b39ee4a7cb20ca227efc4fcb64c3b250eeef6c7cec4c13381c5e8d2b4fd73dbf1df9d20ab0db0f05d80e6d08c4b4036f19591819302777e990f1a03c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\04a0b8a3-7139-4d09-9a96-cf914630c2b3.vbs

Filesize
737B

MD5
05acbbbd91f61be5ca56f2aaf0e3b823

SHA1
8a0901208765b79eeda818bcbc16fc676021d1c4

SHA256
203bc93b70b45e873e8ffe20cec8a9b53ff1679028892b2ecdb927afd4500289

SHA512
69f91ab9c752ffc03c8cb5bb8df3ef2a879991198a70c14d6cc155f42169485e38219c42cab61530e909fbc878c9a8c5e3aa5a21e7225995d536ba1a7be2daec

Download Submit
C:\Users\Admin\AppData\Local\Temp\36e3f2a8-6b5a-4568-b4aa-6c38b98fc18a.vbs

Filesize
737B

MD5
05779ab244baf223b1f8dbadb0a4e25a

SHA1
88cfaf11d69dee1983f6b16672fedd67f50f3eeb

SHA256
2ff065003b15cde6e40b48b9e53ee085be81490796d1a13b3d99cbb91e37761f

SHA512
ded5474ce8ce56bd77c5d6537ecdbace365c3a3119dd2d7d585913a49f8640a68d32b19a0a1a0514fd21ff10521ffe7b6950bcf44eca25508285fa3720911629

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bc23130-ce07-4fda-95d2-5c58e5872ab9.vbs

Filesize
736B

MD5
6439f63e7b62ab4dacf7a92b1dcf9a47

SHA1
3734897145fdd2ed7086e8d794a55501d969b56f

SHA256
388d9b26ea9e47b3d0fbddbad57e2583005b7e1471377e43694c3794d44a4da3

SHA512
b262d4711fd7e9d916e2a691a4a679ebcac8a88cf1e3dbeaa2dda509d133ec9b8ef9b5695135b18719de4892495565753a3f96cffc7d4ace84a25f784b4aeda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dcc0815-6a35-42f2-8776-b9a9dc2470bc.vbs

Filesize
737B

MD5
e80c79cf0d1fb4ebee3c7b5f9f64d5f0

SHA1
d96ed4957d4e65cc63921e6d794de4ea84f4fa86

SHA256
fe31958f30f9a4aa610293fb9ca710fe08794dc4ceb3c47079337acb85d85315

SHA512
b36c7bf6f1911a9044dc0e01f5210b375fef6df6a0747d862c78256735b7bfdf4d31e57a275d68425feb18f8c3e0b8d0f605b923c3d04c0172f7cb344dbf5a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f5d67e6-e404-4bd3-88f6-d506dc049eb3.vbs

Filesize
737B

MD5
9f0f6a6ec0d745a496295c36de4921a4

SHA1
06908714501486504cd1ffd75c8d73e50c343ce3

SHA256
b70196c1dd284cb3b1bd0d1c6b78bc1a205acc9c9f6dd30e4ee0c20cf487048b

SHA512
de80e0abcd84aa0d2a043c4546a656d217e5c2918ea2fbd1501e4c08e110b8c8f33fda6e4e0250b3687f18c3995637c869594c077e258854eccf7f0049bd1890

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7783fe4-c4bf-4d01-a4f0-4965bb5e228c.vbs

Filesize
737B

MD5
d249530cc91f5c960d41d1dd67702007

SHA1
57433bafb090a69a183530abd7185e2aa60212f9

SHA256
36566f245e4223dd6feba76969af888c7bd80c7bc98ae4bcb0d9c5260d96f391

SHA512
a9b294356f06e971d756f43e30fa77b1c9081207c983c6372544fd4d3a740386cd2fe5737fd401869f996bddbbe4ba203af8a3143bf22b6fc9d3a4cb0dbea7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4be94eb-46c1-4103-8bbf-38a670535810.vbs

Filesize
513B

MD5
5336f060c23aec83f9716c29fe5aa03d

SHA1
e2886c66d2a2a2958d30de4097e1a1b880be4d72

SHA256
2191838336434d19a26ee1d5b5294856dbe52a4aeb30dfbbe450d3331664619c

SHA512
6b0b9bbe0261115b95e99441a99ad644e3e66e29a88b2bdf213af5a04b6eb7042309400a620b1d2b880886b6c62dc9358a22adf9fe8ed2cd60261901c4d14357

Download Submit
C:\Users\Admin\AppData\Local\Temp\d329ebae-f726-4f25-9775-40f126b84eef.vbs

Filesize
737B

MD5
2fa435c5b394b1f86e76bbbf11734906

SHA1
e4d7105bec36d7c699f4c23700fba7e12c4c33de

SHA256
6c2b657442f64e68556659d357b0346dc7b57dd21f23e3edc23bf0f4f47ae36c

SHA512
e9109c0c1ceaa929c0a23bd233c44f751f1ec0bba9c47e959be644bd42a067258971fad2dd76413bf995ad8fedef85cec483c62a71e63075bbb413ea6a9dcc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\d347b560-ebcc-450c-a503-92c9b8e7fac9.vbs

Filesize
737B

MD5
6fc39ae399999f0ede85843105951b0a

SHA1
8882bbb76841e010321682c4dd004d14e78461e5

SHA256
f9d66cbbf3ddb50e20e49ae627dd94643a9c075e8272cb765ed6a114f0015655

SHA512
34a753d30afe2e5e42774bb5df613964d437feff14bddf6757ce5abab72dece4f64b71f57bf6c8348ba31a2f5477758e79c9b5a7ed3454d828e1fc725e0742fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9e1bca8-386f-46bf-a786-939ccbe273ca.vbs

Filesize
737B

MD5
312866cb22f035f2a9c00cc8c35f22ea

SHA1
6c969a12dcf4ffbf29c6e47e22f0cbed6b3726c0

SHA256
227802eb4dd09c6e10264c8253cd18da1102e5e0a7f4e4a9bd9ca1fb83bbddc0

SHA512
a3a9bb23f390a009d7e8ea93319acf8d29e6046597106856b467a2fad23019c6daa46c66383406e2b2cf30a05ac93ca5173a70e54d0912f76b48bad3c57f2ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f736be30-f5e3-4652-8890-2b0a0887568c.vbs

Filesize
737B

MD5
313623aa0c2edc312e6cc9f08584bdc8

SHA1
0d965173f5e7a32f3f0575074913da2c6871db87

SHA256
c2cca1d8064d28ea91113bb38a495c94f5ed4c98effec076c9aacf60fea98326

SHA512
c3b8c1ef75b3576d50f96fd544b51883d3492f086cd7d734a94c3680edc1b59aae33060853c8fe874b20a112526bad97add31347a6bbb62c136ae8a30209994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd54b639-cbea-4dab-82a5-376857cdf230.vbs

Filesize
737B

MD5
31e7ade2f82849690985ba74c3a531d3

SHA1
b6468eefd0a34281af3a30ca55ffb7ff40357d69

SHA256
3a93f7f804db498008e99b997233dfcb17be4a1b88da0ad8818ea8d41165029f

SHA512
e5629f8f7d3c1ace8f47c6d095c16947d2d8aff684b36d4751f9408da1dfd1ca35e6fc231ab9306707f421c2f8dd22cde47ba018b56770b08241c61d76a3d11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
15d1433b7e9bc33e8de4e28e69090b4f

SHA1
825cdee60fb19946e31f5a365cfc1aad5526cb3b

SHA256
16bce42cf0c63d031a96c33ee7a7a69f070e2818b156e9367992366839d8c862

SHA512
d4acdcab25d292e1aaa2d3dc0db89f556b67921191c163e3f36eb433ce666ab9a35ffe6a6ddbbef247ee34fe66ee0cde84b255d5629c2b19b3d40f33c2dcdd52

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
1.6MB

MD5
2ca47cfe604ad381f6c08d64c67442cd

SHA1
bce73c71c0f224d258ed8ea29da3fa4e45d2992d

SHA256
502674b665e010b50809979a42b457ce495f99635cb92ea3f077a53d0aa80715

SHA512
cfa25d5a288713379a7cd822851725a2f77c213bd8d08153a376f8c82acabebcc6c2c647badab318315a4924ab6658aefa22f41e44332f84d7498d7c887e7a22

Download Submit
memory/636-345-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/1524-253-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1524-251-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2100-369-0x0000000000CC0000-0x0000000000E62000-memory.dmp

Filesize
1.6MB

Download
memory/2112-12-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2112-11-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2112-1-0x0000000000E70000-0x0000000001012000-memory.dmp

Filesize
1.6MB

Download
memory/2112-196-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

Filesize
4KB

Download
memory/2112-252-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-16-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2112-15-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/2112-13-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2112-14-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2112-2-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-0-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

Filesize
4KB

Download
memory/2112-214-0x000007FEF5A00000-0x000007FEF63EC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-10-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2112-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2112-9-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2112-8-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2112-6-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2112-4-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2112-7-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2112-5-0x00000000002F0000-0x0000000000306000-memory.dmp

Filesize
88KB

Download
memory/2116-244-0x0000000000A20000-0x0000000000BC2000-memory.dmp

Filesize
1.6MB

Download
memory/2704-333-0x0000000000B70000-0x0000000000D12000-memory.dmp

Filesize
1.6MB

Download
memory/2780-357-0x0000000000B10000-0x0000000000CB2000-memory.dmp

Filesize
1.6MB

Download
memory/2996-381-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download