dcrat | 777f77c1c53c3551c89ef44c86c06cbfe0b2bb04374b7d7d9f6153d3ecc3c267

Analysis

max time kernel
70s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41234e0118ba1cfc06b88d347f3a53f5.exe
Size

885KB
MD5

41234e0118ba1cfc06b88d347f3a53f5
SHA1

a0bc5bbd988def1d53cb8b74d6a19084ebec1a92
SHA256

7eaf3845dc36309ef1b4dbcf87058d55bbe2b9bdad969d53c9bf6f250981dd6f
SHA512

25f929d3197123654edfd7ba2dcad5dcc0c2fab2743c9e7b80ed2b419326f5666799d6866ed76d51f7fce1a48e1d67c0454f5a9f699c04c590366c27c313d49c
SSDEEP

12288:GlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:GlNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5996	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5152	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5424	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5208	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5172	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5336	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5600	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4660	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	4660	schtasks.exe	87

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/memory/400-1-0x00000000009C0000-0x0000000000AA4000-memory.dmp	dcrat
behavioral4/files/0x00070000000242cc-19.dat	dcrat
behavioral4/files/0x000800000002431e-235.dat	dcrat
behavioral4/files/0x0008000000024314-242.dat	dcrat
behavioral4/files/0x000d00000001e68e-362.dat	dcrat
behavioral4/files/0x000f00000001e68e-395.dat	dcrat

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	41234e0118ba1cfc06b88d347f3a53f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	41234e0118ba1cfc06b88d347f3a53f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 6 IoCs

pid	Process
5108	SearchApp.exe
1808	SearchApp.exe
2220	SearchApp.exe
4748	SearchApp.exe
4644	SearchApp.exe
5772	SearchApp.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX95BC.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SppExtComObj.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\RCX9417.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files\edge_BITS_4600_846981562\RCX9418.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files\edge_BITS_4600_846981562\RCX9429.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX95AB.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files\edge_BITS_4600_846981562\System.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\e1ef82546f0b02	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX9543.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files\ModifiableWindowsApps\Idle.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\dllhost.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\5940a34987c991	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX9554.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX9599.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\WmiPrvSE.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\RCX948C.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX959A.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\38384e6a620884	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\24dbde2999530e	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\ea1d8f6d871115	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\RCX9406.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\smss.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX8E4A.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX8E4B.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\RCX946C.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files\edge_BITS_4600_846981562\27d1bcfc3c54e0	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX945B.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX946B.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	41234e0118ba1cfc06b88d347f3a53f5.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twain_32\RCX8E4C.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\RCX8E5E.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\SystemResources\ShellComponents\pris\System.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\twain_32\SppExtComObj.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\121e5b5079f7c0	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\SystemResources\ShellComponents\pris\RCX8D62.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\RCX8E5F.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Help\en-US\unsecapp.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\twain_32\e1ef82546f0b02	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sysmon.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Help\en-US\RCX8D99.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\twain_32\RCX8E4D.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\SystemResources\ShellComponents\pris\27d1bcfc3c54e0	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Help\en-US\29c1c3cc0f7685	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Help\en-US\RCX8D89.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\SystemResources\ShellComponents\pris\RCX8D52.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	41234e0118ba1cfc06b88d347f3a53f5.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4508	schtasks.exe
2736	schtasks.exe
4908	schtasks.exe
5436	schtasks.exe
5708	schtasks.exe
5336	schtasks.exe
5368	schtasks.exe
4380	schtasks.exe
4804	schtasks.exe
2552	schtasks.exe
6056	schtasks.exe
4892	schtasks.exe
2060	schtasks.exe
440	schtasks.exe
5104	schtasks.exe
1268	schtasks.exe
3020	schtasks.exe
4552	schtasks.exe
6048	schtasks.exe
2900	schtasks.exe
4764	schtasks.exe
5160	schtasks.exe
5172	schtasks.exe
5028	schtasks.exe
220	schtasks.exe
5152	schtasks.exe
3716	schtasks.exe
2964	schtasks.exe
2816	schtasks.exe
4792	schtasks.exe
1844	schtasks.exe
3000	schtasks.exe
1500	schtasks.exe
3852	schtasks.exe
1152	schtasks.exe
4320	schtasks.exe
5764	schtasks.exe
4368	schtasks.exe
1628	schtasks.exe
4576	schtasks.exe
4652	schtasks.exe
4816	schtasks.exe
2560	schtasks.exe
1892	schtasks.exe
5092	schtasks.exe
5424	schtasks.exe
4864	schtasks.exe
4340	schtasks.exe
2604	schtasks.exe
4972	schtasks.exe
4948	schtasks.exe
4832	schtasks.exe
732	schtasks.exe
5540	schtasks.exe
6072	schtasks.exe
3256	schtasks.exe
4184	schtasks.exe
2512	schtasks.exe
540	schtasks.exe
4224	schtasks.exe
1372	schtasks.exe
4668	schtasks.exe
4772	schtasks.exe
4384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
400	41234e0118ba1cfc06b88d347f3a53f5.exe
2680	41234e0118ba1cfc06b88d347f3a53f5.exe
2680	41234e0118ba1cfc06b88d347f3a53f5.exe
2680	41234e0118ba1cfc06b88d347f3a53f5.exe
2680	41234e0118ba1cfc06b88d347f3a53f5.exe
2680	41234e0118ba1cfc06b88d347f3a53f5.exe
2680	41234e0118ba1cfc06b88d347f3a53f5.exe
5108	SearchApp.exe
1808	SearchApp.exe
2220	SearchApp.exe
4748	SearchApp.exe
4644	SearchApp.exe
5772	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	41234e0118ba1cfc06b88d347f3a53f5.exe
Token: SeDebugPrivilege	2680	41234e0118ba1cfc06b88d347f3a53f5.exe
Token: SeDebugPrivilege	5108	SearchApp.exe
Token: SeDebugPrivilege	1808	SearchApp.exe
Token: SeDebugPrivilege	2220	SearchApp.exe
Token: SeDebugPrivilege	4748	SearchApp.exe
Token: SeDebugPrivilege	4644	SearchApp.exe
Token: SeDebugPrivilege	5772	SearchApp.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2680	400	41234e0118ba1cfc06b88d347f3a53f5.exe	127
PID 400 wrote to memory of 2680	400	41234e0118ba1cfc06b88d347f3a53f5.exe	127
PID 2680 wrote to memory of 6064	2680	41234e0118ba1cfc06b88d347f3a53f5.exe	181
PID 2680 wrote to memory of 6064	2680	41234e0118ba1cfc06b88d347f3a53f5.exe	181
PID 6064 wrote to memory of 2164	6064	cmd.exe	183
PID 6064 wrote to memory of 2164	6064	cmd.exe	183
PID 6064 wrote to memory of 5108	6064	cmd.exe	189
PID 6064 wrote to memory of 5108	6064	cmd.exe	189
PID 5108 wrote to memory of 400	5108	SearchApp.exe	191
PID 5108 wrote to memory of 400	5108	SearchApp.exe	191
PID 5108 wrote to memory of 3716	5108	SearchApp.exe	192
PID 5108 wrote to memory of 3716	5108	SearchApp.exe	192
PID 400 wrote to memory of 1808	400	WScript.exe	194
PID 400 wrote to memory of 1808	400	WScript.exe	194
PID 1808 wrote to memory of 1348	1808	SearchApp.exe	195
PID 1808 wrote to memory of 1348	1808	SearchApp.exe	195
PID 1808 wrote to memory of 3136	1808	SearchApp.exe	196
PID 1808 wrote to memory of 3136	1808	SearchApp.exe	196
PID 1348 wrote to memory of 2220	1348	WScript.exe	203
PID 1348 wrote to memory of 2220	1348	WScript.exe	203
PID 2220 wrote to memory of 2900	2220	SearchApp.exe	206
PID 2220 wrote to memory of 2900	2220	SearchApp.exe	206
PID 2220 wrote to memory of 2328	2220	SearchApp.exe	207
PID 2220 wrote to memory of 2328	2220	SearchApp.exe	207
PID 2900 wrote to memory of 4748	2900	WScript.exe	208
PID 2900 wrote to memory of 4748	2900	WScript.exe	208
PID 4748 wrote to memory of 4492	4748	SearchApp.exe	209
PID 4748 wrote to memory of 4492	4748	SearchApp.exe	209
PID 4748 wrote to memory of 2268	4748	SearchApp.exe	210
PID 4748 wrote to memory of 2268	4748	SearchApp.exe	210
PID 4492 wrote to memory of 4644	4492	WScript.exe	211
PID 4492 wrote to memory of 4644	4492	WScript.exe	211
PID 4644 wrote to memory of 2456	4644	SearchApp.exe	212
PID 4644 wrote to memory of 2456	4644	SearchApp.exe	212
PID 4644 wrote to memory of 1176	4644	SearchApp.exe	213
PID 4644 wrote to memory of 1176	4644	SearchApp.exe	213
PID 2456 wrote to memory of 5772	2456	WScript.exe	214
PID 2456 wrote to memory of 5772	2456	WScript.exe	214
PID 5772 wrote to memory of 5552	5772	SearchApp.exe	215
PID 5772 wrote to memory of 5552	5772	SearchApp.exe	215
PID 5772 wrote to memory of 2284	5772	SearchApp.exe	216
PID 5772 wrote to memory of 2284	5772	SearchApp.exe	216

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41234e0118ba1cfc06b88d347f3a53f5.exe
"C:\Users\Admin\AppData\Local\Temp\41234e0118ba1cfc06b88d347f3a53f5.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\41234e0118ba1cfc06b88d347f3a53f5.exe
  "C:\Users\Admin\AppData\Local\Temp\41234e0118ba1cfc06b88d347f3a53f5.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ufk0Q6MZw.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6064
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2164
  - - C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
      "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8384ed7f-d1c2-4716-bdce-982cacef6177.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3d02a72-de64-412c-94fa-31edb39f4f87.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7c7607c-9a6d-4090-9b6c-ddc403c00845.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fda07077-b8bc-47de-adec-dea52bf4ba51.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ce2a9bb-f2ce-4f93-ac12-ffbd7bf4cd8b.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e2c7380-6666-4799-b4d1-d3a314764dc3.vbs"
        15⤵
        
        PID:5552
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        16⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d46138f-33dc-4d92-ba74-186890520781.vbs"
        17⤵
        
        PID:4560
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        18⤵
        
        PID:3900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70fb6fc2-1064-4233-b9d3-8aea2ac18c5c.vbs"
        19⤵
        
        PID:5372
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        20⤵
        
        PID:1460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b40ac495-7379-4b94-b57d-ee71416367e0.vbs"
        21⤵
        
        PID:4724
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        22⤵
        
        PID:4568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29a2793e-82c2-4ed9-9d86-31afcc086bee.vbs"
        23⤵
        
        PID:4816
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        24⤵
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\819e2494-5b53-48a1-85be-00b4ce0b4ec5.vbs"
        25⤵
        
        PID:3372
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        26⤵
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5d2e7eb-3858-4e46-b88c-ff858d038117.vbs"
        27⤵
        
        PID:5744
        
        C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe
        
        "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe"
        28⤵
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\861ef0a3-4e37-4de6-b604-e6c70168e58c.vbs"
        29⤵
        
        PID:392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e59fdac9-aef1-4830-86fd-7674665764fa.vbs"
        29⤵
        
        PID:5800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fc56f46-f831-4ca0-b2f7-49bb619f0f77.vbs"
        27⤵
        
        PID:6076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4145fc2-6f36-4d0c-a58d-90f3eab7193f.vbs"
        25⤵
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a2c5b0e-658b-426a-90e2-6753ac2e247c.vbs"
        23⤵
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48f8851c-9a11-4e17-922b-e3f617e34900.vbs"
        21⤵
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b88195b-602c-4166-b3f9-7164cca9f897.vbs"
        19⤵
        
        PID:4324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\139cf485-4a60-4e00-9a4b-280c083e7d0e.vbs"
        17⤵
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f4aa57c-f285-43a6-b9ad-9a0415e7d3a3.vbs"
        15⤵
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3042d47c-2e16-42bc-aa1b-c19bbe825c46.vbs"
        13⤵
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e82fab4-5444-47b1-9e1f-652b23ac24d5.vbs"
        11⤵
        
        PID:2268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8422c4f-074d-410e-afd2-bb48fdfa2148.vbs"
        9⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68b9f691-33c5-47e9-9cf6-5bcf0abb680f.vbs"
        7⤵
        
        PID:3136
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1e0fb71-780c-4672-aafe-2d0af26ef68a.vbs"
        5⤵
        
        PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\900323d723f1dd1206\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\900323d723f1dd1206\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemResources\ShellComponents\pris\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SystemResources\ShellComponents\pris\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\ShellComponents\pris\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\60739cf6f660743813\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\60739cf6f660743813\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\60739cf6f660743813\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\60739cf6f660743813\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Help\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\0\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\0\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\0\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\60739cf6f660743813\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\900323d723f1dd1206\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4600_846981562\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4600_846981562\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4600_846981562\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\60739cf6f660743813\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\60739cf6f660743813\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\IdentityCRL\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41234e0118ba1cfc06b88d347f3a53f54" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\41234e0118ba1cfc06b88d347f3a53f5.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41234e0118ba1cfc06b88d347f3a53f5" /sc ONLOGON /tr "'C:\900323d723f1dd1206\41234e0118ba1cfc06b88d347f3a53f5.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41234e0118ba1cfc06b88d347f3a53f54" /sc MINUTE /mo 9 /tr "'C:\900323d723f1dd1206\41234e0118ba1cfc06b88d347f3a53f5.exe'" /rl HIGHEST /f
1⤵
PID:6104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\upfc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\60739cf6f660743813\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\60739cf6f660743813\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\60739cf6f660743813\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SppExtComObj.exe'" /f
1⤵
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\6ccacd8608530f

Filesize
764B

MD5
8a077faf2971f15bc8d91a524dbea46f

SHA1
a88a83078b4f4c1df98ae56dce92c43e6d936afd

SHA256
6676dd0f30ce436702d99ace7e1d2a6f8ec52d2632843cbca014c4dd669e7bd5

SHA512
b61a377235e2b2fad24456d1e57bfd4c6f76a6e45f0ac083ee45f942cfc613f31ae3fe7b3705e554c47bbdbee19e6c8ee56ff6be8405910a2886c01171c117bc

Download Submit
C:\60739cf6f660743813\RCX9555.tmp

Filesize
885KB

MD5
180bbfc58fe22fe4c8dfb67b8cf12556

SHA1
65c22396f2bb134dd65370788c7c6126bae4ce21

SHA256
f79e927f3e8b6b6ee859b275b0262aecf6aa85249d2c4ace3066bf01e108a5b8

SHA512
f46f57cd2ec7e71616002c0f06cdb735a8b639d20bd5f8ac70e5b8d8f62efba3946cdbbd879e18ae23c6fe1710df237abc1449a51f40d42bfb4dc972bd34703d

Download Submit
C:\60739cf6f660743813\StartMenuExperienceHost.exe

Filesize
885KB

MD5
41234e0118ba1cfc06b88d347f3a53f5

SHA1
a0bc5bbd988def1d53cb8b74d6a19084ebec1a92

SHA256
7eaf3845dc36309ef1b4dbcf87058d55bbe2b9bdad969d53c9bf6f250981dd6f

SHA512
25f929d3197123654edfd7ba2dcad5dcc0c2fab2743c9e7b80ed2b419326f5666799d6866ed76d51f7fce1a48e1d67c0454f5a9f699c04c590366c27c313d49c

Download Submit
C:\900323d723f1dd1206\backgroundTaskHost.exe

Filesize
885KB

MD5
5850e5e14a5fa8bca207f8a3e0e06443

SHA1
319b184e4c9c1b581f3d966208e42ab985113abe

SHA256
72682cdb8813bd65a8ef5104b4acb432dee704ded28d45900a3f87ed5ea269e5

SHA512
1834bd2ded1c025c6e5a2c0765f8853abf794cf407e2b97121aaf443ff44e097615fe4437e738470b1472fa8bb349ae6bc347dc090ad3bc9c36b25965ca17612

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\RCX9406.tmp

Filesize
885KB

MD5
e5506df7f1054036791130bed3ce10a6

SHA1
f5100aca4e9f9147e6a307fb357e839beed0adf4

SHA256
01dbc50c34d15bb60a58794fefa180554409f9d7c80dc3c5dbeecb4647af1cc9

SHA512
f6550eca284d2d28be9c978ffd5ea008b5a7ec55bb62cd48234002e9f5d9e1fc2f5e1655cfec5e03918557b5ba194516c1397efb222837e5c4a1f5cacd446115

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX9599.tmp

Filesize
885KB

MD5
c7aac07fc15b3fda3369870936c8fb41

SHA1
2e7ed477be19c8bc67f761ff76a0dba10856c6a0

SHA256
937fdb68faf20cdb2ad1c9d503e20a86580a1329150d5f224c1d29b1303493dc

SHA512
793b43ea9a0b794b6b1286f20c19db2ba256c209a19da7a624c57042bcbe6813f778b9bcf5ae21692161d83afd9bd6aa11e37a0d1a77695112f89a7daf3ceb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\41234e0118ba1cfc06b88d347f3a53f5.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e2c7380-6666-4799-b4d1-d3a314764dc3.vbs

Filesize
755B

MD5
333d455820054307cefafc57fff93dae

SHA1
5e8a3ecea91e027e2c7d38807493146574c18b4a

SHA256
47c7c4c256c3542aff8a404dbc223735306521214750c802b575e36f5b029d6b

SHA512
29fa84ba00d6f0ea1644b155c4f1c71272d2b0b0b4d3635a3341d32ff8e5e54ba4e258dd61e6cedea34fb51cd1bc3bd772132e2649059819387a792b87ccab5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\29a2793e-82c2-4ed9-9d86-31afcc086bee.vbs

Filesize
755B

MD5
5ff3f40186ad8b0283a50b5bee17bac3

SHA1
b27fd0dde177ac07b14d916294a516840c88af4c

SHA256
11463f118b4144f7bdea5b4e98805f4948b2473529f6c004ec2be0044fe17224

SHA512
6005b1d0dbc67dff538af26e337c23b6ec24379dc624e47e02bec8415e0e559bbf3849ecbf35846dfd0981485348d4cbc2ad447bf937555da78fa49ddb46cff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ufk0Q6MZw.bat

Filesize
244B

MD5
54e543240ac0874293cccb3c66d5e48e

SHA1
156821985f4df182d6a8622761a8558df298e141

SHA256
c2cefcaef2bafc4552cfe628f2279189cfde7eba975abce0c74699fc391fea84

SHA512
26e71c3b1ff31c1a11a10af5dab972ed662ee9f43e05338876f983a9b3d9cc207456004a7f2bf84d21bf0e8a1247b13d12caa122b5ef146bda3b8fe9d36c8ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\70fb6fc2-1064-4233-b9d3-8aea2ac18c5c.vbs

Filesize
755B

MD5
6325856189d0d4c96d46cce9587cef83

SHA1
c27572b872d6ab3701228144376510511701e6bd

SHA256
1510b241812c6fa83cedc2aa6116e4198e4736382b8b0c771c9400282a65b0b9

SHA512
d5d9cd7c38c1ae9888b551c732af25312d97fc61f44dbba6ed44ba03a847afd9505af0c550c81d9386a99328869df67be24328ad09908e9d7a44ec5d1d5b8e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d46138f-33dc-4d92-ba74-186890520781.vbs

Filesize
754B

MD5
ac63fc25470eb708ad601b1b2e1d6505

SHA1
eb37166401ca9cfd4c3a3b04febe448a67f6be56

SHA256
963c609c449bc45e18187cbf0f0715ef13984a0626f8543a58cbb91889a259c9

SHA512
5ccb327a15f96c57ae46aa92d2b7b791a64d6ca4e874c7620cf6a75d88ace74fa269e8596d949424d0911793f20ef6181bc49930c57479d3115b59519d5e7d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\819e2494-5b53-48a1-85be-00b4ce0b4ec5.vbs

Filesize
755B

MD5
1748aae15535407c5cbf967e34f01b15

SHA1
84d75cb32c7d1c6a7789b41f9a42c748f4ed43b8

SHA256
e416d9a64c73281f4cb02c5019e2cdef6358d796c73cbe5089486d719c58f88c

SHA512
447bc58347094965c3267aa2dbf26b5b56cc7f919b4fc48e82b49a22e082e77687e2c43b96a9a32e78688f0e536833b1d3bdd01fbdf15793c81f8b2331f04e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\8384ed7f-d1c2-4716-bdce-982cacef6177.vbs

Filesize
755B

MD5
dd0e5c723acab4c8e6f370935b7bbcda

SHA1
4189335a21a7f6ad265f5754f170892bb0b16a6b

SHA256
a1732f692007e28230a53fa0c42ffc8d801e5f609ec1bded59896457722ae731

SHA512
17c66b28fdcb89a90fcc121f6c2593c56143a119e04cf7ffc2bc0e8faaec6715ce21d078d7434191f0eeeb38de50425262c298203d9407eb36ce99057c1745a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\861ef0a3-4e37-4de6-b604-e6c70168e58c.vbs

Filesize
755B

MD5
983d6698e79876f76b4c32a28f267d59

SHA1
7802c410b70498d1b7a1eadc120135fa393c8119

SHA256
dc2c01671f84502c0fb40f8879d3d971ca6d81b8a497c5d6722bbedff29782d9

SHA512
bd4c4c84e2da5b4ab345b9d0c7d6cc24c58a105ab23eb2d526575e53fada36686205cd5ec4b8890970ce4027171367c8fe41425a07e6d2548520060f5e91190f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ce2a9bb-f2ce-4f93-ac12-ffbd7bf4cd8b.vbs

Filesize
755B

MD5
0124f91c312a56a43f26c81447d22541

SHA1
4a37596a8f1947f077028557b5d052ac90150bb9

SHA256
0d3db29fb210470d77b30f82867220fbb18542164721d030bc3a3d1971a96967

SHA512
0e55334112cbbe8ba2e4032d85ab60a30cf45202117e508397b75717e073b67c5b5c215710b00b8dbd7be0c0d11e8c943dc07b0ed4cc77620fcf9c5bbfb0f50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1e0fb71-780c-4672-aafe-2d0af26ef68a.vbs

Filesize
531B

MD5
8ef062b1492f01d2565651c7e3d85681

SHA1
9705487d5f49ce360218a8b8e888b965847ec68b

SHA256
09eb8ebf5f7f1022f0265e20b5e4613329cdb478f15a08ea049a668ef4bd6332

SHA512
d8c5997fc7fc36ff9556b682c662c4a52a06ef6279ade510f714f5d3308c0588683496d06b039f9b626940a587161f0764495d3208959cdcf715ee223001eafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3d02a72-de64-412c-94fa-31edb39f4f87.vbs

Filesize
755B

MD5
c8474b4791ea3384e1e9970134621c03

SHA1
7b08738ff8d4ad1bb0ec3bcde0b2235cb74fb1b2

SHA256
edb03f5c8148b2f6a70a403f828598db3f600dd36ec292fb9c6dcb3b2506d638

SHA512
b487fe819b88c7c5ce7d2954cdce4da077ce0ec32a5dd7fb7182b76fe133b1650e88d0aaca2616e6c1c6b6079b2c3750d277b21168f580106b5fbc5d292b417f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5d2e7eb-3858-4e46-b88c-ff858d038117.vbs

Filesize
755B

MD5
bd1285e5d34eb06740245b06d4b33a20

SHA1
75f54f088dfbb327cc98b60d93b91bb18748b723

SHA256
cd508aefe2b3259cf20f57463ae30e89e033c0de0baa554563aeebe85d02f5d0

SHA512
0e0edf34a6b826929b848beec63488b5507f816ad812eb4804d3a7a5229011fa58a2a46645352951cc0077fbd15cd4946ac6d64f476879ab1a18afbace35c3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40ac495-7379-4b94-b57d-ee71416367e0.vbs

Filesize
755B

MD5
20d21a1d366a3734066aa7210b7e791f

SHA1
47382f0503f582f68a03d86b35414c958a1c73a3

SHA256
9e2105df04b8865c1c54420f749ed1a18c83e0ab70f0e7a09d3a995f834fef29

SHA512
202279ec9bb0f63c3bbc7c738361022b2c42eea74eea40fc9fb568cf2dad20474bc3606f9ba5c787ef0ee92511fb7b69da3f460a335eb57dc713bd5c0fc0d7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c7c7607c-9a6d-4090-9b6c-ddc403c00845.vbs

Filesize
755B

MD5
693f8298eea76499e2f1ab695573a4fb

SHA1
4b24e083fd53c902b84486a694bb56b8de921c73

SHA256
b4e6f7587da2a22bf8106e83247ac0d3931355e7eb0e365875ccf768271b3b4b

SHA512
f409bb20a5e1aea6f9eff2144ed7889ce5dff39858c87234eed8a07a9d5eac1ae9198f7a3922cf258437e75972ceef4990542b131267f3c4e5365037ee5ad8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fda07077-b8bc-47de-adec-dea52bf4ba51.vbs

Filesize
755B

MD5
88f999615234ca0aab519734c5f50612

SHA1
8b233c0c3ea9188705d61c5798634ad8437da249

SHA256
ca163c3f6e940d42e76e57535052b38807c3c0ff44817b0028e0a44dfb3a0210

SHA512
d6c35a2543e11dcb8491e7a7024bdb67ea765ae34706e5eea2fef7774d84882c8473d37f48aca6951afd8bec1247bce44433bc10d2985f0b007ea06e1ffc878c

Download Submit
memory/400-6-0x000000001B5E0000-0x000000001B5F6000-memory.dmp

Filesize
88KB

Download
memory/400-0-0x00007FFD86A33000-0x00007FFD86A35000-memory.dmp

Filesize
8KB

Download
memory/400-8-0x000000001BC20000-0x000000001BC2E000-memory.dmp

Filesize
56KB

Download
memory/400-9-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/400-10-0x000000001BC40000-0x000000001BC4C000-memory.dmp

Filesize
48KB

Download
memory/400-187-0x00007FFD86A30000-0x00007FFD874F1000-memory.dmp

Filesize
10.8MB

Download
memory/400-7-0x000000001BC10000-0x000000001BC1A000-memory.dmp

Filesize
40KB

Download
memory/400-4-0x000000001BC60000-0x000000001BCB0000-memory.dmp

Filesize
320KB

Download
memory/400-5-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/400-3-0x0000000002B10000-0x0000000002B2C000-memory.dmp

Filesize
112KB

Download
memory/400-2-0x00007FFD86A30000-0x00007FFD874F1000-memory.dmp

Filesize
10.8MB

Download
memory/400-1-0x00000000009C0000-0x0000000000AA4000-memory.dmp

Filesize
912KB

Download