dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0343adab1970d928320ce2aa587fd3.exe
Size

1.6MB
MD5

1f0343adab1970d928320ce2aa587fd3
SHA1

e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8
SHA256

9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4
SHA512

c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5396	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4428	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4428	schtasks.exe	87

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/1384-1-0x0000000000CF0000-0x0000000000E92000-memory.dmp	dcrat
behavioral20/files/0x000700000002429f-26.dat	dcrat
behavioral20/files/0x000f0000000242bc-91.dat	dcrat
behavioral20/files/0x000900000002429a-102.dat	dcrat
behavioral20/files/0x000900000002429f-113.dat	dcrat
behavioral20/files/0x00090000000242aa-146.dat	dcrat
behavioral20/files/0x00090000000242ae-157.dat	dcrat
behavioral20/files/0x00090000000242b0-168.dat	dcrat
behavioral20/memory/1328-338-0x0000000000760000-0x0000000000902000-memory.dmp	dcrat
behavioral20/files/0x000e0000000242c1-442.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1504	powershell.exe
3060	powershell.exe
1232	powershell.exe
5208	powershell.exe
6028	powershell.exe
660	powershell.exe
1956	powershell.exe
776	powershell.exe
5356	powershell.exe
5672	powershell.exe
2352	powershell.exe
5184	powershell.exe
2328	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	1f0343adab1970d928320ce2aa587fd3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 13 IoCs

pid	Process
1328	sihost.exe
1064	sihost.exe
5676	sihost.exe
4772	sihost.exe
1968	sihost.exe
3480	sihost.exe
4016	sihost.exe
4460	sihost.exe
5804	sihost.exe
4228	sihost.exe
5264	sihost.exe
6044	sihost.exe
1988	sihost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Java\RCX817A.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX8390.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX83FE.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\886983d96e3d3e	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Java\RCX817B.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCX92CE.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCX934C.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Java\lsass.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Java\lsass.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Java\6203df4a6bafc7	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\6cb0b6c459d5d3	1f0343adab1970d928320ce2aa587fd3.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\1f0343adab1970d928320ce2aa587fd3.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\TAPI\49576f6967acf4	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Web\4K\Wallpaper\Windows\RCX7D32.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\TAPI\1f0343adab1970d928320ce2aa587fd3.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\121e5b5079f7c0	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\L2Schemas\RCX97E3.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Web\4K\Wallpaper\Windows\sysmon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Web\4K\Wallpaper\Windows\RCX7CF2.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\TAPI\RCX8B37.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\L2Schemas\RCX97E4.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Web\4K\Wallpaper\Windows\sysmon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\L2Schemas\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\TAPI\RCX8B38.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	1f0343adab1970d928320ce2aa587fd3.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2752	schtasks.exe
1296	schtasks.exe
4940	schtasks.exe
5036	schtasks.exe
4836	schtasks.exe
4784	schtasks.exe
528	schtasks.exe
4032	schtasks.exe
3536	schtasks.exe
1592	schtasks.exe
3656	schtasks.exe
4932	schtasks.exe
4948	schtasks.exe
3312	schtasks.exe
4456	schtasks.exe
4772	schtasks.exe
4756	schtasks.exe
4900	schtasks.exe
3996	schtasks.exe
3180	schtasks.exe
3192	schtasks.exe
4980	schtasks.exe
3544	schtasks.exe
5784	schtasks.exe
4808	schtasks.exe
4588	schtasks.exe
5100	schtasks.exe
1660	schtasks.exe
1104	schtasks.exe
1644	schtasks.exe
2456	schtasks.exe
3340	schtasks.exe
2388	schtasks.exe
4544	schtasks.exe
5396	schtasks.exe
4508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
1384	1f0343adab1970d928320ce2aa587fd3.exe
5672	powershell.exe
5672	powershell.exe
1232	powershell.exe
1232	powershell.exe
2328	powershell.exe
2328	powershell.exe
1504	powershell.exe
776	powershell.exe
1504	powershell.exe
776	powershell.exe
3060	powershell.exe
3060	powershell.exe
5356	powershell.exe
5356	powershell.exe
2352	powershell.exe
2352	powershell.exe
6028	powershell.exe
6028	powershell.exe
660	powershell.exe
660	powershell.exe
1956	powershell.exe
1956	powershell.exe
5208	powershell.exe
5208	powershell.exe
5184	powershell.exe
5184	powershell.exe
5184	powershell.exe
1504	powershell.exe
5672	powershell.exe
2328	powershell.exe
1232	powershell.exe
5208	powershell.exe
776	powershell.exe
5356	powershell.exe
660	powershell.exe
2352	powershell.exe
3060	powershell.exe
6028	powershell.exe
1956	powershell.exe
1328	sihost.exe
1064	sihost.exe
5676	sihost.exe
4772	sihost.exe
1968	sihost.exe
1968	sihost.exe
3480	sihost.exe
3480	sihost.exe
4016	sihost.exe
4460	sihost.exe
5804	sihost.exe
4228	sihost.exe
5264	sihost.exe
5264	sihost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	5672	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	6028	powershell.exe
Token: SeDebugPrivilege	5184	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	5208	powershell.exe
Token: SeDebugPrivilege	1328	sihost.exe
Token: SeDebugPrivilege	1064	sihost.exe
Token: SeDebugPrivilege	5676	sihost.exe
Token: SeDebugPrivilege	4772	sihost.exe
Token: SeDebugPrivilege	1968	sihost.exe
Token: SeDebugPrivilege	3480	sihost.exe
Token: SeDebugPrivilege	4016	sihost.exe
Token: SeDebugPrivilege	4460	sihost.exe
Token: SeDebugPrivilege	5804	sihost.exe
Token: SeDebugPrivilege	4228	sihost.exe
Token: SeDebugPrivilege	5264	sihost.exe
Token: SeDebugPrivilege	6044	sihost.exe
Token: SeDebugPrivilege	1988	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 776	1384	1f0343adab1970d928320ce2aa587fd3.exe	124
PID 1384 wrote to memory of 776	1384	1f0343adab1970d928320ce2aa587fd3.exe	124
PID 1384 wrote to memory of 1504	1384	1f0343adab1970d928320ce2aa587fd3.exe	125
PID 1384 wrote to memory of 1504	1384	1f0343adab1970d928320ce2aa587fd3.exe	125
PID 1384 wrote to memory of 5356	1384	1f0343adab1970d928320ce2aa587fd3.exe	126
PID 1384 wrote to memory of 5356	1384	1f0343adab1970d928320ce2aa587fd3.exe	126
PID 1384 wrote to memory of 3060	1384	1f0343adab1970d928320ce2aa587fd3.exe	127
PID 1384 wrote to memory of 3060	1384	1f0343adab1970d928320ce2aa587fd3.exe	127
PID 1384 wrote to memory of 5672	1384	1f0343adab1970d928320ce2aa587fd3.exe	128
PID 1384 wrote to memory of 5672	1384	1f0343adab1970d928320ce2aa587fd3.exe	128
PID 1384 wrote to memory of 2352	1384	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 1384 wrote to memory of 2352	1384	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 1384 wrote to memory of 1232	1384	1f0343adab1970d928320ce2aa587fd3.exe	130
PID 1384 wrote to memory of 1232	1384	1f0343adab1970d928320ce2aa587fd3.exe	130
PID 1384 wrote to memory of 5208	1384	1f0343adab1970d928320ce2aa587fd3.exe	131
PID 1384 wrote to memory of 5208	1384	1f0343adab1970d928320ce2aa587fd3.exe	131
PID 1384 wrote to memory of 5184	1384	1f0343adab1970d928320ce2aa587fd3.exe	132
PID 1384 wrote to memory of 5184	1384	1f0343adab1970d928320ce2aa587fd3.exe	132
PID 1384 wrote to memory of 6028	1384	1f0343adab1970d928320ce2aa587fd3.exe	133
PID 1384 wrote to memory of 6028	1384	1f0343adab1970d928320ce2aa587fd3.exe	133
PID 1384 wrote to memory of 660	1384	1f0343adab1970d928320ce2aa587fd3.exe	134
PID 1384 wrote to memory of 660	1384	1f0343adab1970d928320ce2aa587fd3.exe	134
PID 1384 wrote to memory of 2328	1384	1f0343adab1970d928320ce2aa587fd3.exe	135
PID 1384 wrote to memory of 2328	1384	1f0343adab1970d928320ce2aa587fd3.exe	135
PID 1384 wrote to memory of 1956	1384	1f0343adab1970d928320ce2aa587fd3.exe	136
PID 1384 wrote to memory of 1956	1384	1f0343adab1970d928320ce2aa587fd3.exe	136
PID 1384 wrote to memory of 3140	1384	1f0343adab1970d928320ce2aa587fd3.exe	150
PID 1384 wrote to memory of 3140	1384	1f0343adab1970d928320ce2aa587fd3.exe	150
PID 3140 wrote to memory of 3312	3140	cmd.exe	152
PID 3140 wrote to memory of 3312	3140	cmd.exe	152
PID 3140 wrote to memory of 1328	3140	cmd.exe	153
PID 3140 wrote to memory of 1328	3140	cmd.exe	153
PID 1328 wrote to memory of 720	1328	sihost.exe	156
PID 1328 wrote to memory of 720	1328	sihost.exe	156
PID 1328 wrote to memory of 4168	1328	sihost.exe	157
PID 1328 wrote to memory of 4168	1328	sihost.exe	157
PID 720 wrote to memory of 1064	720	WScript.exe	160
PID 720 wrote to memory of 1064	720	WScript.exe	160
PID 1064 wrote to memory of 4444	1064	sihost.exe	162
PID 1064 wrote to memory of 4444	1064	sihost.exe	162
PID 1064 wrote to memory of 1880	1064	sihost.exe	163
PID 1064 wrote to memory of 1880	1064	sihost.exe	163
PID 4444 wrote to memory of 5676	4444	WScript.exe	166
PID 4444 wrote to memory of 5676	4444	WScript.exe	166
PID 5676 wrote to memory of 4416	5676	sihost.exe	167
PID 5676 wrote to memory of 4416	5676	sihost.exe	167
PID 5676 wrote to memory of 3176	5676	sihost.exe	168
PID 5676 wrote to memory of 3176	5676	sihost.exe	168
PID 4416 wrote to memory of 4772	4416	WScript.exe	171
PID 4416 wrote to memory of 4772	4416	WScript.exe	171
PID 4772 wrote to memory of 2848	4772	sihost.exe	172
PID 4772 wrote to memory of 2848	4772	sihost.exe	172
PID 4772 wrote to memory of 3568	4772	sihost.exe	173
PID 4772 wrote to memory of 3568	4772	sihost.exe	173
PID 2848 wrote to memory of 1968	2848	WScript.exe	174
PID 2848 wrote to memory of 1968	2848	WScript.exe	174
PID 1968 wrote to memory of 5312	1968	sihost.exe	175
PID 1968 wrote to memory of 5312	1968	sihost.exe	175
PID 1968 wrote to memory of 4764	1968	sihost.exe	176
PID 1968 wrote to memory of 4764	1968	sihost.exe	176
PID 5312 wrote to memory of 3480	5312	WScript.exe	177
PID 5312 wrote to memory of 3480	5312	WScript.exe	177
PID 3480 wrote to memory of 4240	3480	sihost.exe	178
PID 3480 wrote to memory of 4240	3480	sihost.exe	178

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
"C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\4K\Wallpaper\Windows\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dF2fQXFAj5.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3312
- - C:\Recovery\WindowsRE\sihost.exe
    "C:\Recovery\WindowsRE\sihost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34abee0-4e16-4db5-aa1a-cdad28eb50e2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0211a782-2684-4a5e-9a27-b9b7f50f1509.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66b0240-1921-4611-8dfe-70f75c05d1be.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a57703f2-892c-4c97-a1ff-5c8981725acd.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad053451-30f6-4deb-a53b-b35c8badd3cf.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5312
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a566d64a-a6c9-437e-8407-7b09e26d6345.vbs"
        14⤵
        
        PID:4240
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85f0c184-1a57-4c6d-b4ff-9538f81818cb.vbs"
        16⤵
        
        PID:2484
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e61359c2-d6b6-43f7-b2b0-cb224dd2155b.vbs"
        18⤵
        
        PID:2468
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60a1e4c7-ccdb-4660-8796-b2aa6f1d9755.vbs"
        20⤵
        
        PID:5512
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce57e8eb-0abd-4ad4-a0a7-078c3c4945aa.vbs"
        22⤵
        
        PID:4748
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca1d73b-50b8-4308-89ce-44dd2d4eb6e2.vbs"
        24⤵
        
        PID:2728
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96abdb90-8794-4432-8401-08dcd88518da.vbs"
        26⤵
        
        PID:924
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1d77257-6c9a-4157-bc7d-ce60292dfe4a.vbs"
        28⤵
        
        PID:5180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\149dabbb-db24-42b8-b1cf-ac8ac6bc1c99.vbs"
        28⤵
        
        PID:4916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f06fa0dd-332c-4786-88b4-7214188b6506.vbs"
        26⤵
        
        PID:4688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01e482fc-bf78-427c-9326-b3f0a888fd07.vbs"
        24⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd912b21-3565-4d19-b22c-31bfb83c1688.vbs"
        22⤵
        
        PID:5812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ea54774-d365-4f6a-bcad-e5b7f37f7839.vbs"
        20⤵
        
        PID:3520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a5b8f55-657b-4fe4-b4b7-77f0a9a2fb59.vbs"
        18⤵
        
        PID:3812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f9b061c-3555-42e1-b513-3c721734e339.vbs"
        16⤵
        
        PID:3696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\446ca6f2-a597-45eb-87e8-9fd62802ca54.vbs"
        14⤵
        
        PID:4388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba591ca0-2d0a-4043-9bdc-ceb42e0290be.vbs"
        12⤵
        
        PID:4764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5c6b6a8-7efa-48cd-8d15-986eb54b0e8a.vbs"
        10⤵
        
        PID:3568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96276eb4-d1ab-43b6-9eb3-a0e586d7e22e.vbs"
        8⤵
        
        PID:3176
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e781400d-9ead-46a2-8d1e-80eaa6c5379a.vbs"
        6⤵
        
        PID:1880
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61cd6c53-c256-44c8-95af-3a5748bdcd2f.vbs"
      4⤵
      PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Web\4K\Wallpaper\Windows\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\4K\Wallpaper\Windows\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\f170d29a37c9c9775251\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd31" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\1f0343adab1970d928320ce2aa587fd3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd3" /sc ONLOGON /tr "'C:\Windows\TAPI\1f0343adab1970d928320ce2aa587fd3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd31" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\1f0343adab1970d928320ce2aa587fd3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Java\Java Update\dwm.exe

Filesize
1.6MB

MD5
22815ebfa93a786c0805d192318a237a

SHA1
133bff94d97f2950795d1b9535f6f8d42cb720bf

SHA256
b553caa72570a4c2c4b4cfbce003db67ae7935173254ec1aa8b4af0af824ef87

SHA512
48eac1afbb70701aee459e6a34a5de6d664034774d2c12145faf505fb8b17f9156603f50ed13e59bee906395607b26f6e8833b2ff1d5faae5658e44f2026eef8

Download Submit
C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe

Filesize
1.6MB

MD5
3d8b6a1d9ec373171104726766c738f4

SHA1
dc8cd0c6bb49609d7afa093c955db7983a3528ef

SHA256
26bc914b821e0fa7aa076ba117c6b2929a1084dc75872d9d0cb95ffce9cfe8d8

SHA512
1bd0a5a16697e8419ed592055cc90fe6bf1c0d6f95beb85da9eadf4e4f0419ead7eedaaa232b31ed1e73b9e26975290bf1e4b31aceace21a801eee8f6b5cdfc1

Download Submit
C:\Recovery\WindowsRE\sihost.exe

Filesize
1.6MB

MD5
fba1fffc91a4a55e751b4fc1586ba3df

SHA1
cb3b1cc6a2d5a6e1966699e64fea8162696ac1f9

SHA256
783dbde84736d55ba8ff1e3de0710ba7df1ebc28a6bcc84783d500da6cd0dea2

SHA512
0c8ece9b990f1bf74d95775c6f555d6d0a25b6c8c3e903b2ced6f1004ac78f54f5787be8defd340178aa907a35d5b5978cefb97c60ac3322d905e951b845c6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cfa8d0869a20aa4c39253105e95bc291

SHA1
a7c5af1ace23fe0b418be76d9d3a579ba0e173a5

SHA256
da3e6f6ae9e4b0f5f4f05be90e7afb6b3b8b92225e6d9afab6701af5eff435fe

SHA512
e9960eefffe4356d1ae01a76eec517046759e49ed9cb45e2801ab22d04a5fdd00676f5d677c04826b75a2381291ba032578d9b153dda4daac56a8bab1b92879b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2e67766ebbf9a065d2d6698d1e76a22

SHA1
880bd6eb37a65027fd6b100beb69326469e62786

SHA256
2123e4031ccd3bb8f144c209b0d0b1fc37623a472caa18fa31b6ccf787001120

SHA512
d39497ddd1abb45733a35e4fa7a9958cc736addbd37e18820cc3149b704814e9db4d8146e6737fcb2e3c93c0e945d567d0995c7657e982c574886b29dfdd8a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16e669660431a76b6985bae6a3e0ca0f

SHA1
55aead2478e085cc4fa52035dc6d3e9ceb856485

SHA256
df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2

SHA512
ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3f0db2be09ea50e93f81f83a58fdc049

SHA1
862883227880dde307538079454109d35f39723e

SHA256
b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d

SHA512
a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6428bb418e23150d43c05d209fb230e5

SHA1
4f6302b8d65aa0ec0735bc647fb01c0401ce8908

SHA256
89b781ea87dcdb5761d6c329a50cce5ee5d624029f790be411c2eea79acf465d

SHA512
ae3bd20cefd5a44cebfece88460d117b90cfb88e32df965a8db51c3adf32f333ef9f04e5904f0f92793e24276db0b58ebefc23411fe5b53236d0665361eb4a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\0211a782-2684-4a5e-9a27-b9b7f50f1509.vbs

Filesize
708B

MD5
2c79a4ac00484f99fbe33d9922f0a0f4

SHA1
f10f30b5cce723f1838e540497436cf9e1a033ef

SHA256
3387213995f2a7482cd4fcadc34847e1941b2401776afafb855ff78b288441ff

SHA512
9a08d4088c1888a38ca9ea0ab8f8da5b288606366661f67e5858db0b18681a4f1ca61b6627a3b4fb98ad517e1374f47bcb62426a200cac5ee6d1c3d37b947cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\60a1e4c7-ccdb-4660-8796-b2aa6f1d9755.vbs

Filesize
708B

MD5
10a60d09a056cd2810f9162a9e4d27b6

SHA1
c3f10f8c4f87b90b887126d89a1132a81dc5a5c9

SHA256
91069283a54b9b87291733fe79d4429fe3b36df9dcc48514d007c2ff1a9a117d

SHA512
bbcd8f56d71fd0d0b50cd800527ecfa72af54c70cba276043b17f17b14830e6eb40fa7b9cebe5fb2a676a7cf95ad629df674d803a5e18659e76b065598633986

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cd6c53-c256-44c8-95af-3a5748bdcd2f.vbs

Filesize
484B

MD5
ef94a70b91e720734aa2298d42dadb8e

SHA1
f9b573812e84b68cf226c230f593626ea62203de

SHA256
f564223f9ec521b6a13a1dbbc96a43b10afab8c8798236654170746a4ca21d3f

SHA512
ad797f8dbba68cb6799b32142cecf3dd39cf425a1ff8d5f48b394a3742506acccaf36c61a158db0751be8b63b11181c33b0246d04ef37082920eb750fc175d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\85f0c184-1a57-4c6d-b4ff-9538f81818cb.vbs

Filesize
708B

MD5
fd035aa3d87943299e1360f4b2e0d342

SHA1
5be304ae1ce4cffefd7dae2d8f2d2f8f70876bae

SHA256
f6213a527bd703ebc15375a658ea669b21685dc0ac02fa68fabd7d5b2500492d

SHA512
9904863bf79ebc99bc14576eaa4630de2cfbadb7d135123f6b55e4d574e47778d4476c7c25187799c1c7a7b3d76f84758426aa5fa08bb390592f4c0d0c903915

Download Submit
C:\Users\Admin\AppData\Local\Temp\96abdb90-8794-4432-8401-08dcd88518da.vbs

Filesize
708B

MD5
63ce4abef35224e7147e9baad4630714

SHA1
21e179581dc5a559abb1b7a5edb064fc58fc5c98

SHA256
0d9722659e5bbe70bfdb13617921807787db14ea1f044d305d88adb71bb71a62

SHA512
2157f793dc79254bcc73287ee0a95b9660b9d40047c82a98c3814b6440c23692b3e2118bf71df9396f4734fb6d3242bd4e13b83e82dd50830c5d74b1cae90fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ca1d73b-50b8-4308-89ce-44dd2d4eb6e2.vbs

Filesize
708B

MD5
fc13df85584d54412d810b1f6ff288d8

SHA1
ef7702925529bdb9af31a089d7998da58cd384d9

SHA256
bfd4412e31fd7a7f66902d46641574992ff2a264a190325c2aa73113b35707e9

SHA512
4cfcf897971907a0d461bbaa80a9c537774396baa0e294c4b895a502d5b69457b0fe60f5c63f787bb3e3a8d28ae39fa7ac2e4e95154b79f25c11b89eb0e4f8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14ef0ca4.fcz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a566d64a-a6c9-437e-8407-7b09e26d6345.vbs

Filesize
708B

MD5
3d37ec2cc38864d9709432cfe5d32201

SHA1
ec1d58ca20900d973bbfb12cafd6e1e93c47ab15

SHA256
120d9d19cec709bd5d6fad2329319adb2255283855b10deba6061b31252ea9d1

SHA512
196927a7c35eb3645af1063a918f15aa1648fa556ebc0a2ef271a7174c5d94893b46d0f77d159baad553d11fc8019d544b2d21479e5d53b529aa077ff2375d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\a57703f2-892c-4c97-a1ff-5c8981725acd.vbs

Filesize
708B

MD5
cb21028bec063b5e5f562e08c4bc8c60

SHA1
0f83aec835ab5803ef921685dc48d6a75ecee7c9

SHA256
7a476811be40c2615ae42f30ac8d5f4c4ff3f08023e7752ad18a4daa5daebcd3

SHA512
cea24379c32658a7e3894bde5c247491728ab3ea5c4b291b0ac3102b94735b13849779c67d08a9636b29b14d0728d3fa282c87a7108a3b54faf6ca729713f637

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad053451-30f6-4deb-a53b-b35c8badd3cf.vbs

Filesize
708B

MD5
ee4490b3c5d54f7f3c35da90b79d0c8b

SHA1
58fa2dc1dc6104c8ac4c2d8f56205f013a3d85ff

SHA256
c4a3fd577fd11c26fb8658d1462a1ec335291ae612b96cee4e4f85de0d27cffb

SHA512
647612c28b7dd6010015b0288ab3599a8aae4d6668e464d9adabb4c8264b5f1b529fa2b776173d25c0aedb61f649341bb1d9b700bac0a1e8becb7b2a6350c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\b66b0240-1921-4611-8dfe-70f75c05d1be.vbs

Filesize
708B

MD5
a65814c359b48a6b2bd3ca4ae7c70b30

SHA1
9a0bcf0ce452fb8a7394ac4d71cedbb944d992c0

SHA256
ce87226d122e10a9530f809851abc97302387d8854440acc9998caa2bad819f4

SHA512
a3f719cf2130d23125909a5a0d25696e919fb2ea2ca62c51bbe2e12a69933318b78b22f01403e36be0a0d675ec42423cbc8be94c8f6ac0ed774190d71bd4bd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce57e8eb-0abd-4ad4-a0a7-078c3c4945aa.vbs

Filesize
708B

MD5
48df1e20667e36e604550fa12973c30f

SHA1
7e8311c496d8f9de1c67d9879a129f8b77ae1111

SHA256
c99234fb14c77d0d5f54d4658f5ae7164757cbb95305146b3433a36b5706b890

SHA512
6fe77756c8e99f7a731aa4546bc8142729f9a0edb6689ce2c71bfbf1ee2e69291e2d14ae4915074d8b61e0f0362409b66f6ee79ea139ea1537e8cbaeed0d097a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d34abee0-4e16-4db5-aa1a-cdad28eb50e2.vbs

Filesize
708B

MD5
704ad44eaa79c91f92fcfc3966e13c9a

SHA1
8f3448d563fb64003d5aaf44640f617a81658680

SHA256
48cc21d5e37e6bddd64d4a796fe6843f7c9ce16ddbd68bf6d06c938d9707be41

SHA512
d405f10c32764d6b980318c4268245082b9c07fac7e7282cbc3fee15ffb981d94b1366e3fe5f054dbe0ff35107ff31054f6cfe9878c07f9dace2650d5d979fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dF2fQXFAj5.bat

Filesize
197B

MD5
c34af499b7bb3741c34bbd1db799ffae

SHA1
abd9a51802aaa4f1caa0ac0340bd286b0528934a

SHA256
055ef1a0689200487b4ec1a48597661b8268b401e7157cfefb08742a7ad4ad3d

SHA512
2eca9e5023c44823f4553d39866ff1462e9802c1eaac9a4953a30c4f37f237f674f691638b891ba9b370cd0c56a2a2cfb9a252384e6dd7baa5c0d39fa70caa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e61359c2-d6b6-43f7-b2b0-cb224dd2155b.vbs

Filesize
708B

MD5
927b78d7e35973d6100206d3ea52a634

SHA1
28c6d04d4a2deb1d4c17fee7fe4e65aeb29bdc89

SHA256
b1483ae36a812b79d273f4524ca89159900d19674e1e4f80b2ff7591f3e02cb9

SHA512
7ccce21bd19b41282358a3e89475c4620c3dac8c26df37887318d34ab484d3a0124a6282ab88e0a927a2da03e2035355a2312604db3b848e6d44953de8ae57ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5a120477f54a1127022ade7edd174140348904a.exe

Filesize
1.6MB

MD5
1b8c678ffa9cf4061733d6b25eea2636

SHA1
1387ecba77e160fedbb6eed11dbfbbb1a60a012e

SHA256
da9722de9ec15f03048671c84a95010a3284907f68aca363a0e12d0732e33b24

SHA512
6a5bbce1d47c1b49476541eadef323b55b81c965f721bac5eb6ce18aec531d0e2e549c23c60ad4bb10d55096c83c6ccfc0367f370f7118b407c0fb287bfc202a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\fontdrvhost.exe

Filesize
1.6MB

MD5
bb0551577de6e643b263d1e33271a3e8

SHA1
983915a85bb5cc6064c8d3a8dce47b6c305cb64e

SHA256
59190dcaafc64bfe2aad461dc2fbc51878ba0e6b8b587da23a07f781ec2dd549

SHA512
53d020255d81e916de44ada7a91498538aa7a88ac128ccc8ba7c3beba1bf6ff6e4ba7da225259105343a0b2b2fda2aea6b9ccb7efb9dcee8f0bcf3df7c8c654f

Download Submit
C:\Users\Public\AccountPictures\Registry.exe

Filesize
1.6MB

MD5
1f0343adab1970d928320ce2aa587fd3

SHA1
e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8

SHA256
9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4

SHA512
c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c

Download Submit
C:\Users\Public\AccountPictures\Registry.exe

Filesize
1.6MB

MD5
4302757fdddfb93a61bc3b010915d23d

SHA1
f799de064d70edcc9ac8a12e71da8a39d2750e22

SHA256
18013c76bed26db4fb3c25b21e30d1d1147a372646a26d49424a581de86bacf0

SHA512
d9ab69c1d518a71b785a1d045cd420c729d41d39321651b4e51f5e6bdf75794e02d4c38d350a43dba83dd36949f17f9d1fed79b92e2dfa0bfc0566af72695774

Download Submit
C:\f170d29a37c9c9775251\RuntimeBroker.exe

Filesize
1.6MB

MD5
509525fe92b681f3e1b75bb57986789b

SHA1
674137f50940e505e9522696cd4e3a80c7d63ca5

SHA256
fcd63e2f12183df15134c375588b462faf67ff3ce46597cea5ad80a4eb1856ff

SHA512
f88da9e3b5fcc41ca9f6f166c12d469334af49312c0f0c9956bb6d319c4b5f99ae7ee272eb95174ca2e5c35fc0a51af3cdfa655677a6909771cb1658c06fd87c

Download Submit
memory/1328-338-0x0000000000760000-0x0000000000902000-memory.dmp

Filesize
1.6MB

Download
memory/1384-12-0x000000001C340000-0x000000001C34A000-memory.dmp

Filesize
40KB

Download
memory/1384-10-0x0000000003180000-0x000000000318C000-memory.dmp

Filesize
48KB

Download
memory/1384-1-0x0000000000CF0000-0x0000000000E92000-memory.dmp

Filesize
1.6MB

Download
memory/1384-183-0x00007FFAD8A03000-0x00007FFAD8A05000-memory.dmp

Filesize
8KB

Download
memory/1384-17-0x000000001C390000-0x000000001C39C000-memory.dmp

Filesize
48KB

Download
memory/1384-14-0x000000001C360000-0x000000001C368000-memory.dmp

Filesize
32KB

Download
memory/1384-16-0x000000001C380000-0x000000001C38A000-memory.dmp

Filesize
40KB

Download
memory/1384-15-0x000000001C370000-0x000000001C378000-memory.dmp

Filesize
32KB

Download
memory/1384-0-0x00007FFAD8A03000-0x00007FFAD8A05000-memory.dmp

Filesize
8KB

Download
memory/1384-13-0x000000001C350000-0x000000001C35E000-memory.dmp

Filesize
56KB

Download
memory/1384-11-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/1384-196-0x00007FFAD8A00000-0x00007FFAD94C1000-memory.dmp

Filesize
10.8MB

Download
memory/1384-9-0x0000000003170000-0x0000000003178000-memory.dmp

Filesize
32KB

Download
memory/1384-6-0x00000000030E0000-0x00000000030F6000-memory.dmp

Filesize
88KB

Download
memory/1384-8-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/1384-7-0x0000000003100000-0x0000000003108000-memory.dmp

Filesize
32KB

Download
memory/1384-4-0x0000000003120000-0x0000000003170000-memory.dmp

Filesize
320KB

Download
memory/1384-5-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/1384-3-0x00000000030B0000-0x00000000030CC000-memory.dmp

Filesize
112KB

Download
memory/1384-2-0x00007FFAD8A00000-0x00007FFAD94C1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-190-0x00000288499D0000-0x00000288499F2000-memory.dmp

Filesize
136KB

Download