dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Size

1.6MB
MD5

2c4dbe075f37719580a096bf67bf048e
SHA1

71673f7af94683985e875f3db73cbf1a5509228e
SHA256

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567
SHA512

6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2376	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2376	schtasks.exe	31

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/2336-1-0x00000000002E0000-0x0000000000482000-memory.dmp	dcrat
behavioral25/files/0x000500000001a413-25.dat	dcrat
behavioral25/files/0x000600000001c870-89.dat	dcrat
behavioral25/files/0x000d00000001225f-100.dat	dcrat
behavioral25/files/0x000a00000001a03b-123.dat	dcrat
behavioral25/files/0x000700000001a2d2-134.dat	dcrat
behavioral25/memory/2628-300-0x0000000001190000-0x0000000001332000-memory.dmp	dcrat
behavioral25/memory/2320-400-0x0000000000200000-0x00000000003A2000-memory.dmp	dcrat
behavioral25/memory/2680-412-0x0000000001380000-0x0000000001522000-memory.dmp	dcrat
behavioral25/memory/2248-435-0x0000000000260000-0x0000000000402000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1548	powershell.exe
1076	powershell.exe
752	powershell.exe
2568	powershell.exe
1656	powershell.exe
1388	powershell.exe
2192	powershell.exe
2840	powershell.exe
2312	powershell.exe
3032	powershell.exe
3028	powershell.exe
448	powershell.exe
3056	powershell.exe
2284	powershell.exe
1048	powershell.exe
3036	powershell.exe
1916	powershell.exe
2400	powershell.exe
1932	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2628	dwm.exe
2792	dwm.exe
308	dwm.exe
2020	dwm.exe
2320	dwm.exe
2680	dwm.exe
2064	dwm.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\cc11b995f2a76d	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXFE24.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\RCX1408.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\RCX1FD3.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\RCX1FD4.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\winlogon.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\56085415360792	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\7a0fd90576e088	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\5940a34987c991	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\winlogon.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX4BE.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX52C.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\27d1bcfc3c54e0	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXFDB6.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\RCX47.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\RCXB5.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\RCX1476.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\ja-JP\dllhost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\dllhost.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\CRMLog\Idle.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX167A.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\security\templates\101b941d020240	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\AppCompat\Programs\0a1fd5f707cd16	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\security\templates\RCXBC6.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\security\templates\lsm.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Tasks\RCXFBA2.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\security\templates\RCXBC7.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX1203.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX167B.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\AppCompat\Programs\sppsvc.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Registration\CRMLog\Idle.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\AppCompat\Programs\sppsvc.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX1204.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Tasks\OSPPSVC.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Tasks\1610b97d3ab4a7	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\security\templates\lsm.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Registration\CRMLog\6ccacd8608530f	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Tasks\RCXFBA3.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Tasks\OSPPSVC.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1252	schtasks.exe
1592	schtasks.exe
1768	schtasks.exe
2616	schtasks.exe
2644	schtasks.exe
2780	schtasks.exe
2480	schtasks.exe
2548	schtasks.exe
1312	schtasks.exe
2056	schtasks.exe
2756	schtasks.exe
2656	schtasks.exe
2024	schtasks.exe
3036	schtasks.exe
2464	schtasks.exe
1912	schtasks.exe
832	schtasks.exe
2660	schtasks.exe
2712	schtasks.exe
2708	schtasks.exe
1776	schtasks.exe
1728	schtasks.exe
2652	schtasks.exe
2784	schtasks.exe
2812	schtasks.exe
2844	schtasks.exe
1852	schtasks.exe
1528	schtasks.exe
268	schtasks.exe
2340	schtasks.exe
2916	schtasks.exe
2920	schtasks.exe
2032	schtasks.exe
752	schtasks.exe
1936	schtasks.exe
2188	schtasks.exe
2928	schtasks.exe
1984	schtasks.exe
1964	schtasks.exe
2680	schtasks.exe
1924	schtasks.exe
2076	schtasks.exe
1560	schtasks.exe
2428	schtasks.exe
2956	schtasks.exe
1520	schtasks.exe
1708	schtasks.exe
1556	schtasks.exe
1500	schtasks.exe
1568	schtasks.exe
560	schtasks.exe
3016	schtasks.exe
2192	schtasks.exe
1516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
2840	powershell.exe
752	powershell.exe
3032	powershell.exe
1548	powershell.exe
3028	powershell.exe
1916	powershell.exe
2568	powershell.exe
1656	powershell.exe
2284	powershell.exe
3036	powershell.exe
1048	powershell.exe
448	powershell.exe
3056	powershell.exe
2192	powershell.exe
1932	powershell.exe
2400	powershell.exe
1388	powershell.exe
1076	powershell.exe
2628	dwm.exe
2792	dwm.exe
308	dwm.exe
2020	dwm.exe
2320	dwm.exe
2680	dwm.exe
2064	dwm.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2628	dwm.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2792	dwm.exe
Token: SeDebugPrivilege	308	dwm.exe
Token: SeDebugPrivilege	2020	dwm.exe
Token: SeDebugPrivilege	2320	dwm.exe
Token: SeDebugPrivilege	2680	dwm.exe
Token: SeDebugPrivilege	2064	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 752	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	86
PID 2336 wrote to memory of 752	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	86
PID 2336 wrote to memory of 752	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	86
PID 2336 wrote to memory of 2568	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	87
PID 2336 wrote to memory of 2568	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	87
PID 2336 wrote to memory of 2568	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	87
PID 2336 wrote to memory of 1932	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	88
PID 2336 wrote to memory of 1932	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	88
PID 2336 wrote to memory of 1932	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	88
PID 2336 wrote to memory of 1656	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	89
PID 2336 wrote to memory of 1656	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	89
PID 2336 wrote to memory of 1656	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	89
PID 2336 wrote to memory of 1548	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	91
PID 2336 wrote to memory of 1548	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	91
PID 2336 wrote to memory of 1548	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	91
PID 2336 wrote to memory of 1048	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	93
PID 2336 wrote to memory of 1048	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	93
PID 2336 wrote to memory of 1048	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	93
PID 2336 wrote to memory of 3032	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	94
PID 2336 wrote to memory of 3032	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	94
PID 2336 wrote to memory of 3032	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	94
PID 2336 wrote to memory of 2400	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	96
PID 2336 wrote to memory of 2400	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	96
PID 2336 wrote to memory of 2400	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	96
PID 2336 wrote to memory of 2312	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	97
PID 2336 wrote to memory of 2312	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	97
PID 2336 wrote to memory of 2312	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	97
PID 2336 wrote to memory of 3028	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	98
PID 2336 wrote to memory of 3028	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	98
PID 2336 wrote to memory of 3028	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	98
PID 2336 wrote to memory of 1916	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	99
PID 2336 wrote to memory of 1916	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	99
PID 2336 wrote to memory of 1916	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	99
PID 2336 wrote to memory of 2840	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	100
PID 2336 wrote to memory of 2840	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	100
PID 2336 wrote to memory of 2840	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	100
PID 2336 wrote to memory of 2192	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	102
PID 2336 wrote to memory of 2192	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	102
PID 2336 wrote to memory of 2192	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	102
PID 2336 wrote to memory of 2284	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	103
PID 2336 wrote to memory of 2284	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	103
PID 2336 wrote to memory of 2284	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	103
PID 2336 wrote to memory of 3056	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	104
PID 2336 wrote to memory of 3056	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	104
PID 2336 wrote to memory of 3056	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	104
PID 2336 wrote to memory of 3036	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	105
PID 2336 wrote to memory of 3036	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	105
PID 2336 wrote to memory of 3036	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	105
PID 2336 wrote to memory of 1388	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	106
PID 2336 wrote to memory of 1388	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	106
PID 2336 wrote to memory of 1388	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	106
PID 2336 wrote to memory of 1076	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	107
PID 2336 wrote to memory of 1076	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	107
PID 2336 wrote to memory of 1076	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	107
PID 2336 wrote to memory of 448	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	108
PID 2336 wrote to memory of 448	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	108
PID 2336 wrote to memory of 448	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	108
PID 2336 wrote to memory of 2628	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	124
PID 2336 wrote to memory of 2628	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	124
PID 2336 wrote to memory of 2628	2336	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	124
PID 2628 wrote to memory of 2980	2628	dwm.exe	125
PID 2628 wrote to memory of 2980	2628	dwm.exe	125
PID 2628 wrote to memory of 2980	2628	dwm.exe	125
PID 2628 wrote to memory of 2560	2628	dwm.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
"C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\templates\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\ja-JP\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Users\Default User\dwm.exe
  "C:\Users\Default User\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a0b2946-923d-4040-ab46-38f08da1f484.vbs"
    3⤵
    PID:2980
  - - C:\Users\Default User\dwm.exe
      "C:\Users\Default User\dwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2792
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55742951-b7f7-4a30-9e90-29eddb136e61.vbs"
        5⤵
        
        PID:3028
      - C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e06afca3-422d-4b0f-a7a6-60f30ac8017e.vbs"
        7⤵
        
        PID:3040
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54f508d1-92d4-44c6-9ca0-aa23699708c9.vbs"
        9⤵
        
        PID:2996
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4a4bb44-b14b-41e8-91b0-19654c82fff9.vbs"
        11⤵
        
        PID:868
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c16dc37c-bbe9-4eb4-921e-3726c55c494e.vbs"
        13⤵
        
        PID:1412
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d91a001-a35b-47e7-aced-706370315d70.vbs"
        15⤵
        
        PID:2212
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        16⤵
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2b17057-531e-4794-9cb7-183c82004af5.vbs"
        15⤵
        
        PID:1652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0b48bd1-9afc-4fb9-90ac-afa89df38cc5.vbs"
        13⤵
        
        PID:812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c44cb5e-ede1-4e5f-b1ca-1325bf7eecaf.vbs"
        11⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a8894d6-b689-4263-9675-b64807d44438.vbs"
        9⤵
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42d1b75a-f035-40ba-aec0-d33c87f34371.vbs"
        7⤵
        
        PID:2428
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e1bfd8-75c2-4fe1-8cbf-39f47a95cec0.vbs"
        5⤵
        
        PID:2540
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6dd1666-31e5-4752-b2ee-9a5a6f8ff9da.vbs"
    3⤵
    PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\security\templates\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\security\templates\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\explorer.exe

Filesize
1.6MB

MD5
ed29838b18c576017960d93dd76fb596

SHA1
c7ceb6ee0971352e59bff4d33e12b1250683bbe5

SHA256
1bc7e4441b24b9da8f3c668e3994cae8e09aff08e60a8b0ab984e271a99bc658

SHA512
75b1b9f0ad991c92cbfed9f5ca27b2e7a16a4e287753c965ea54eccce82e4f84ebe90eca5dea18c2eaeaaf6024bdb4afe080760829a2870b376577f24340d8e9

Download Submit
C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\System.exe

Filesize
1.6MB

MD5
47abcb8e2ec465147e604014864f7fd1

SHA1
8476f1edf247bc060ab25769c2b1bde18484145b

SHA256
885f0f6923bcb42a6f0e37f617e338dc88ca2970ba6dfbadc13ab1f58e9ec585

SHA512
208a3f5d31f2e9f85940939477c3dff5ab1d040e296c4f285f285722fbcbb55b08726f921a8bbdd860ad791e2a62ed1ab265d72519f78e6686ab3d3e2ffdb812

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe

Filesize
1.6MB

MD5
e4736486c94a4d7203b51b4791482d42

SHA1
c7d1b054d95a8ca49747e8971ef3e7282cc7e891

SHA256
6dab908bff0db099985d38d70ed88078559d6bfc8ed0fc31bbf6704a15042a2a

SHA512
a4c813a2d3fb300512322317ebb7a1cc721001eb983cf5f437106c92d4fbcb5cd18cc5790fe65eaf6f0646faae23eddd17a8008c7c4543adf82f90b65f214e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a0b2946-923d-4040-ab46-38f08da1f484.vbs

Filesize
705B

MD5
8327d264b6c23727e53662fc2f3b8728

SHA1
8df3e91587c379e05c3c714c09bb96e5fcbe0ce0

SHA256
ba461404310aa23d03a21a3da48b060911ab0f1a66773088c875582fc0e09076

SHA512
dccba4b1a8a35f9ccee1ba92df3a207a0fbbdba9691f430459c4a15cfdff971607f48ab935e9d165133a9df112515e43c0766ca3010a268ed64bc7e80e2266eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\54f508d1-92d4-44c6-9ca0-aa23699708c9.vbs

Filesize
705B

MD5
83bd3c05e9a4c96390f40d622a24c7df

SHA1
ef526c0c252e464996eb87e7df22a7294271c266

SHA256
2549bc3da141c37e9a15520f0115087b44553f40b481b04c699d88663b4d431a

SHA512
55410a9a347bc00621aa03d04264f48abc2b4643c8dec960f506e6f90cd4dec9f653ccb82109717d6b135bf2f2b6a9476a86dfdc13633a6595b3543d99fbc2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\55742951-b7f7-4a30-9e90-29eddb136e61.vbs

Filesize
705B

MD5
a94d59dd9829bbe8cce87a1fcbd7666b

SHA1
9e4c2eac29c5e6536d31d151d957b8a1fc4ab2dd

SHA256
b096a062185e90b922b88b56e7fc7db265ca57ee723a3316ef9f32affa8cc424

SHA512
95abc822f56de990a916985a690076c1f90f5fa322400111f258b739e651e48da6931d7174f829b4bf7f8fc20bcb64f25ceb5a409bde2aea6225fce67e4e0602

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d91a001-a35b-47e7-aced-706370315d70.vbs

Filesize
705B

MD5
ad74a1a4fcf449b0ba4ba73cdacd0156

SHA1
d98ab295f0829936fcaa33b9d4e0556863941b48

SHA256
0deaf0ecb23126c4a3a03d893bcb17419f872acb73f84cfe3d0c5f45175cdb71

SHA512
d288a8e084c1afc7bf7702946385c85db568124f5367ec491cc2bc1691104698fa4017f7d6e647d41e69a2db5aaec060bd4dfec07dd46c0fbdcc8ca2bf77de9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c16dc37c-bbe9-4eb4-921e-3726c55c494e.vbs

Filesize
705B

MD5
d3f38ba605e9e95423f914222ce755d9

SHA1
f2a051b2bf7a08b99e22419d9fadc65152186cca

SHA256
3e86b5fc83e06a92d1cba31a0a00fda3379852ff26f34aa3a360f0e22ac58824

SHA512
332b788a55477d39bbe1debfb28a29b5131e0cfaf1e19166de1cb3da30fd6aaaa285526e9cbd91141a75b096d8796f58ca66c8664c42b1e623415c53d8123fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e06afca3-422d-4b0f-a7a6-60f30ac8017e.vbs

Filesize
704B

MD5
09f8127550c134c56cd51185a5e5fb37

SHA1
3ce5ca3a32dabe88f680d234569bf69100e9b8ac

SHA256
7455b1591f7f47aca04bbb2dc423b0b356e9574c44c701687d14d4f68d817195

SHA512
2f2775fe2fc88cbc196f913ca8e93d762d449ad963465b4a6d8220d468fa6117acb094346c9175714f3c75a778f2d639effa0ed90f65936bfce16769b19024db

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6dd1666-31e5-4752-b2ee-9a5a6f8ff9da.vbs

Filesize
481B

MD5
83e87d8d2ba3339869e0ee630aa298bb

SHA1
36059ec131002aa9be1c5220959ad47e96f7323f

SHA256
267d1fef5b87ea91122ac43324346afa93efb731da5a47d93bcd96e8514b4c71

SHA512
810984242704cb0b58442df089890f099636de5f5099e74fb0c49b72d94100c3b6582fe110215a621bd996069f908dd5bbd476e08c7859e2cf9e6e375048c5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4a4bb44-b14b-41e8-91b0-19654c82fff9.vbs

Filesize
705B

MD5
5b79cc1ad5d0ccdb19b5f10de92a4004

SHA1
5ee2838386ff838884d848a139b727ae0c96ba97

SHA256
d9da7d61c94b813ad45c28cf09596b2079e364b3a66f35eff4df8d5d9feecbdb

SHA512
49826965f8af3c910eff2b37eb7f11828f92124c6769d2ab2c476484ae392a845a8ce860a4e9389c21091267972b64741979fb658c0cee53ea8db440aacde0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
39d6adb5ec190349e18bc42fb400556e

SHA1
9e7aceee8a65a68365ac5e58a6498edcb4c1b7a9

SHA256
3d833a36c7fe5d3a5e16a7e23f465908090b13692e7d6219846a19c77af31f75

SHA512
9dbc4870865e0826ab98742ca2cd8cdb85a3b5cb75a8c1e6f089a8d4a9274f1072d4e0e66a03d9721d9d1737051f8779bc325388e51ba23e96ab9fd43fdce11f

Download Submit
C:\Users\Default\dwm.exe

Filesize
1.6MB

MD5
2c4dbe075f37719580a096bf67bf048e

SHA1
71673f7af94683985e875f3db73cbf1a5509228e

SHA256
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567

SHA512
6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70

Download Submit
C:\Users\Public\Pictures\WMIADAP.exe

Filesize
1.6MB

MD5
e209e56bbf186fd7999288daf5d9c217

SHA1
63197f47decafcf0f996af962d4c6793f3821bb3

SHA256
ebaf9d7855a7718ac811e3210114a5715388705ea6397bdc97407fdea2d8849c

SHA512
a7edb42e74a0bc9f0d7d26d20a4340d53ec8bfda17caffeba20620d696e220295595209adce0e7bac2c5549c61345bf51a911c6d9daef4196f92cb0e6eacca44

Download Submit
memory/2248-435-0x0000000000260000-0x0000000000402000-memory.dmp

Filesize
1.6MB

Download
memory/2320-400-0x0000000000200000-0x00000000003A2000-memory.dmp

Filesize
1.6MB

Download
memory/2336-13-0x00000000007D0000-0x00000000007D8000-memory.dmp

Filesize
32KB

Download
memory/2336-11-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/2336-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2336-2-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-1-0x00000000002E0000-0x0000000000482000-memory.dmp

Filesize
1.6MB

Download
memory/2336-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2336-197-0x000007FEF5DF3000-0x000007FEF5DF4000-memory.dmp

Filesize
4KB

Download
memory/2336-8-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2336-15-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/2336-5-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/2336-6-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2336-7-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2336-356-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-14-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2336-0-0x000007FEF5DF3000-0x000007FEF5DF4000-memory.dmp

Filesize
4KB

Download
memory/2336-12-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/2336-16-0x00000000020B0000-0x00000000020BC000-memory.dmp

Filesize
48KB

Download
memory/2336-10-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/2336-9-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/2336-221-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2628-300-0x0000000001190000-0x0000000001332000-memory.dmp

Filesize
1.6MB

Download
memory/2680-412-0x0000000001380000-0x0000000001522000-memory.dmp

Filesize
1.6MB

Download
memory/2840-294-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2840-293-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download