dcrat | 4acea05ab0905a50470e55fcb4575e6feee6e7f5ae857bdd388818cee7a562c6

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
Size

1.6MB
MD5

f78812be8328346fd09f480c9737963a
SHA1

0db02b799e80a1659c9aede03b54a26aef2beb4a
SHA256

5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1
SHA512

4be91e19f7eb4d1475ad142cbe66620320f4ab62dbdf8555fe7701aa1d2ddd19d739c73b4a1c05669282de374ba1a5dca449464154bf141a62e6842250ad79ad
SSDEEP

24576:Usm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:UD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	580	schtasks.exe	31

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral19/memory/596-1-0x0000000000C40000-0x0000000000DE2000-memory.dmp	dcrat
behavioral19/files/0x0005000000019250-25.dat	dcrat
behavioral19/files/0x0006000000019451-94.dat	dcrat
behavioral19/files/0x0008000000018b4e-105.dat	dcrat
behavioral19/files/0x0008000000019250-125.dat	dcrat
behavioral19/files/0x0007000000019284-138.dat	dcrat
behavioral19/files/0x00090000000193b6-161.dat	dcrat
behavioral19/files/0x00060000000195f0-201.dat	dcrat
behavioral19/files/0x00080000000195f0-230.dat	dcrat
behavioral19/files/0x000c000000019625-263.dat	dcrat
behavioral19/files/0x0006000000019629-373.dat	dcrat
behavioral19/memory/2060-374-0x0000000001130000-0x00000000012D2000-memory.dmp	dcrat
behavioral19/memory/2420-430-0x0000000001370000-0x0000000001512000-memory.dmp	dcrat
behavioral19/memory/1588-442-0x0000000000270000-0x0000000000412000-memory.dmp	dcrat
behavioral19/memory/1352-454-0x0000000000EA0000-0x0000000001042000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
2484	powershell.exe
2496	powershell.exe
352	powershell.exe
2444	powershell.exe
2072	powershell.exe
2672	powershell.exe
2052	powershell.exe
764	powershell.exe
1616	powershell.exe
2272	powershell.exe
880	powershell.exe
1704	powershell.exe
3036	powershell.exe
1512	powershell.exe
1632	powershell.exe
3048	powershell.exe
2640	powershell.exe
2544	powershell.exe
2004	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2060	wininit.exe
2492	wininit.exe
2020	wininit.exe
764	wininit.exe
2724	wininit.exe
2420	wininit.exe
1588	wininit.exe
1352	wininit.exe
2360	wininit.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCXEB2F.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\services.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\Internet Explorer\System.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXE1D4.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXF6FC.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXFE03.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXFE71.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\Windows Mail\it-IT\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\9b0d468a48e315	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\Windows Mail\it-IT\9b0d468a48e315	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCXEAC1.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXF68E.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files\Internet Explorer\27d1bcfc3c54e0	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Program Files (x86)\Uninstall Information\services.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXE166.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Program Files\Internet Explorer\System.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\cc11b995f2a76d	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\fr-FR\6cb0b6c459d5d3	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Music\RCXFB24.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Music\RCXFB92.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\ModemLogs\smss.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\ModemLogs\69ddcba757bf72	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\ModemLogs\RCXD403.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\RCXE64A.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\fr-FR\RCXF284.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\ModemLogs\smss.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\Boot\Fonts\lsm.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\fr-FR\dwm.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File created	C:\Windows\ServiceProfiles\LocalService\Music\56085415360792	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\ModemLogs\RCXD404.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\RCXE64B.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\fr-FR\dwm.exe	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
File opened for modification	C:\Windows\fr-FR\RCXF285.tmp	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
692	schtasks.exe
548	schtasks.exe
796	schtasks.exe
1804	schtasks.exe
1244	schtasks.exe
2060	schtasks.exe
2796	schtasks.exe
2740	schtasks.exe
2908	schtasks.exe
2636	schtasks.exe
1260	schtasks.exe
324	schtasks.exe
2524	schtasks.exe
1624	schtasks.exe
1668	schtasks.exe
2732	schtasks.exe
1692	schtasks.exe
812	schtasks.exe
3020	schtasks.exe
900	schtasks.exe
2956	schtasks.exe
872	schtasks.exe
2392	schtasks.exe
2900	schtasks.exe
1700	schtasks.exe
2616	schtasks.exe
1716	schtasks.exe
1860	schtasks.exe
3048	schtasks.exe
2000	schtasks.exe
2012	schtasks.exe
2688	schtasks.exe
2368	schtasks.exe
2208	schtasks.exe
2024	schtasks.exe
2648	schtasks.exe
2736	schtasks.exe
2440	schtasks.exe
2924	schtasks.exe
1784	schtasks.exe
2672	schtasks.exe
2244	schtasks.exe
2456	schtasks.exe
2468	schtasks.exe
2224	schtasks.exe
2220	schtasks.exe
2724	schtasks.exe
1120	schtasks.exe
2236	schtasks.exe
2064	schtasks.exe
1988	schtasks.exe
1516	schtasks.exe
2976	schtasks.exe
3044	schtasks.exe
1552	schtasks.exe
588	schtasks.exe
1948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
1632	powershell.exe
352	powershell.exe
2072	powershell.exe
2640	powershell.exe
1704	powershell.exe
764	powershell.exe
2052	powershell.exe
2496	powershell.exe
1616	powershell.exe
2672	powershell.exe
3036	powershell.exe
3048	powershell.exe
2004	powershell.exe
2544	powershell.exe
2484	powershell.exe
1512	powershell.exe
880	powershell.exe
2784	powershell.exe
2444	powershell.exe
2272	powershell.exe
2060	wininit.exe
2492	wininit.exe
2020	wininit.exe
764	wininit.exe
2724	wininit.exe
2420	wininit.exe
1588	wininit.exe
1352	wininit.exe
2360	wininit.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2060	wininit.exe
Token: SeDebugPrivilege	2492	wininit.exe
Token: SeDebugPrivilege	2020	wininit.exe
Token: SeDebugPrivilege	764	wininit.exe
Token: SeDebugPrivilege	2724	wininit.exe
Token: SeDebugPrivilege	2420	wininit.exe
Token: SeDebugPrivilege	1588	wininit.exe
Token: SeDebugPrivilege	1352	wininit.exe
Token: SeDebugPrivilege	2360	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 2672	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	89
PID 596 wrote to memory of 2672	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	89
PID 596 wrote to memory of 2672	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	89
PID 596 wrote to memory of 1632	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	90
PID 596 wrote to memory of 1632	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	90
PID 596 wrote to memory of 1632	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	90
PID 596 wrote to memory of 2072	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	91
PID 596 wrote to memory of 2072	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	91
PID 596 wrote to memory of 2072	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	91
PID 596 wrote to memory of 2004	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	92
PID 596 wrote to memory of 2004	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	92
PID 596 wrote to memory of 2004	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	92
PID 596 wrote to memory of 2444	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	93
PID 596 wrote to memory of 2444	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	93
PID 596 wrote to memory of 2444	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	93
PID 596 wrote to memory of 352	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	95
PID 596 wrote to memory of 352	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	95
PID 596 wrote to memory of 352	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	95
PID 596 wrote to memory of 880	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	96
PID 596 wrote to memory of 880	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	96
PID 596 wrote to memory of 880	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	96
PID 596 wrote to memory of 1512	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	98
PID 596 wrote to memory of 1512	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	98
PID 596 wrote to memory of 1512	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	98
PID 596 wrote to memory of 2272	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	99
PID 596 wrote to memory of 2272	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	99
PID 596 wrote to memory of 2272	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	99
PID 596 wrote to memory of 2544	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	100
PID 596 wrote to memory of 2544	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	100
PID 596 wrote to memory of 2544	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	100
PID 596 wrote to memory of 2640	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	101
PID 596 wrote to memory of 2640	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	101
PID 596 wrote to memory of 2640	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	101
PID 596 wrote to memory of 3048	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	103
PID 596 wrote to memory of 3048	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	103
PID 596 wrote to memory of 3048	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	103
PID 596 wrote to memory of 1616	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	104
PID 596 wrote to memory of 1616	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	104
PID 596 wrote to memory of 1616	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	104
PID 596 wrote to memory of 3036	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	105
PID 596 wrote to memory of 3036	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	105
PID 596 wrote to memory of 3036	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	105
PID 596 wrote to memory of 764	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	106
PID 596 wrote to memory of 764	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	106
PID 596 wrote to memory of 764	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	106
PID 596 wrote to memory of 2052	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	107
PID 596 wrote to memory of 2052	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	107
PID 596 wrote to memory of 2052	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	107
PID 596 wrote to memory of 2496	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	108
PID 596 wrote to memory of 2496	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	108
PID 596 wrote to memory of 2496	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	108
PID 596 wrote to memory of 1704	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	112
PID 596 wrote to memory of 1704	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	112
PID 596 wrote to memory of 1704	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	112
PID 596 wrote to memory of 2484	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	114
PID 596 wrote to memory of 2484	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	114
PID 596 wrote to memory of 2484	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	114
PID 596 wrote to memory of 2784	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	116
PID 596 wrote to memory of 2784	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	116
PID 596 wrote to memory of 2784	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	116
PID 596 wrote to memory of 2060	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	129
PID 596 wrote to memory of 2060	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	129
PID 596 wrote to memory of 2060	596	5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe	129
PID 2060 wrote to memory of 408	2060	wininit.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe
"C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\it-IT\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
  "C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef0e3ecd-1218-4a81-81c2-cc1309aa67c3.vbs"
    3⤵
    PID:408
  - - C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
      C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2492
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbff9583-4871-4247-a0e6-b281f4674614.vbs"
        5⤵
        
        PID:1652
      - C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b10c7e5-aa9b-410e-8028-529e7794228d.vbs"
        7⤵
        
        PID:2756
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f96cf66c-2e81-457a-9444-c86c846b6029.vbs"
        9⤵
        
        PID:1980
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b690d058-2fc6-4b60-aad6-589da6bc14c1.vbs"
        11⤵
        
        PID:1508
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12798de3-d3ae-4592-b761-6f32ca469130.vbs"
        13⤵
        
        PID:1624
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5a83c26-5e3a-4ba7-b415-c3b1a93ade97.vbs"
        15⤵
        
        PID:2304
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7934fafd-8025-43c4-aee8-a51df80ffd78.vbs"
        17⤵
        
        PID:1092
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        
        C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d72e557e-949e-4641-8753-614039576abd.vbs"
        19⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f64cb7cb-9ed2-4347-92dc-c16c82f867fb.vbs"
        19⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\931f6014-c361-435c-be19-f50aecbfd738.vbs"
        17⤵
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0178e1a-e0bc-4898-9756-8fee41f03cdc.vbs"
        15⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b55ab60-3fe1-4837-b14d-4ed0ce9d4306.vbs"
        13⤵
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22e9ba91-7218-4507-9e6b-199a807579fa.vbs"
        11⤵
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\384b4deb-c783-4083-947b-b446b4b8f429.vbs"
        9⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b00f67c-d053-4508-aa48-f119d46cd240.vbs"
        7⤵
        
        PID:2664
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ef012a-2930-40a4-a1c8-9fc1eb56c175.vbs"
        5⤵
        
        PID:2220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce5678ca-7f0e-4e1d-9816-98efb3f7ff07.vbs"
    3⤵
    PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ModemLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Pictures\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f15" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\it-IT\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f15" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\it-IT\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f15" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f15" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe

Filesize
1.6MB

MD5
f2b3eaf7e7baa17103844c4c8fcc7029

SHA1
e020984343c316bfd73a09de9564855ad1e5f93f

SHA256
866436608ca5bcc10ca5fc8cf928adde073fb4e9fc4cae7d79d946fa6786944f

SHA512
c740c1256bdb682d581540f1fbbfd045f57bdb0b30a6c713566f913a5f7c9ea9421ed5b0e99cc522e2dc93e15cc783d8ff34c36ca0bdb491a428aeb22f8a2be8

Download Submit
C:\Program Files (x86)\Uninstall Information\services.exe

Filesize
1.6MB

MD5
53b548d3d6a46f4ccfd02593be997f4c

SHA1
03d53542ed7c65afa6c5fd64fcbd112626ebfb08

SHA256
4df7146fa2039b96a06e5524576490036971d96ce8404e8fcb3aedefcc32c5aa

SHA512
bb5fdffc7da306eba31bca29f63179e383f74dc9be140e34ffc70c638fdd0286da22c3027bc233a0018e6f1c336dc6972456d95f8dc5707e0d8392e0adb3d2bd

Download Submit
C:\Program Files (x86)\Windows Mail\de-DE\5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1.exe

Filesize
1.6MB

MD5
52ef95f874d8997b58f6702e55865ce1

SHA1
2fa0718bc4a05bb093b134e863aa28d253add0aa

SHA256
8213c1e337ebb7cc9dc2cae6b72b807c21dfea084c55848da07dcfd282566dcf

SHA512
76a26462b736970d5ee72386936ccced8da2e26d985f771dc97eadc9be01f1779a227fbdd5f6549362d5b7517bb5b2db5528722d8ce7ea59bf9104ec76c31436

Download Submit
C:\Program Files\Internet Explorer\System.exe

Filesize
1.6MB

MD5
4d0443bba1f11f93b017033e89fdfd6f

SHA1
66997a7f1a2baf6d11a5f07ed0b8c579f09d70fa

SHA256
15a012c2d1501c04f231e84c1ebe119ae39e06b88957e75d428bac7bb4d5544a

SHA512
197c304e6eefab410081cdbd5d88ab4251a489f4e9310806e8656a315755d3ab4068658fff96d97ffb791f388edc9a9662262713af1fd6cc0355fa436a65927b

Download Submit
C:\ProgramData\winlogon.exe

Filesize
1.6MB

MD5
9fdfcd1ab812050f8c37e95ba497003b

SHA1
9d667b26c8a70c49001b947bbb54656f4fced995

SHA256
43d807e1f21b207364c45487b233346cc6997f3eccd3b7a6b8f4547c22bc7c2d

SHA512
5a1bdf8f5e3034812389a17f0e3efc2d146d7d1ab6a1261b8e6a663ed00c772d6303f7d5112f0ca20fd748a363ebab1aab79a2e12bb627e7cc6c9030feebc699

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe

Filesize
1.6MB

MD5
f78812be8328346fd09f480c9737963a

SHA1
0db02b799e80a1659c9aede03b54a26aef2beb4a

SHA256
5250379192c5ba7c3145ad8bdf7939f44ab827de4db56a950a964fee01ea72f1

SHA512
4be91e19f7eb4d1475ad142cbe66620320f4ab62dbdf8555fe7701aa1d2ddd19d739c73b4a1c05669282de374ba1a5dca449464154bf141a62e6842250ad79ad

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe

Filesize
1.6MB

MD5
8b04a8783adf0907b98474eb1cacca1d

SHA1
94444b8db17d715674efbb63cad83992ecf0e120

SHA256
2fde8063ef49d64128fe49ef56913169856e94dea0c6c52bcb7c003e3c1c99d7

SHA512
515a50af525c5a4e260511b3249998f4b5f999ffcdeaff66003b3b265a2b3f810f6ff57cb3dbf6cbe3e10c5820771986dad10d22011af3a799bba0eeadef5d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\12798de3-d3ae-4592-b761-6f32ca469130.vbs

Filesize
733B

MD5
2eff5857592d5207bee20902ba7b4a55

SHA1
deebb3ea6ff1a24b9baf1ff725e645581b3023da

SHA256
263e21191537c17198fa79844cec496eb813714847ab882ad9fc4180f5056efe

SHA512
e96ae8187a963e91f7e50f0f1bafa017cba59927af393bb8ad947c9c1b07fcf2fbe30dea0034dbd5decc0ad37a2e43e88fddc6d1a20f53abae7a0cd3c24143bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b10c7e5-aa9b-410e-8028-529e7794228d.vbs

Filesize
733B

MD5
cf949886a165f8de99aa9efa11831c61

SHA1
2019575498d77a2731d9594b7e048d01dc2436b9

SHA256
25f7e4d62fda454adbfbcde1ce21f418bd73b6e63b53566a20f5f3d100c104ac

SHA512
2e69148f8eae03e56d399a2b411907c8a718a96e1775f1a1e2335650d9ca3b0f32bb85431c217c7ce9adf2b269923cc480347a217789e169dc67026b336f0781

Download Submit
C:\Users\Admin\AppData\Local\Temp\7934fafd-8025-43c4-aee8-a51df80ffd78.vbs

Filesize
733B

MD5
028405e385380e35fcade90cec780df8

SHA1
1e8eb9fc01cc990cd6a884342fcbe1bb454f5e33

SHA256
6f00d397e118d9f5105fa027edf9a9ded793ab3ddd4f9f8903f0965c2e4c2570

SHA512
e197151ceae24ac844add6ac0451ef230ae7c9e1d97cff718efd546b30bc31181524739386821f7f552473dcfc3f30a676b56693ee2038c13fbdc091d1f63a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aed8e25df82f4ea2ec0de33810a5339b52426169.exe

Filesize
1.6MB

MD5
d59edcbc14eeddcae03315e938ef38c7

SHA1
5017836f8e2aac7197dda555440fe2ce62ae26c9

SHA256
475020d44a1e41ba10da8094db735b5ead99bc47d8778b9824f53e5be0566545

SHA512
3bb13c621e5ea18a048e54c8192d00bd69c2a6770ab92f73da6b0c9a1472b673c1a6959cbe0514679b3213c42f2800ce3771d4179f2fab10058c255dd974dfc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b690d058-2fc6-4b60-aad6-589da6bc14c1.vbs

Filesize
733B

MD5
1f7f79739158c46e1a8d1955a03e8b78

SHA1
6c787b8ffefca6b1fa1b862b0d589bd1e2457c7b

SHA256
83b1e9231b58d3d9105ff2a26de959822ec1ece4e6b39cff443fc6c73d3d5700

SHA512
962a15a12f847eac32561eb11ee9df14ec05ecb2f9ef03ea04edf9f6fc8e78f09a59a1b7889e2dc3e4d394e358f77a3239242d1d80ef9c8fa8401a7efb228482

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce5678ca-7f0e-4e1d-9816-98efb3f7ff07.vbs

Filesize
509B

MD5
365ba4820ab56c1b2b5831872c97c52c

SHA1
694ae1c40bad9c5c60aeb151d5b268b06dd22276

SHA256
6cf859b65eb50ac29f5d95729188c0aa1bb00e76f1dd45871690e00a8fab0ec4

SHA512
f4aa41f6d35da3e03906c7b58e7cd89bd4ffb7c95c5be4134976da8c8475d5074e1072c68e7530c7a60594d813f4cc1c49032bb42b4f1868dbc01d697851f867

Download Submit
C:\Users\Admin\AppData\Local\Temp\d72e557e-949e-4641-8753-614039576abd.vbs

Filesize
733B

MD5
b0d420107f03888a5a684575d61d8eed

SHA1
fbd163e4d13cf3bdbdd92fdf4cacc8990d46efb9

SHA256
db81408fc192670f04ec6b883ff8a131b3a7ff59fe8c2632a0f8fc8f1956c5a0

SHA512
024c330695f39ce36d05201e80df0374786573ae54cc1516bd9c1bc7498fef245f6f2f279a49d03bc78e119a8038776fb4288ae74db4ed15cf82aba9fb024d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef0e3ecd-1218-4a81-81c2-cc1309aa67c3.vbs

Filesize
733B

MD5
9a288602455bc285b832fc3635d82c84

SHA1
519078343ba347df7601b0bf5a997fbdf61f60e3

SHA256
a1c485ac91544da6e1705837d3d25e9e1291946951c420836a40733e50274a9b

SHA512
a9b962514faba02be1ee17fa8ef9ecfabc838a40da881d83b900521d947b4bdfcc05f428e971f63522d21896ba614f491ac93028633596b0c13f5486fb52d316

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5a83c26-5e3a-4ba7-b415-c3b1a93ade97.vbs

Filesize
733B

MD5
23ed502e6158e1e383637dd13d145ff7

SHA1
55df2c0c8e8894f3554b4c858ae3df75b93f53b8

SHA256
654a0d14f4500ffdd8b0d01c3f4dfd26a3c0afab58466bbadd1a9fd727d2e43c

SHA512
465337eae72756d274253b87e4f7a31e959c83ea20901f49acd95e44cf35e36aeb1cca6328a4017942391bf0d5859f982ff8a497e7e39c6343169ced72990cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f96cf66c-2e81-457a-9444-c86c846b6029.vbs

Filesize
732B

MD5
69b6dac76b2abed127f40d22b4092cef

SHA1
b4c0328cb0147e791d054ad6ad25339bb0b1305e

SHA256
ae98b833bc3b9cfe823701192b18f51959dc534a03762a6e976efaf63d356c9d

SHA512
645d1ff3d0f1474b48ceec7233a97a6fba3b7f3d6d62195734db37fe579bf4a660138a3066d9aa69c9c14b55d30d1b5957f0c9abaa7f15c49d05529e35a8903e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbff9583-4871-4247-a0e6-b281f4674614.vbs

Filesize
733B

MD5
b15f3316a63b28a9435d17c026bbe250

SHA1
40de77af0b75a0ed31f441e8cdac2cc506a6efaf

SHA256
d3080d323bc14838ed806dc0791aa0383cc855aa7e37d7245ec400b4e7f63194

SHA512
92dbea0a69fad1e6229f439edd5a6eea6c0e42d6201739836b4d6ff0c6be777b285d36f039326bbf0b336a56c20f0471baea1d2f4c3690a0cd4968d24f0988cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12298e246575d49f6058b429439f2a2b

SHA1
f0078055c17e0c13a8f6b2a9743d5c4ff309eae0

SHA256
48b32f1800983c38ac4284fb5a176a0bf7961ec52fad1a29acbe27368091d908

SHA512
4d4d706671a60a825cf92f35b4107d3f171498673df5db2e435a3a3f73cd2fe50f7fc24de67f81f91f4f4e8fef0fe0614c21a64422d26df1f1b531bffd34f96a

Download Submit
C:\Users\Default\Pictures\WMIADAP.exe

Filesize
1.6MB

MD5
34a494681a6831770763861c9b5ccb94

SHA1
9ea6660e9ccae79873d68678d3442a16a8195bd7

SHA256
46cfde4515229b38ca3db7d5ddea06cf02c73be5cca0b799bbb51a7f9c77cf0f

SHA512
f1faa629aab7e0d7aa7b1d0c2d529a43f00561d6ca3f5a44662828122fc453d975b710521bfeedae80fb7ab2c1315b39400d7e6c9c9c9e21f6d34b10dbae4596

Download Submit
C:\Windows\ServiceProfiles\LocalService\Music\wininit.exe

Filesize
1.6MB

MD5
257e57cf585c18d4c5bd322c65e0f678

SHA1
a9bb89439876f663b0979bce9e756a8d481df757

SHA256
29d7cf5777821ab4bd65e85414f01afe44f927bc0f4172eb96b0269eb0799145

SHA512
47f17c3f7728f82955905f4463b4029028006eed364323f04162e739ed034802a0817a814ca5fb57de706e932fa36531b114290ad75b54e1fda96106b5c44743

Download Submit
C:\Windows\fr-FR\RCXF284.tmp

Filesize
1.6MB

MD5
90d62e045531d7d360fae6d6c51d3fdb

SHA1
ab75fcb7beefd19c56c81e8b01366ee1e71212b9

SHA256
6cf85fd8dd3df3faf4c50d21ad126b47715d4cd224c808846dada3df3ce9ce8b

SHA512
6099f80bfdd1ec6ed978c1db7e2e331508d9cfb5ce2965b9bc423a62cff59f95b97a5fd9868f2f0fb2551ada902d35c078cc844109a302a1b9153dce44bf8661

Download Submit
memory/596-12-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/596-375-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/596-197-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/596-16-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/596-15-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/596-14-0x00000000021F0000-0x00000000021F8000-memory.dmp

Filesize
32KB

Download
memory/596-13-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/596-185-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/596-1-0x0000000000C40000-0x0000000000DE2000-memory.dmp

Filesize
1.6MB

Download
memory/596-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/596-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/596-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/596-11-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/596-10-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/596-9-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/596-8-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/596-7-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/596-6-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/596-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/596-4-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1352-454-0x0000000000EA0000-0x0000000001042000-memory.dmp

Filesize
1.6MB

Download
memory/1588-442-0x0000000000270000-0x0000000000412000-memory.dmp

Filesize
1.6MB

Download
memory/1632-297-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2060-374-0x0000000001130000-0x00000000012D2000-memory.dmp

Filesize
1.6MB

Download
memory/2420-430-0x0000000001370000-0x0000000001512000-memory.dmp

Filesize
1.6MB

Download
memory/2640-286-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download