dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Size

1.6MB
MD5

c87ae2c7c0c0a77294bdf61219b952f5
SHA1

009d29952e3cec0966402de8b8ffeb264c78a956
SHA256

85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f
SHA512

b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2580	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2580	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral13/memory/2744-1-0x0000000001160000-0x0000000001302000-memory.dmp	dcrat
behavioral13/files/0x000500000001960a-25.dat	dcrat
behavioral13/files/0x0006000000019436-81.dat	dcrat
behavioral13/files/0x00080000000194bd-104.dat	dcrat
behavioral13/memory/2452-298-0x0000000001380000-0x0000000001522000-memory.dmp	dcrat
behavioral13/memory/2788-309-0x0000000000380000-0x0000000000522000-memory.dmp	dcrat
behavioral13/memory/2496-321-0x00000000010B0000-0x0000000001252000-memory.dmp	dcrat
behavioral13/memory/2880-333-0x00000000012C0000-0x0000000001462000-memory.dmp	dcrat
behavioral13/memory/1736-367-0x0000000000110000-0x00000000002B2000-memory.dmp	dcrat
behavioral13/memory/2608-379-0x00000000012A0000-0x0000000001442000-memory.dmp	dcrat
behavioral13/memory/2608-435-0x00000000000F0000-0x0000000000292000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1548	powershell.exe
2404	powershell.exe
1536	powershell.exe
1672	powershell.exe
1964	powershell.exe
940	powershell.exe
600	powershell.exe
352	powershell.exe
1476	powershell.exe
2216	powershell.exe
1168	powershell.exe
1364	powershell.exe
1256	powershell.exe
2988	powershell.exe
1208	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2452	lsass.exe
2788	lsass.exe
2496	lsass.exe
2880	lsass.exe
2104	lsass.exe
2272	lsass.exe
1736	lsass.exe
2608	lsass.exe
2920	lsass.exe
2396	lsass.exe
2488	lsass.exe
660	lsass.exe
2608	lsass.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\Templates\lsass.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Mozilla Firefox\fonts\7a0fd90576e088	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCX7E2.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX1073.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\lsass.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXFA4E.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXFA4F.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXE6D.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6cb0b6c459d5d3	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCX7E3.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXA63.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\27d1bcfc3c54e0	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\f29b7f83f50a4c	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCXF84B.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXE6E.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Windows Journal\Templates\6203df4a6bafc7	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\RCXF7DC.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\f29b7f83f50a4c	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\System.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXA64.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\explorer.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX1072.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\System.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Mozilla Firefox\fonts\explorer.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Performance\Idle.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\Performance\Idle.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\Performance\6ccacd8608530f	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\Performance\RCXF366.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\Performance\RCXF367.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
592	schtasks.exe
2368	schtasks.exe
1008	schtasks.exe
1656	schtasks.exe
2800	schtasks.exe
276	schtasks.exe
1792	schtasks.exe
1936	schtasks.exe
2984	schtasks.exe
2428	schtasks.exe
1780	schtasks.exe
2164	schtasks.exe
2880	schtasks.exe
1876	schtasks.exe
2564	schtasks.exe
1304	schtasks.exe
1908	schtasks.exe
2156	schtasks.exe
1972	schtasks.exe
2456	schtasks.exe
2092	schtasks.exe
2948	schtasks.exe
1564	schtasks.exe
2108	schtasks.exe
620	schtasks.exe
1980	schtasks.exe
1000	schtasks.exe
1504	schtasks.exe
3024	schtasks.exe
1124	schtasks.exe
912	schtasks.exe
2988	schtasks.exe
1636	schtasks.exe
2528	schtasks.exe
1976	schtasks.exe
1120	schtasks.exe
2376	schtasks.exe
2620	schtasks.exe
2280	schtasks.exe
1696	schtasks.exe
784	schtasks.exe
536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
2404	powershell.exe
1364	powershell.exe
1168	powershell.exe
940	powershell.exe
1672	powershell.exe
1548	powershell.exe
1964	powershell.exe
352	powershell.exe
1256	powershell.exe
1536	powershell.exe
600	powershell.exe
1208	powershell.exe
2216	powershell.exe
1476	powershell.exe
2988	powershell.exe
2452	lsass.exe
2788	lsass.exe
2496	lsass.exe
2880	lsass.exe
2104	lsass.exe
2272	lsass.exe
1736	lsass.exe
2608	lsass.exe
2920	lsass.exe
2396	lsass.exe
2488	lsass.exe
660	lsass.exe
2608	lsass.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2452	lsass.exe
Token: SeDebugPrivilege	2788	lsass.exe
Token: SeDebugPrivilege	2496	lsass.exe
Token: SeDebugPrivilege	2880	lsass.exe
Token: SeDebugPrivilege	2104	lsass.exe
Token: SeDebugPrivilege	2272	lsass.exe
Token: SeDebugPrivilege	1736	lsass.exe
Token: SeDebugPrivilege	2608	lsass.exe
Token: SeDebugPrivilege	2920	lsass.exe
Token: SeDebugPrivilege	2396	lsass.exe
Token: SeDebugPrivilege	2488	lsass.exe
Token: SeDebugPrivilege	660	lsass.exe
Token: SeDebugPrivilege	2608	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 1364	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	74
PID 2744 wrote to memory of 1364	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	74
PID 2744 wrote to memory of 1364	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	74
PID 2744 wrote to memory of 2404	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	75
PID 2744 wrote to memory of 2404	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	75
PID 2744 wrote to memory of 2404	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	75
PID 2744 wrote to memory of 1536	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	77
PID 2744 wrote to memory of 1536	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	77
PID 2744 wrote to memory of 1536	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	77
PID 2744 wrote to memory of 1208	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	78
PID 2744 wrote to memory of 1208	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	78
PID 2744 wrote to memory of 1208	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	78
PID 2744 wrote to memory of 1168	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	80
PID 2744 wrote to memory of 1168	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	80
PID 2744 wrote to memory of 1168	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	80
PID 2744 wrote to memory of 2988	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	82
PID 2744 wrote to memory of 2988	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	82
PID 2744 wrote to memory of 2988	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	82
PID 2744 wrote to memory of 1548	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	83
PID 2744 wrote to memory of 1548	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	83
PID 2744 wrote to memory of 1548	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	83
PID 2744 wrote to memory of 940	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	84
PID 2744 wrote to memory of 940	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	84
PID 2744 wrote to memory of 940	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	84
PID 2744 wrote to memory of 2216	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85
PID 2744 wrote to memory of 2216	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85
PID 2744 wrote to memory of 2216	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	85
PID 2744 wrote to memory of 1476	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	86
PID 2744 wrote to memory of 1476	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	86
PID 2744 wrote to memory of 1476	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	86
PID 2744 wrote to memory of 352	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	87
PID 2744 wrote to memory of 352	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	87
PID 2744 wrote to memory of 352	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	87
PID 2744 wrote to memory of 1964	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	88
PID 2744 wrote to memory of 1964	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	88
PID 2744 wrote to memory of 1964	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	88
PID 2744 wrote to memory of 1672	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	89
PID 2744 wrote to memory of 1672	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	89
PID 2744 wrote to memory of 1672	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	89
PID 2744 wrote to memory of 1256	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	91
PID 2744 wrote to memory of 1256	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	91
PID 2744 wrote to memory of 1256	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	91
PID 2744 wrote to memory of 600	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	93
PID 2744 wrote to memory of 600	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	93
PID 2744 wrote to memory of 600	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	93
PID 2744 wrote to memory of 2368	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	104
PID 2744 wrote to memory of 2368	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	104
PID 2744 wrote to memory of 2368	2744	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	104
PID 2368 wrote to memory of 3016	2368	cmd.exe	106
PID 2368 wrote to memory of 3016	2368	cmd.exe	106
PID 2368 wrote to memory of 3016	2368	cmd.exe	106
PID 2368 wrote to memory of 2452	2368	cmd.exe	107
PID 2368 wrote to memory of 2452	2368	cmd.exe	107
PID 2368 wrote to memory of 2452	2368	cmd.exe	107
PID 2452 wrote to memory of 2488	2452	lsass.exe	108
PID 2452 wrote to memory of 2488	2452	lsass.exe	108
PID 2452 wrote to memory of 2488	2452	lsass.exe	108
PID 2452 wrote to memory of 2356	2452	lsass.exe	109
PID 2452 wrote to memory of 2356	2452	lsass.exe	109
PID 2452 wrote to memory of 2356	2452	lsass.exe	109
PID 2488 wrote to memory of 2788	2488	WScript.exe	110
PID 2488 wrote to memory of 2788	2488	WScript.exe	110
PID 2488 wrote to memory of 2788	2488	WScript.exe	110
PID 2788 wrote to memory of 2732	2788	lsass.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
"C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZ7ZHhiPOX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3016
- - C:\Program Files\Windows Journal\Templates\lsass.exe
    "C:\Program Files\Windows Journal\Templates\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fb16f32-6bc3-4f1d-a56d-bee51501b99e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4a6f8c9-3fd5-40c2-b0b5-66edd0d382ba.vbs"
        6⤵
        
        PID:2732
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65ed1c63-b835-49d5-8d88-9ee4e097d328.vbs"
        8⤵
        
        PID:3008
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a8983c-fd88-4b25-a1c2-555726c1602a.vbs"
        10⤵
        
        PID:2936
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a875e6f6-f842-4f09-8723-f4fe5218d359.vbs"
        12⤵
        
        PID:2832
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5168a8b-076e-47fa-8188-ec66f06b2e50.vbs"
        14⤵
        
        PID:1092
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea7649d3-991b-4611-bbef-8c8bda6303cd.vbs"
        16⤵
        
        PID:2732
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb04dcb1-5ad5-439f-adfd-cb87c0d3fffd.vbs"
        18⤵
        
        PID:1904
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f54a6a75-e71c-4cb5-9d99-79f821d7083a.vbs"
        20⤵
        
        PID:272
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38a02af7-8e9e-4ba0-83b0-a38872f226f6.vbs"
        22⤵
        
        PID:2124
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9093e599-a671-43a8-8c54-a003722d2fcd.vbs"
        24⤵
        
        PID:808
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d68c4803-d1ee-4a06-99a7-68fc9d5d5b44.vbs"
        26⤵
        
        PID:1304
        
        C:\Program Files\Windows Journal\Templates\lsass.exe
        
        "C:\Program Files\Windows Journal\Templates\lsass.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3036b6f-2ddc-41d5-b7c6-dacc51838c2c.vbs"
        28⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe628e81-927e-4813-8209-da807b522b1a.vbs"
        28⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157c27e0-3d19-4e2b-b37e-d596c8dee5a1.vbs"
        26⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ccfc32e-33e7-453e-a86b-05721c594eea.vbs"
        24⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2054b43-0f37-49a8-a736-1f971e0aa5be.vbs"
        22⤵
        
        PID:1168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d13290f-93af-456f-ac66-9863f28a1200.vbs"
        20⤵
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e992d03-aafe-4e74-8e32-cbdce49af23a.vbs"
        18⤵
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99cefc87-32ca-4be6-a149-5caa017402fb.vbs"
        16⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4a88150-a1b0-41ee-b4c8-03b586451778.vbs"
        14⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b62aafc-50de-406d-a0c2-55a33dcebc1e.vbs"
        12⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41cc6d15-cc43-409a-a930-6db3a1585995.vbs"
        10⤵
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ea4f6ee-0263-4caa-bc47-8672c9955bc8.vbs"
        8⤵
        
        PID:2596
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd9021bb-ab61-4be8-827f-e93da706c95a.vbs"
        6⤵
        
        PID:236
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db2722e1-2e86-4a30-8ab9-fa73b539a76c.vbs"
      4⤵
      PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Performance\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f8" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f8" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Updater6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Updater6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f8" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f8" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f8" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f8" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Journal\Templates\lsass.exe

Filesize
1.6MB

MD5
7334d72969cad259f359c8a782f3b969

SHA1
e26a093fe40e6111652da2f96ad42f6020d6aecc

SHA256
00699b9ad42f30147e7e53f37310c892d7b787aaf38b5163da8fe503e401e55f

SHA512
cba70613bb062a10ae0b67f70c39aa092345516e8c2ef7149f7fe57f7e13f06a2fccc49c52ef7118ba16d024fea5cbca587393f58e1f3f2e1053dca99a7b9998

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Filesize
1.6MB

MD5
c87ae2c7c0c0a77294bdf61219b952f5

SHA1
009d29952e3cec0966402de8b8ffeb264c78a956

SHA256
85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f

SHA512
b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Filesize
1.6MB

MD5
0656ec7fd9a96c9ee9f54c54d9c84eb6

SHA1
5e110159c1729210013d5058c1880afc4f296266

SHA256
91db9e6721dcb4b919438776988030207672685ad1746fe34fb21282a9f00849

SHA512
4940ccd7d5e5812c85f2db290d9162e6805146819a8063ead2a730b19b96d247d4a137722ae8e4803c5bfdef83146786035eeae455f9c1c712c0dc6fd000eade

Download Submit
C:\Users\Admin\AppData\Local\Temp\28a8983c-fd88-4b25-a1c2-555726c1602a.vbs

Filesize
728B

MD5
868d8f0df8dabe3334dd186195aba600

SHA1
5d951ab44f30f550cf068698708562958b25f732

SHA256
fe6e6a4fb7feb4e12c6f605923f3d114809192285cd370df102713fe3cce66ed

SHA512
ef9122a3747671b55525f87463e305d4bd93d59066e7109e939109804e2f827918d5aef1db67c285e666f388a5d3e26e790216627877d820601649bd5b1d03ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\38a02af7-8e9e-4ba0-83b0-a38872f226f6.vbs

Filesize
728B

MD5
4d1d7129156d10a447b6bbcd0fa4e8c3

SHA1
46a133f3e4b2422d04d065e42547493fdd86aa55

SHA256
73cda6c967c70e2cb639603ba57c815a3bdc769d78f8dce46c6ccbea96d70def

SHA512
2e26a197daab051d6cdda9da1d3afb08ead829cfe525682d9b016a900579cf6db70ba94573e33a2d70e700e39547cfb7de334fd1348f35192fb7ccc93f6536e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fb16f32-6bc3-4f1d-a56d-bee51501b99e.vbs

Filesize
728B

MD5
3ab8df8a7241bb06dadb7ea616fd11a5

SHA1
3740f7155fa5cfbdd4150db092411367ac06f508

SHA256
cd236b163d2d53f41f21dc524574f0411d8797a33fe628aee6574e4fb01d86c4

SHA512
4c17e2ed509960b647690ebf3063f089dccb9cbba13662c26fa94078847bff17db189c2c463298da8a235a0708ecc0cf37b544fb26df6a5b0487c77f664eabbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\65ed1c63-b835-49d5-8d88-9ee4e097d328.vbs

Filesize
728B

MD5
c814e40b11ead94904d274889985c1a7

SHA1
43ef97579aacf7f60ebe174fd3ecfdb0ff8ae387

SHA256
84ae631ce85dd58ea010f4f6acd372d7080b51f924839bb72f1783bc11657be9

SHA512
dfb490febe9c75dd29c626b2301c5aa61d86f84e7bf1f16911ad3e106999c2181bf66e983f7012b1414e25ff55b1970505723dea28f1443d7c616d7d40aa037b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9093e599-a671-43a8-8c54-a003722d2fcd.vbs

Filesize
728B

MD5
7aec6886a14eb17691a2ab6e7b73cea6

SHA1
531da94fbda0220d697c9b96efb5a73d2af4cf2e

SHA256
337b94693363efb4b714d59905239085aa380fcbdb20346918bf743c8ad7821f

SHA512
4b118cb4cd1cbff5fb6aa0e79024c3859f80df1e445963e71b60abcb7016e3349cdc7ede231e4df9cbf82994d274bc37c888610e0ab8a37de607d321c9790e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a875e6f6-f842-4f09-8723-f4fe5218d359.vbs

Filesize
728B

MD5
9a0bfbdbc2a9bb4b5f301a7fbdac2501

SHA1
d0b823da3ffab67dc96c30a155eab26c8036cab6

SHA256
918b065bebb7c4fc53f43a21710de8b8651767fc82ff3145c32d8fbccb23d7ea

SHA512
a511b6ff6f105be1b6ad1b08e35b25070eb8cde5fea6da6ba4b94d08fb85cfc8511d8d3e7df738a8ffed33b8de17f079a30517f61b1364167022dec40e895244

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb04dcb1-5ad5-439f-adfd-cb87c0d3fffd.vbs

Filesize
728B

MD5
82d0c356aa3f5096a5de189611a9183e

SHA1
efcb39b09609f08ccfe5da52a621da396b183da6

SHA256
8491a06d9d60628954162e3ae6544de144f0296426d4b67ef9d251333537e658

SHA512
039a6d71d91a726f01c9d165576545317f29db0bf69635298f8e3cca870703dd4f9b51927f972d0b5a224a42ce2591d547643baf025ba69b054cc3aa9005a4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4a6f8c9-3fd5-40c2-b0b5-66edd0d382ba.vbs

Filesize
728B

MD5
f2f1db89ef5e95e86baa92e798661a07

SHA1
07f2bb9516835ac11170bd1f7fe7eac7ce435446

SHA256
2576c8d04b526e1a0738cfb2d48751f40db582689a78b32d6747771fd4fee4df

SHA512
5d0a1acd4fec75dddaac3ef3f1dc4a65cc6a3282b68d68ec3daec23786c70c6e22083c1414dae903edf29973fbda42909108a4f21b5acc8fc9a7f63b231544f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d68c4803-d1ee-4a06-99a7-68fc9d5d5b44.vbs

Filesize
727B

MD5
99f437b2c2136fa479227212bf498887

SHA1
7f1ad75f59669b9fc80d95f0f431452e0cd2b88e

SHA256
a4f9145733ddb40d77b2d54f2e775cb05ea36c4dfe505288bfa9e4d4ea22c25e

SHA512
2bb4e32fad45920d8d4e70e4656c300c3741aecd0373e66444e42667a9ff70d12c0337c4c3e405372c67b2dc8b94c759afd09f381cadf80f651e5ffc4acdd60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\db2722e1-2e86-4a30-8ab9-fa73b539a76c.vbs

Filesize
504B

MD5
53dd1a6724dbdd39eb5c98bc957ae9eb

SHA1
243a92486feaf5142c6df2192c0dc45274e2efbd

SHA256
c07349ccbe521aa36a2fc5079eafe8bde1427d6075c3b857cf80802cc10a9a4a

SHA512
60621eeb8132eb958999fd29674abe0acf2f9633e68be5f45b22acfc3730f9051d9140ba75448cf44602ea01d097ae84de6b9c12c8fdedd257e9f6a2d18b9218

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5168a8b-076e-47fa-8188-ec66f06b2e50.vbs

Filesize
728B

MD5
c9149b5ae006d1a7ee87590325e329c0

SHA1
5bbc3a032fdac1e47ce870d5daabb331a42c15c9

SHA256
05742cea55f27209a212f084ca5dc91c0ed8fb5d2c36e982889fb479bb22abae

SHA512
a5b16766df4610b7e3f3d70f8d6bf70580136f51e6ac3ab434814cc6cf09b9bd89918a8f7fce91afc5429a3ea58e3e19ec7b6c944e278f7625a54aea3222ed6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7649d3-991b-4611-bbef-8c8bda6303cd.vbs

Filesize
728B

MD5
183adf43c7a88a34801cf8324a98933b

SHA1
16619f82d9f8d579a5cf224bc931eca0f345957f

SHA256
a7d6c649673e8b570c0cd74423d90b45d7809995b52db450dd9ee4b2ba711136

SHA512
f0d4659fbb31e4c992262d38d681ddf591ab6a631f4931f668e47c071c667e991bfd11404de585a3fe1d12a9e25138ba5c28b1794445ad32b0715aefc4723260

Download Submit
C:\Users\Admin\AppData\Local\Temp\f54a6a75-e71c-4cb5-9d99-79f821d7083a.vbs

Filesize
728B

MD5
79ce4b86910745684e16cafe5a7316c8

SHA1
d076c03775c9f8b8df6136019ef3fcf61c3d526c

SHA256
d1d1ddae83751bc89f3581842f59cc0dcc19c3a462962cfd94db9594f233ea6e

SHA512
15cac36ebbca7abd764e2d0a28e3f32346b492c87643ba90af41d435320aef566eaac04a7aeb5e72db5f7f82d8a8a79237b49c06ed4c675b6df85044ada872bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZ7ZHhiPOX.bat

Filesize
217B

MD5
60d50da1dc484f0dfc62f09180a904f7

SHA1
d51795b833fd9d0f6f418ae3203c2b6e4d6a20ad

SHA256
fc83a71922be3bd95d3702e793bf22b1c9ca145eae9a466b32180ded314d9e99

SHA512
5d159cdb48a873833a24f225f2013194dc90be593f1449280a7fb5dd63192f7f5b66a26fae151ea92b5be5d018225f347823bb8eb8e935e4ce7983fcfe4aaece

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed323bb7b9ce72c8b44ea48468212621

SHA1
13c840b331b3c62b4b0ddec5e6203655b8eb993b

SHA256
8bfe8175782d3bbf3d10f918036ff8eb32fa17f548c148cb9c1c050cc896e6f4

SHA512
e9e30f597c2dbea82217bb777b7f6838ba341ae7faa23cc6da372ceb4f0cc454ed6ed47801f3a2ffdc1a2fc148a58ad7fee846dcd91e0cff1bc5c1e6b3c0e847

Download Submit
memory/1736-367-0x0000000000110000-0x00000000002B2000-memory.dmp

Filesize
1.6MB

Download
memory/2404-227-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-228-0x0000000002030000-0x0000000002038000-memory.dmp

Filesize
32KB

Download
memory/2452-298-0x0000000001380000-0x0000000001522000-memory.dmp

Filesize
1.6MB

Download
memory/2496-321-0x00000000010B0000-0x0000000001252000-memory.dmp

Filesize
1.6MB

Download
memory/2608-435-0x00000000000F0000-0x0000000000292000-memory.dmp

Filesize
1.6MB

Download
memory/2608-379-0x00000000012A0000-0x0000000001442000-memory.dmp

Filesize
1.6MB

Download
memory/2744-250-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-14-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2744-212-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2744-6-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2744-1-0x0000000001160000-0x0000000001302000-memory.dmp

Filesize
1.6MB

Download
memory/2744-10-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2744-11-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2744-12-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2744-2-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-16-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/2744-13-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2744-0-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2744-15-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/2744-7-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2744-8-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2744-9-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2744-5-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/2744-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2744-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2788-309-0x0000000000380000-0x0000000000522000-memory.dmp

Filesize
1.6MB

Download
memory/2880-333-0x00000000012C0000-0x0000000001462000-memory.dmp

Filesize
1.6MB

Download