dcrat | aff3e08b50336ce6a1cfe39c45d32d918dc6f190662aef666addb193f44d47a8

Analysis

max time kernel
148s
max time network
157s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Size

1.6MB
MD5

5c40a0842a538e01695fdfb1b5268840
SHA1

77815adb386d69b1615b318ba20434663a5416bf
SHA256

76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a
SHA512

30ef7616b385e77a350310f7ea4cf193e0bca1107366c51f1808ae8d9277904fce4dfec23e72fc7fffa022b5ad87d2aa7dfa35b140b93ab84d2d87d365237a8d
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2836	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral27/memory/2904-1-0x0000000000370000-0x0000000000512000-memory.dmp	dcrat
behavioral27/files/0x000500000001a48a-25.dat	dcrat
behavioral27/files/0x000800000001c85a-91.dat	dcrat
behavioral27/files/0x000400000001c917-113.dat	dcrat
behavioral27/files/0x000c00000001a482-149.dat	dcrat
behavioral27/files/0x000800000001a48a-205.dat	dcrat
behavioral27/memory/2480-360-0x0000000000CC0000-0x0000000000E62000-memory.dmp	dcrat
behavioral27/memory/1972-382-0x0000000000E00000-0x0000000000FA2000-memory.dmp	dcrat
behavioral27/memory/1612-394-0x0000000000390000-0x0000000000532000-memory.dmp	dcrat
behavioral27/memory/2740-406-0x0000000000F80000-0x0000000001122000-memory.dmp	dcrat
behavioral27/memory/884-418-0x0000000001310000-0x00000000014B2000-memory.dmp	dcrat
behavioral27/memory/2504-441-0x0000000000190000-0x0000000000332000-memory.dmp	dcrat
behavioral27/memory/2888-453-0x0000000001360000-0x0000000001502000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2620	powershell.exe
1132	powershell.exe
1804	powershell.exe
2804	powershell.exe
2424	powershell.exe
1936	powershell.exe
1744	powershell.exe
2332	powershell.exe
2368	powershell.exe
2004	powershell.exe
1324	powershell.exe
2208	powershell.exe
904	powershell.exe
1624	powershell.exe
1772	powershell.exe
2376	powershell.exe
2276	powershell.exe
1408	powershell.exe
2012	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2480	audiodg.exe
2516	audiodg.exe
1972	audiodg.exe
1612	audiodg.exe
2740	audiodg.exe
884	audiodg.exe
564	audiodg.exe
2504	audiodg.exe
2888	audiodg.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB231.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXB669.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RCXB87E.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\DVD Maker\lsass.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\6cb0b6c459d5d3	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\Windows Sidebar\de-DE\csrss.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\Windows Sidebar\de-DE\886983d96e3d3e	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\DVD Maker\6203df4a6bafc7	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB1B3.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\lsm.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\OSPPSVC.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\DVD Maker\RCXBDA0.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files (x86)\MSBuild\27d1bcfc3c54e0	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files (x86)\Microsoft Office\OSPPSVC.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files (x86)\MSBuild\lsm.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\System.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\dwm.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCXBAA2.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files (x86)\MSBuild\System.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files (x86)\MSBuild\101b941d020240	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXA82A.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\csrss.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\DVD Maker\RCXBD22.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\DVD Maker\lsass.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXB659.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RCXB86D.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCXBA81.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files (x86)\Microsoft Office\1610b97d3ab4a7	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\dwm.exe	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXA81A.tmp	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2332	schtasks.exe
896	schtasks.exe
1408	schtasks.exe
1376	schtasks.exe
888	schtasks.exe
1288	schtasks.exe
1696	schtasks.exe
884	schtasks.exe
2748	schtasks.exe
2000	schtasks.exe
2164	schtasks.exe
2220	schtasks.exe
1596	schtasks.exe
2248	schtasks.exe
1612	schtasks.exe
2112	schtasks.exe
2756	schtasks.exe
1092	schtasks.exe
264	schtasks.exe
2320	schtasks.exe
2488	schtasks.exe
2376	schtasks.exe
748	schtasks.exe
564	schtasks.exe
1636	schtasks.exe
2092	schtasks.exe
2456	schtasks.exe
2492	schtasks.exe
2708	schtasks.exe
2360	schtasks.exe
2860	schtasks.exe
2080	schtasks.exe
1440	schtasks.exe
1660	schtasks.exe
1516	schtasks.exe
2200	schtasks.exe
3060	schtasks.exe
2584	schtasks.exe
772	schtasks.exe
2560	schtasks.exe
2008	schtasks.exe
2020	schtasks.exe
2436	schtasks.exe
2744	schtasks.exe
2252	schtasks.exe
1720	schtasks.exe
1860	schtasks.exe
108	schtasks.exe
3052	schtasks.exe
2676	schtasks.exe
396	schtasks.exe
2528	schtasks.exe
1312	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
1324	powershell.exe
1624	powershell.exe
904	powershell.exe
2004	powershell.exe
1408	powershell.exe
2424	powershell.exe
2376	powershell.exe
2276	powershell.exe
1132	powershell.exe
1804	powershell.exe
2208	powershell.exe
1772	powershell.exe
1744	powershell.exe
2804	powershell.exe
1936	powershell.exe
2620	powershell.exe
2012	powershell.exe
2368	powershell.exe
2332	powershell.exe
2480	audiodg.exe
2516	audiodg.exe
1972	audiodg.exe
1612	audiodg.exe
2740	audiodg.exe
884	audiodg.exe
564	audiodg.exe
2504	audiodg.exe
2888	audiodg.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2480	audiodg.exe
Token: SeDebugPrivilege	2516	audiodg.exe
Token: SeDebugPrivilege	1972	audiodg.exe
Token: SeDebugPrivilege	1612	audiodg.exe
Token: SeDebugPrivilege	2740	audiodg.exe
Token: SeDebugPrivilege	884	audiodg.exe
Token: SeDebugPrivilege	564	audiodg.exe
Token: SeDebugPrivilege	2504	audiodg.exe
Token: SeDebugPrivilege	2888	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2376	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	85
PID 2904 wrote to memory of 2376	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	85
PID 2904 wrote to memory of 2376	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	85
PID 2904 wrote to memory of 2276	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	86
PID 2904 wrote to memory of 2276	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	86
PID 2904 wrote to memory of 2276	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	86
PID 2904 wrote to memory of 1408	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	88
PID 2904 wrote to memory of 1408	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	88
PID 2904 wrote to memory of 1408	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	88
PID 2904 wrote to memory of 1624	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	89
PID 2904 wrote to memory of 1624	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	89
PID 2904 wrote to memory of 1624	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	89
PID 2904 wrote to memory of 2804	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	92
PID 2904 wrote to memory of 2804	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	92
PID 2904 wrote to memory of 2804	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	92
PID 2904 wrote to memory of 904	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	93
PID 2904 wrote to memory of 904	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	93
PID 2904 wrote to memory of 904	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	93
PID 2904 wrote to memory of 2208	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	94
PID 2904 wrote to memory of 2208	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	94
PID 2904 wrote to memory of 2208	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	94
PID 2904 wrote to memory of 2004	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	95
PID 2904 wrote to memory of 2004	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	95
PID 2904 wrote to memory of 2004	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	95
PID 2904 wrote to memory of 1804	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	96
PID 2904 wrote to memory of 1804	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	96
PID 2904 wrote to memory of 1804	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	96
PID 2904 wrote to memory of 1324	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	97
PID 2904 wrote to memory of 1324	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	97
PID 2904 wrote to memory of 1324	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	97
PID 2904 wrote to memory of 2424	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	98
PID 2904 wrote to memory of 2424	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	98
PID 2904 wrote to memory of 2424	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	98
PID 2904 wrote to memory of 2368	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	99
PID 2904 wrote to memory of 2368	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	99
PID 2904 wrote to memory of 2368	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	99
PID 2904 wrote to memory of 1132	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	101
PID 2904 wrote to memory of 1132	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	101
PID 2904 wrote to memory of 1132	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	101
PID 2904 wrote to memory of 2332	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	103
PID 2904 wrote to memory of 2332	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	103
PID 2904 wrote to memory of 2332	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	103
PID 2904 wrote to memory of 1744	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	105
PID 2904 wrote to memory of 1744	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	105
PID 2904 wrote to memory of 1744	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	105
PID 2904 wrote to memory of 2620	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	106
PID 2904 wrote to memory of 2620	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	106
PID 2904 wrote to memory of 2620	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	106
PID 2904 wrote to memory of 1936	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	108
PID 2904 wrote to memory of 1936	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	108
PID 2904 wrote to memory of 1936	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	108
PID 2904 wrote to memory of 1772	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	110
PID 2904 wrote to memory of 1772	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	110
PID 2904 wrote to memory of 1772	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	110
PID 2904 wrote to memory of 2012	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	111
PID 2904 wrote to memory of 2012	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	111
PID 2904 wrote to memory of 2012	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	111
PID 2904 wrote to memory of 888	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	123
PID 2904 wrote to memory of 888	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	123
PID 2904 wrote to memory of 888	2904	76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe	123
PID 888 wrote to memory of 2520	888	cmd.exe	125
PID 888 wrote to memory of 2520	888	cmd.exe	125
PID 888 wrote to memory of 2520	888	cmd.exe	125
PID 888 wrote to memory of 2480	888	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe
"C:\Users\Admin\AppData\Local\Temp\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s9W2tFAszy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2520
- - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e46e5b15-8765-4d85-8f89-f5642e76d8ac.vbs"
      4⤵
      PID:2708
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\538da72a-e3eb-49c7-92a9-62d0fe52153f.vbs"
        6⤵
        
        PID:2416
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfde9e91-55b9-44ec-8d5a-e942b38fa15e.vbs"
        8⤵
        
        PID:748
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c640b3c9-8775-4897-9bb7-9037f930e2da.vbs"
        10⤵
        
        PID:2904
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acce0d4b-2d50-42ad-88bb-0bca5c4ec354.vbs"
        12⤵
        
        PID:880
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85105ecf-c86c-40e6-8d1f-34dab3c71505.vbs"
        14⤵
        
        PID:2396
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c70d8b4-428b-4a16-866f-6d84da04a258.vbs"
        16⤵
        
        PID:1844
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01dd2041-7c6e-4011-bbb8-3d4b31e7a2cb.vbs"
        18⤵
        
        PID:1976
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62119b8b-f4c2-4200-82c9-8b9a0b51dac5.vbs"
        20⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad3ecc63-01b3-452a-9eba-490cb20dd343.vbs"
        20⤵
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88ce2ec5-1438-4853-86cd-a0f90d958467.vbs"
        18⤵
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6431bfc8-d44f-44e4-b4b6-abe5a4fcbb6f.vbs"
        16⤵
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b1fbdc0-2ca1-4af5-8837-dc68f4e481e5.vbs"
        14⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89abf258-d00a-41b5-b57e-0c06783ba865.vbs"
        12⤵
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03a7a399-7299-4b48-a824-55a5be388d95.vbs"
        10⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e19dc76a-617e-436d-9a9e-e2fa846d68fe.vbs"
        8⤵
        
        PID:2896
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cf9298e-e60a-48a8-89c0-ee56306552d0.vbs"
        6⤵
        
        PID:304
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4018b61-ec3c-4ba8-a154-4c7cbb9affa9.vbs"
      4⤵
      PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Media Renderer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe

Filesize
1.6MB

MD5
174da833bf532080d200f599e04aba8f

SHA1
1aec1f290e302f7f41b686b3deb8b795c702d815

SHA256
ff22a5cde3feebb7165615da1ad05db088fd1a437d624fa11a0ec2198a90a6a0

SHA512
d33547753e3d162858868fa92b0ecfa0dc23ff78371b9a4060aed319b9ddbb80301550492590d81398e7ba1fcc2354d8defae17575cdc10f1242150c80f286fb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe

Filesize
1.6MB

MD5
5c40a0842a538e01695fdfb1b5268840

SHA1
77815adb386d69b1615b318ba20434663a5416bf

SHA256
76dd2ca60d223e71018ff94913c12bf34a1af1037b3c74a3984b2ba72623e61a

SHA512
30ef7616b385e77a350310f7ea4cf193e0bca1107366c51f1808ae8d9277904fce4dfec23e72fc7fffa022b5ad87d2aa7dfa35b140b93ab84d2d87d365237a8d

Download Submit
C:\Program Files (x86)\MSBuild\lsm.exe

Filesize
1.6MB

MD5
43d9bedf931a23f4dfd18171c3f78d89

SHA1
1b6734ab9ea6c2875a11ac366e86c27795483869

SHA256
177930d092a42b81ea8a4c66d3301b7ae77618de693fe1c1ef3a4fd06d494720

SHA512
e3db4043e71697d67844e994a17b1f3a7b6aed819cc41f3d5168461845f7f7b804ca5d0daed31f580b0558f1ebb936f6c62221c714b10a7c8736c20862b505df

Download Submit
C:\Program Files\DVD Maker\lsass.exe

Filesize
1.6MB

MD5
6913c34511f85b77daa7fcff408a2122

SHA1
804a912000b98d9b32392c191cfe81812f959aa0

SHA256
68383ed4e9a0ee5a1023e03db80582719f6471e2060a27376afe9e46fc162a29

SHA512
7ba94520d58af093a8559b8e914c2f05f98c08967264686e83a4dfe76e227641b674eb3a3a4b391dfcaa5f19f3f45f709e97de1364e2dea6e93b5efe255f520b

Download Submit
C:\Users\Admin\AppData\Local\Temp\01dd2041-7c6e-4011-bbb8-3d4b31e7a2cb.vbs

Filesize
736B

MD5
1559108190e2066cffd5a87440d26fea

SHA1
a67963a3a145b754319e0978bf00016f750a20fa

SHA256
d93a0e5d1ebe22e5f1d17a6fa0c06cf06941a2c90a2a8ade31ebbc3e1d1f0a36

SHA512
94ad674f99eca79a70d207497e71161369fa85442891404a60db8ff22cb36b822846060208d49b14a89774365958aa8edc1d14ea7874e64ff2533d5acabe8e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c70d8b4-428b-4a16-866f-6d84da04a258.vbs

Filesize
735B

MD5
d8f86c68bb2a903061b79b5df15502cf

SHA1
07a67200d4396e5f46461f60c801d02bd1ed97ab

SHA256
ddf26c4ebaa57d51d9fa363dd3c5ecc1a2a6a70672bebb66dc26b6eb2fce3e9a

SHA512
03eb211712527bbec42b6210f4157443422602f5be3eec0eaf3302a77f30d8586843be1a8f0c9da04d1ab5b970e433d3347c4e3c69c50ff6d7f304f7c893fdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\538da72a-e3eb-49c7-92a9-62d0fe52153f.vbs

Filesize
736B

MD5
2fb44fdeb65606b5f9e9a613bf92e0e5

SHA1
087943599b870653467a8251703a2bec1e77efd4

SHA256
30f1a0b2c8fbea90f183f7929d106bd64d0f8763010b1c47e75a55ffc2fd06d0

SHA512
e40480416c7723c0e20235bdc794fa7e4321ba28156b1a07efd138d7163c8cd0ae39a8ffa1f239e0b53b52de4787b1ec77843c6d1429db5ec3fc34dd0deb1dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\62119b8b-f4c2-4200-82c9-8b9a0b51dac5.vbs

Filesize
736B

MD5
1b2a920ba20308992adc33abf59cfa6f

SHA1
0b6f69f01e1266412cd031bde4a7894544307851

SHA256
db443a27b0a410e17f75086290e98d7eb72c02bfc6d1e7d420fb903c2c6f4a3f

SHA512
65973c71123f3f6653efaba50ce5417bd3319aed516daa6ddf57e525dd49920d6fb1ae75103f2bd0fd6491e24d78d00f070c004d1123175ebf80cba26c34640b

Download Submit
C:\Users\Admin\AppData\Local\Temp\85105ecf-c86c-40e6-8d1f-34dab3c71505.vbs

Filesize
735B

MD5
60326b42ad4b00703af099edba1ab535

SHA1
afa00952b97c1446a9e75ba5dbfe74789fd34d72

SHA256
9c4519756e1cbaa0b328204c18489c7f10b3904a3e32e8ecde756028954e1565

SHA512
cf80042d5f8230c316c62337bb5e1c9ac043feea1d4c772a5ed67e740c51e1fe81db57152a0c0a84cae774a69731aff2149459549820db62165133a351277dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\acce0d4b-2d50-42ad-88bb-0bca5c4ec354.vbs

Filesize
736B

MD5
8c978db19fdfaa7b1b5904f424dde834

SHA1
14a0ef136a3e37b02976cea3288e95bd92e33c30

SHA256
34997396aa1ad8886e9e2e29a94bc3982b168cdff5e8a2dc614c490f1a117be3

SHA512
20ef57cd49acf80ddd70d1248193c293844741e5f8516d924e75945c8eb08173cbd25b4dba2009a63253bbad0e9d5c0ca688afea00be5382c82f0963383ba525

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4018b61-ec3c-4ba8-a154-4c7cbb9affa9.vbs

Filesize
512B

MD5
a21c0bebf9760fcaa4f8256fedf163c3

SHA1
fa83415f4c654f2fbf57de64f217c162b981d5e8

SHA256
194e0e5a3a26aab542b14079c544f01606fd4f086e3fc26a8ec4e1caad23310f

SHA512
0ffdc10a5d0e2f5d2329f4607017a6500a76b05e2c360b1ce1b475d6742799d2222a00a838b143bdc86c37f91364511b28c3ee683ced9d07c38984f3f7adcb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c640b3c9-8775-4897-9bb7-9037f930e2da.vbs

Filesize
736B

MD5
89c5c240c1e1c5a0443fd85e99aa7faf

SHA1
848b376712b288d80e706a90bcef5434f9a59576

SHA256
2f6a3ed9d3a3bcab2f1cabed8cae9497ed507e60bb2dba87849942e69d514d97

SHA512
ba77961980f29f45d0403d2890073dbe17e38f1288596c3b6de884b76df8d686672ad6e3dc735667fee947cd62ac1bdcf11be5169e72504da0c1240adf4664b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfde9e91-55b9-44ec-8d5a-e942b38fa15e.vbs

Filesize
736B

MD5
6ca18f0562592ab9c7660eae15e77bbd

SHA1
95e5a5467afd921266d9a6f8b90d60f620693c5b

SHA256
a008894cf4e265e92ec17b158e3617c0568665861d04f2218274d930b211afe6

SHA512
8cde5f2643e9f8c189ef69dae93ca180bae2927970b41c75f2a30ef470db6d05dda8ff168bd2cb293f3956ec6de9d8e15d536eac5a1d4f527f708584ac0404e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e46e5b15-8765-4d85-8f89-f5642e76d8ac.vbs

Filesize
736B

MD5
aea6e2978e9896b13eb86cf714b7efd6

SHA1
8a5f5d642997fd65656a35cdbea74b4822634393

SHA256
a633d6532f0b77a4cd3a65764f7927f27c4739a897fe80798e9bf4248f4cdbaa

SHA512
297a02b7278168553f79dfa5702e362c6173e428381578cb6d4c12b8554a2d62bc492bbe859b3371468863140d7805b6969f21f2b0459373ecb82014173ecec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\s9W2tFAszy.bat

Filesize
225B

MD5
4248bb004dfb2e965de5043cf6c789fc

SHA1
73a37c54df244097a87938534d48538ac858ded5

SHA256
8e8896889c527aaca0e7893625f997e7c5120caf0ee13a52654e7dc92e0e94b1

SHA512
e80e947e5cafc37e2ccf2dc1d4dec25343624b96fe3c945ee09472bedabfad597f540f1b409c77da3e11a6c1c02494349de995cb335abc1de78e06178ec385f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
671bf4fa268b34676c40ff1fd8240769

SHA1
e785caf5ff89f0a83cbb4696ff4edc1107466455

SHA256
43021a134c77941707018d7c77e8d2d6fe0b3b83e12a1815d58bf15499010aa7

SHA512
fc9e45e29e16e181de8599d7e5a3ccd2c3c33e589cb43306c57d0a56ac8696fac8e79fc7dcb29cc62169e60f2a0bead430fafa072fe97a39b5ec52ff529f3c31

Download Submit
C:\Users\Default\taskhost.exe

Filesize
1.6MB

MD5
6ebbaf68960dc45d8046f7718b9805d0

SHA1
3cc00dcc59b6593c9f74060d56a87b90056e5c3b

SHA256
56b278eb9ba4e5e1fd66a184809ca9d8af8d4fc2712e79fbd8987444f31f0f6e

SHA512
37548b133a9f70d5f65c4a56dcd217b02add919f9c581d2012361046ff1fcddff61eb83513d4fed796bf8e5d8ce8df16840eb54e04348449422ec5f89fee1572

Download Submit
memory/884-418-0x0000000001310000-0x00000000014B2000-memory.dmp

Filesize
1.6MB

Download
memory/1324-351-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1612-394-0x0000000000390000-0x0000000000532000-memory.dmp

Filesize
1.6MB

Download
memory/1744-333-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/1972-382-0x0000000000E00000-0x0000000000FA2000-memory.dmp

Filesize
1.6MB

Download
memory/2480-360-0x0000000000CC0000-0x0000000000E62000-memory.dmp

Filesize
1.6MB

Download
memory/2504-441-0x0000000000190000-0x0000000000332000-memory.dmp

Filesize
1.6MB

Download
memory/2740-406-0x0000000000F80000-0x0000000001122000-memory.dmp

Filesize
1.6MB

Download
memory/2888-453-0x0000000001360000-0x0000000001502000-memory.dmp

Filesize
1.6MB

Download
memory/2904-9-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2904-8-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2904-357-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-14-0x0000000002130000-0x0000000002138000-memory.dmp

Filesize
32KB

Download
memory/2904-12-0x0000000001FE0000-0x0000000001FEE000-memory.dmp

Filesize
56KB

Download
memory/2904-11-0x0000000001FD0000-0x0000000001FDA000-memory.dmp

Filesize
40KB

Download
memory/2904-10-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/2904-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2904-116-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-13-0x0000000002120000-0x0000000002128000-memory.dmp

Filesize
32KB

Download
memory/2904-7-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2904-15-0x000000001A810000-0x000000001A81A000-memory.dmp

Filesize
40KB

Download
memory/2904-6-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2904-5-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/2904-4-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2904-3-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/2904-16-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/2904-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-82-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x0000000000370000-0x0000000000512000-memory.dmp

Filesize
1.6MB

Download