dcrat | a1ddae9574bbeadd40b789fc8c7719b47c0d4bd8ed93abbd1d07f7e866ac40a6

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
Size

1.6MB
MD5

c108bff5d7cf5216d440596c5c03fea4
SHA1

33eba9f19413d2d26bcd5b21b49bb43563cc0808
SHA256

99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08
SHA512

e92f8bd34f4aba2d026741fc883531532687579a97ceea6ea65926e2ff9e3a6905d959e21a24f0e8395cae8d676f972c05ea4e107875d3e41e9f6e05d436f4b3
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 47 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2596	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2596	schtasks.exe	30

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/2772-1-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat
behavioral9/files/0x000500000001a0a3-25.dat	dcrat
behavioral9/files/0x000900000001a466-98.dat	dcrat
behavioral9/files/0x0007000000019efb-109.dat	dcrat
behavioral9/files/0x000600000001a4dc-171.dat	dcrat
behavioral9/memory/876-252-0x00000000010E0000-0x0000000001282000-memory.dmp	dcrat
behavioral9/memory/2632-334-0x00000000012E0000-0x0000000001482000-memory.dmp	dcrat
behavioral9/memory/2860-357-0x0000000000380000-0x0000000000522000-memory.dmp	dcrat
behavioral9/memory/1964-369-0x00000000002B0000-0x0000000000452000-memory.dmp	dcrat
behavioral9/memory/1632-381-0x00000000013D0000-0x0000000001572000-memory.dmp	dcrat
behavioral9/memory/1180-393-0x0000000000350000-0x00000000004F2000-memory.dmp	dcrat
behavioral9/memory/1524-416-0x0000000000BD0000-0x0000000000D72000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
744	powershell.exe
1924	powershell.exe
1856	powershell.exe
1956	powershell.exe
2532	powershell.exe
1648	powershell.exe
1500	powershell.exe
628	powershell.exe
2028	powershell.exe
1272	powershell.exe
2220	powershell.exe
3060	powershell.exe
2000	powershell.exe
1680	powershell.exe
1708	powershell.exe
2964	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
876	services.exe
1356	services.exe
1624	services.exe
2632	services.exe
2900	services.exe
2860	services.exe
1964	services.exe
1632	services.exe
1180	services.exe
2880	services.exe
1524	services.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\sppsvc.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCX73D.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files\Google\Chrome\dwm.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX154C.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\1610b97d3ab4a7	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Program Files\Windows Sidebar\0a1fd5f707cd16	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6203df4a6bafc7	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCX6CE.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXDF7.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX19E2.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX19E3.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Program Files\Google\Chrome\dwm.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Program Files\Google\Chrome\6cb0b6c459d5d3	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXDF6.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX155C.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Program Files\Windows Sidebar\sppsvc.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\audiodg.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Logs\CBS\7a0fd90576e088	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Vss\Writers\System\wininit.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Vss\Writers\System\wininit.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Vss\Writers\System\56085415360792	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Migration\WTR\42af1c969fbb7b	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Migration\WTR\RCX20CA.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Logs\CBS\explorer.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\Migration\WTR\audiodg.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Logs\CBS\RCXBF2.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Logs\CBS\explorer.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX1770.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCX1771.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Migration\WTR\RCX20CB.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File created	C:\Windows\CSC\v2.0.6\spoolsv.exe	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
File opened for modification	C:\Windows\Logs\CBS\RCXBF1.tmp	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1848	schtasks.exe
2512	schtasks.exe
3064	schtasks.exe
2868	schtasks.exe
1484	schtasks.exe
1744	schtasks.exe
644	schtasks.exe
280	schtasks.exe
2212	schtasks.exe
2632	schtasks.exe
1784	schtasks.exe
2860	schtasks.exe
2892	schtasks.exe
1180	schtasks.exe
952	schtasks.exe
2156	schtasks.exe
2944	schtasks.exe
1604	schtasks.exe
1972	schtasks.exe
2324	schtasks.exe
1632	schtasks.exe
1040	schtasks.exe
1924	schtasks.exe
1572	schtasks.exe
2152	schtasks.exe
812	schtasks.exe
2832	schtasks.exe
1156	schtasks.exe
1648	schtasks.exe
2848	schtasks.exe
1356	schtasks.exe
568	schtasks.exe
904	schtasks.exe
2544	schtasks.exe
1628	schtasks.exe
2592	schtasks.exe
2644	schtasks.exe
1936	schtasks.exe
1868	schtasks.exe
1576	schtasks.exe
1184	schtasks.exe
2668	schtasks.exe
2580	schtasks.exe
1500	schtasks.exe
2356	schtasks.exe
620	schtasks.exe
688	schtasks.exe
2520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
1956	powershell.exe
1500	powershell.exe
2220	powershell.exe
2028	powershell.exe
1688	powershell.exe
1856	powershell.exe
744	powershell.exe
1680	powershell.exe
628	powershell.exe
876	services.exe
1272	powershell.exe
1924	powershell.exe
2000	powershell.exe
2964	powershell.exe
1708	powershell.exe
1648	powershell.exe
2532	powershell.exe
3060	powershell.exe
1356	services.exe
1624	services.exe
2632	services.exe
2900	services.exe
2860	services.exe
1964	services.exe
1632	services.exe
1180	services.exe
2880	services.exe
1524	services.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	876	services.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1356	services.exe
Token: SeDebugPrivilege	1624	services.exe
Token: SeDebugPrivilege	2632	services.exe
Token: SeDebugPrivilege	2900	services.exe
Token: SeDebugPrivilege	2860	services.exe
Token: SeDebugPrivilege	1964	services.exe
Token: SeDebugPrivilege	1632	services.exe
Token: SeDebugPrivilege	1180	services.exe
Token: SeDebugPrivilege	2880	services.exe
Token: SeDebugPrivilege	1524	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2028	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	79
PID 2772 wrote to memory of 2028	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	79
PID 2772 wrote to memory of 2028	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	79
PID 2772 wrote to memory of 1500	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	80
PID 2772 wrote to memory of 1500	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	80
PID 2772 wrote to memory of 1500	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	80
PID 2772 wrote to memory of 1272	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	81
PID 2772 wrote to memory of 1272	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	81
PID 2772 wrote to memory of 1272	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	81
PID 2772 wrote to memory of 1688	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	82
PID 2772 wrote to memory of 1688	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	82
PID 2772 wrote to memory of 1688	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	82
PID 2772 wrote to memory of 744	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	83
PID 2772 wrote to memory of 744	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	83
PID 2772 wrote to memory of 744	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	83
PID 2772 wrote to memory of 1680	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	84
PID 2772 wrote to memory of 1680	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	84
PID 2772 wrote to memory of 1680	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	84
PID 2772 wrote to memory of 1924	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	85
PID 2772 wrote to memory of 1924	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	85
PID 2772 wrote to memory of 1924	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	85
PID 2772 wrote to memory of 1856	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	86
PID 2772 wrote to memory of 1856	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	86
PID 2772 wrote to memory of 1856	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	86
PID 2772 wrote to memory of 2220	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	87
PID 2772 wrote to memory of 2220	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	87
PID 2772 wrote to memory of 2220	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	87
PID 2772 wrote to memory of 1956	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	88
PID 2772 wrote to memory of 1956	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	88
PID 2772 wrote to memory of 1956	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	88
PID 2772 wrote to memory of 628	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	89
PID 2772 wrote to memory of 628	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	89
PID 2772 wrote to memory of 628	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	89
PID 2772 wrote to memory of 1708	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	99
PID 2772 wrote to memory of 1708	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	99
PID 2772 wrote to memory of 1708	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	99
PID 2772 wrote to memory of 1648	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	103
PID 2772 wrote to memory of 1648	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	103
PID 2772 wrote to memory of 1648	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	103
PID 2772 wrote to memory of 2000	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	104
PID 2772 wrote to memory of 2000	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	104
PID 2772 wrote to memory of 2000	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	104
PID 2772 wrote to memory of 2532	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	105
PID 2772 wrote to memory of 2532	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	105
PID 2772 wrote to memory of 2532	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	105
PID 2772 wrote to memory of 3060	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	106
PID 2772 wrote to memory of 3060	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	106
PID 2772 wrote to memory of 3060	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	106
PID 2772 wrote to memory of 2964	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	107
PID 2772 wrote to memory of 2964	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	107
PID 2772 wrote to memory of 2964	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	107
PID 2772 wrote to memory of 876	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	113
PID 2772 wrote to memory of 876	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	113
PID 2772 wrote to memory of 876	2772	99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe	113
PID 876 wrote to memory of 1244	876	services.exe	114
PID 876 wrote to memory of 1244	876	services.exe	114
PID 876 wrote to memory of 1244	876	services.exe	114
PID 876 wrote to memory of 2760	876	services.exe	115
PID 876 wrote to memory of 2760	876	services.exe	115
PID 876 wrote to memory of 2760	876	services.exe	115
PID 1244 wrote to memory of 1356	1244	WScript.exe	116
PID 1244 wrote to memory of 1356	1244	WScript.exe	116
PID 1244 wrote to memory of 1356	1244	WScript.exe	116
PID 1356 wrote to memory of 2976	1356	services.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe
"C:\Users\Admin\AppData\Local\Temp\99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca01aa29-21ea-49db-bb9b-784837dd5cd4.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
      "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46cb3abf-bd5e-4aca-826a-08bdb8e51ada.vbs"
        5⤵
        
        PID:2976
      - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37a86899-0b1a-4e61-a77d-bcc5cbe1afa3.vbs"
        7⤵
        
        PID:1180
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce7c2879-4c2a-41e7-a300-b0653cff73ad.vbs"
        9⤵
        
        PID:2832
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e30562-a2a0-4dc4-84b0-ac48cdeee495.vbs"
        11⤵
        
        PID:880
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\071acc26-eaea-457b-8b67-dade8f278551.vbs"
        13⤵
        
        PID:1560
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\527199c3-77f0-4d23-a780-c0780c05635e.vbs"
        15⤵
        
        PID:2976
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\802c462c-7250-4299-92b1-a12c67c845e2.vbs"
        17⤵
        
        PID:3052
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e67605b-6736-4794-9d32-44545fa2d8ad.vbs"
        19⤵
        
        PID:2828
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6592eefb-da13-45e5-9f06-054920ee55a2.vbs"
        21⤵
        
        PID:2028
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16122456-1c64-4925-866c-c6767d943a93.vbs"
        23⤵
        
        PID:644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea6aa341-6aec-4f4b-b87b-36bcbd4ecd78.vbs"
        23⤵
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\552bcc9a-cab4-49c3-8dd6-4fc7a552784f.vbs"
        21⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07ddd1be-b3e7-4341-945c-cf429a80a69d.vbs"
        19⤵
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b392982-3d6e-47f9-8fdb-60a7f5347af1.vbs"
        17⤵
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f53dec-814d-4495-998c-1f56141789d5.vbs"
        15⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e543360-36d1-43e9-8258-6c2694ae09f8.vbs"
        13⤵
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a01a697-a1b1-4908-a1a6-ee407a47af81.vbs"
        11⤵
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\437cc99d-5d2e-48bb-a9b4-3dfe14b30928.vbs"
        9⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0241d936-131e-4840-a77b-a735a72d757a.vbs"
        7⤵
        
        PID:600
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70029557-8bb0-4a30-aa79-8989c976d2d6.vbs"
        5⤵
        
        PID:1048
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5328e8f7-96f2-48bc-bf2a-308a122a7de4.vbs"
    3⤵
    PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\CBS\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\CBS\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe

Filesize
1.6MB

MD5
587a7dd1853fe91a7a947b1e9855a3b4

SHA1
acaa63733acc3002ba85ab837b6ebf6c903f726a

SHA256
fb7f145f53f1fd53fa0b5fe46463cc2a748e6e7c4ce37eed3a005886e8b14ff1

SHA512
3b30604d7d8db1b956bda94925ad49f1cc7962ebbb6c17baefe236e4af83472eb046872c5b1b0168b013d24bf58e3f38b5f62a417843dc6015f4f1c0f39f17c6

Download Submit
C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe

Filesize
1.6MB

MD5
c108bff5d7cf5216d440596c5c03fea4

SHA1
33eba9f19413d2d26bcd5b21b49bb43563cc0808

SHA256
99171e268b3be0136512009ba3ca2c1b075462cee1598970b6537a992068fe08

SHA512
e92f8bd34f4aba2d026741fc883531532687579a97ceea6ea65926e2ff9e3a6905d959e21a24f0e8395cae8d676f972c05ea4e107875d3e41e9f6e05d436f4b3

Download Submit
C:\Program Files (x86)\Windows Mail\de-DE\OSPPSVC.exe

Filesize
1.6MB

MD5
561a7cf843a8115e6b85d02ce8f956c6

SHA1
100b6b0e123c6bb8f4d9c1ac43fd33da4b2c656b

SHA256
6386caefb341627b903052b0c2c5f783addae520c0398f5390c2a5532429d691

SHA512
a3522aaabb08cc230dfa04ec1e51705e66e5df02564fec06a5132264f1ba98d227b677ebf7ccea1d5138550a9109d4ffd8e170be902917f19a193df4cad41594

Download Submit
C:\Program Files\Windows Sidebar\RCX154C.tmp

Filesize
1.6MB

MD5
9b8135009d6e30944952caa171cb7f6c

SHA1
42a496e0f5faa7470c9714de39b6d218d5a49796

SHA256
17fcd1c6fea9af6b82ac39f9542a41f2b1217b19e6e9e558b1ce8ded25d657bb

SHA512
09e985526fb7dac559944f14e9c48f51937f0687b2dad07be1a0d8df45d5f537f614bbd55e9762a81278da74d3088bbde4169477edc04bebfa6ede43790ce851

Download Submit
C:\Users\Admin\AppData\Local\Temp\071acc26-eaea-457b-8b67-dade8f278551.vbs

Filesize
751B

MD5
7df396545790c64a31491d7f8418c7eb

SHA1
b97941d65f0cf344d3c2e0e82898908a8eb7f452

SHA256
32b95f19debd7824df5f9b860dc84bf4133c39a4b91700ea6b7762be67ac3f53

SHA512
c26a47201a6965ffdf02d1409aa5380d9ecdc6563127019381ae535e2f992ba984c952647c83bfb4f310fb832cbf74e3b9835a680dae3bcaa1aaa26492248cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\15e30562-a2a0-4dc4-84b0-ac48cdeee495.vbs

Filesize
751B

MD5
f4471e2c9873882d2bca46e3bfa8a1f1

SHA1
e079abd417efb4fe1bbfadc5e6b35af84bf42970

SHA256
17bbf73fe0dbd6c6a82f2d35a54795e694c05c6289cfc711c9f65669f263a85d

SHA512
c4ed6c111145ab9d91af3d8af9f237a81e1e20162e662801f8c73cab9ad3779fe3091c61965e26116cc53c8699da8b97aea4830318f5c1e338d345ebfca5abf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\16122456-1c64-4925-866c-c6767d943a93.vbs

Filesize
751B

MD5
9501ac49760c4a14f4c7c6ec33ec6e40

SHA1
bda391be9680182e2a628bf04087786d1e67c18d

SHA256
76a778d9aa34ce1488e73dd168e9051e096b97e7fcdc4d26fb6e8e0dfabe4d63

SHA512
1738da039ff0c4b0cab418fa951d3aab309ce0d5f95d2fbded840be42fa183b9cdeb227d45144339ea62764e242705a2742ba2474593e67825aa94c978fd5a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\37a86899-0b1a-4e61-a77d-bcc5cbe1afa3.vbs

Filesize
751B

MD5
e5ddfe7610c6ddbd8e50b55862ed324e

SHA1
1c7661acd6976f31b60332cd6e25045530938721

SHA256
71a2c331f51a90a7111cf5dfc46301b171ba8b8c20ff9db3e6b129a79c3f8c31

SHA512
c4f667e8d08c9cdb2164e72e564d9300878734f1133847a0453d83d7f9631c0cefb1911d26b6e8309719852c5a715ec3f8055e9eed18818a37a747ae81d8d2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\46cb3abf-bd5e-4aca-826a-08bdb8e51ada.vbs

Filesize
751B

MD5
a59f1176709e7075727c25cc6a3913c3

SHA1
568975fd65404468925d8c8392eae5935f3d2115

SHA256
ec2ffe2d5de3c4140533812667e16f76063501f06bb825422aa98290de0ec152

SHA512
f4439cfb9c5759ff0ca74f34a25cbc5094bc619df802b80df6c4326d2747b1627b188d8a09940ae7aa498ecf35a4a54c1a65117398aeff6e39ff9e7a04dad5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\527199c3-77f0-4d23-a780-c0780c05635e.vbs

Filesize
751B

MD5
a460a257dd2e1324d014f7d8187cc61f

SHA1
32945e7cc6fbbb6a52d4d79f047ce82eb9662cf8

SHA256
a6be1ac44effbebc13d18a4fe53190d21f9bca1db4156e9950dc71aa2bf57637

SHA512
4b86e0525cffd7d37bb827fde4461760f8842ed51dea3251c2e0940a00420f39b44649be5c6d061d286b06f7d1237a969e4d2c6fbaf9c3f4d785d75b9e699ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5328e8f7-96f2-48bc-bf2a-308a122a7de4.vbs

Filesize
527B

MD5
e8b2e11e651b892e9f004555e608ad14

SHA1
ecf2c60c2f79c9656f0511bbc657a7bb464bd727

SHA256
27a1ef2723f361304308ba5d0cb2fe5ff94845d407e7673d9c0e2eb1ec1525b7

SHA512
3d5d1f0a79764facb6a02b38de32f9c2a9e6e68430d24004555980a3c88ba256c7819e6aea2c9ad337248e9450a78839616317242b00051dbcdecc6c2d1f0774

Download Submit
C:\Users\Admin\AppData\Local\Temp\6592eefb-da13-45e5-9f06-054920ee55a2.vbs

Filesize
751B

MD5
3c93ae50acf7dc9afafed83e3453b8c7

SHA1
45fbcc79cdd416840fb8c8408573b935d3788f55

SHA256
5422d922d6d585cc469c53347f1e842d07ab5f7112cc1298a27f6ea0e820b189

SHA512
0666b077b675318a2d7daa3a713339b32de02ebb23d586f50891d4701c7703fd0ddff62d86feb6736836fadc86d7068200d37a96ed1b6cecd5684e9fea79fe3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e67605b-6736-4794-9d32-44545fa2d8ad.vbs

Filesize
751B

MD5
053bcda680cae2506e56bc5313419c1a

SHA1
227f7dccf4619b332f202e6fc03055a558203de5

SHA256
aca8bedd139ce56d235a8988147378e32d1da2c40b282dd36b37f4fa36bf1336

SHA512
81664c6408e644cbddc2aee699720146a52fe4d6d0bff4b4de4d0d0ad2a1d9ad7954577c6884c46d0216f7224f83bc46cecf988a9c641ca37af163ac8d663f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\802c462c-7250-4299-92b1-a12c67c845e2.vbs

Filesize
751B

MD5
c95598bdde6c4aa989282ebd8f3b4f18

SHA1
3fb1aa15e546785c777821aacb84a0a24b24c649

SHA256
238302c667f2fe1cb2865a32fbf778475f2cd4153e4c91d54fd09af5190818e4

SHA512
c61d26b4ffcbc129ff4d066d5d00e20d9ea5e309ccaa99f342057e9694d2e30d61eb8a52a6f0dccf7c814b59bf1888747322f94dfba94a12d294afe5020f47c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca01aa29-21ea-49db-bb9b-784837dd5cd4.vbs

Filesize
750B

MD5
785afe29751441a1d07a6b52dccaf796

SHA1
0edae432d66acc773ec0ee059c48197a17d17ec8

SHA256
6cd7067928c9b4b30ffe770577072a90eb923360a2bb3b8046643f40f0ade794

SHA512
2838cbcbdfb2d3309c068702a8c16bb8992b8cfe4268cdd4a27b21a85e2182d36913b8aa52b04a6efbd88c3c3fb30ec6c1dfff36d88a743d8ba75baa4b506f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce7c2879-4c2a-41e7-a300-b0653cff73ad.vbs

Filesize
751B

MD5
04936dce1aacb2274ec308afd046c974

SHA1
5d81a2f9ae1df1031a8bb31d789bfe2d30642b9c

SHA256
f13b065ff53bc27dea8ff6156d6322cf673b24d743cf41a054885a88dfc213b5

SHA512
cf4f5807fde8c994867315391f5b8b21beaeb2288227d80eb2fcbb32e75975ba70ecbf4c266d18a997a7ba3c9eceb3dac70d490b6dc12fba1bb20b7514825f33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H1W90TJX909NVSNWLOIQ.temp

Filesize
7KB

MD5
ae568389f4f9177e1ff0699332e3f8ac

SHA1
8219eee0be0b1bb9efc2ab5a30a6f039b82acfa7

SHA256
69b8099c06dce3095f3df9d527bbde6d00cf20ff0daaf90a090a88db861518da

SHA512
decd66077946a3b6cb9ff41788afb56a83e74e97b7f79f1da98f4290555a3f37c952d965506f6ce320cab05681c7b4d15570c0b339c90313f90e53cd390cff71

Download Submit
memory/876-252-0x00000000010E0000-0x0000000001282000-memory.dmp

Filesize
1.6MB

Download
memory/1180-393-0x0000000000350000-0x00000000004F2000-memory.dmp

Filesize
1.6MB

Download
memory/1524-416-0x0000000000BD0000-0x0000000000D72000-memory.dmp

Filesize
1.6MB

Download
memory/1632-381-0x00000000013D0000-0x0000000001572000-memory.dmp

Filesize
1.6MB

Download
memory/1956-243-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1956-242-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1964-369-0x00000000002B0000-0x0000000000452000-memory.dmp

Filesize
1.6MB

Download
memory/2632-334-0x00000000012E0000-0x0000000001482000-memory.dmp

Filesize
1.6MB

Download
memory/2772-11-0x0000000001FF0000-0x0000000001FFA000-memory.dmp

Filesize
40KB

Download
memory/2772-10-0x0000000001FE0000-0x0000000001FEC000-memory.dmp

Filesize
48KB

Download
memory/2772-226-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-203-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2772-16-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/2772-13-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/2772-14-0x00000000020A0000-0x00000000020A8000-memory.dmp

Filesize
32KB

Download
memory/2772-15-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/2772-12-0x0000000002080000-0x000000000208E000-memory.dmp

Filesize
56KB

Download
memory/2772-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download
memory/2772-265-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-9-0x0000000001FB0000-0x0000000001FBC000-memory.dmp

Filesize
48KB

Download
memory/2772-8-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/2772-4-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2772-5-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download
memory/2772-6-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2772-7-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/2772-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2772-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2860-357-0x0000000000380000-0x0000000000522000-memory.dmp

Filesize
1.6MB

Download