dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
60s
max time network
61s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0343adab1970d928320ce2aa587fd3.exe
Size

1.6MB
MD5

1f0343adab1970d928320ce2aa587fd3
SHA1

e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8
SHA256

9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4
SHA512

c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2840	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral19/memory/2032-1-0x0000000000BD0000-0x0000000000D72000-memory.dmp	dcrat
behavioral19/files/0x0005000000019406-25.dat	dcrat
behavioral19/files/0x000500000001a4cf-62.dat	dcrat
behavioral19/files/0x000c0000000120ea-97.dat	dcrat
behavioral19/files/0x0006000000019406-119.dat	dcrat
behavioral19/files/0x000a000000019438-166.dat	dcrat
behavioral19/files/0x000700000001961b-226.dat	dcrat
behavioral19/files/0x000700000001961c-238.dat	dcrat
behavioral19/memory/2744-404-0x0000000000AC0000-0x0000000000C62000-memory.dmp	dcrat
behavioral19/memory/1912-426-0x0000000001050000-0x00000000011F2000-memory.dmp	dcrat
behavioral19/memory/2864-438-0x0000000000350000-0x00000000004F2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2608	powershell.exe
1660	powershell.exe
1568	powershell.exe
2736	powershell.exe
1784	powershell.exe
2116	powershell.exe
2664	powershell.exe
2760	powershell.exe
2892	powershell.exe
2068	powershell.exe
2976	powershell.exe
448	powershell.exe
1792	powershell.exe
2376	powershell.exe
1208	powershell.exe
1524	powershell.exe
572	powershell.exe
1556	powershell.exe
1844	powershell.exe
2456	powershell.exe
2140	powershell.exe
2548	powershell.exe
2108	powershell.exe
2124	powershell.exe
2912	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2500	1f0343adab1970d928320ce2aa587fd3.exe
2744	powershell.exe
2176	powershell.exe
1912	powershell.exe
2864	powershell.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\RCXCD79.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXCD7A.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Internet Explorer\fr-FR\conhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC2F4.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\conhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\RCXD1F0.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Google\Temp\cc11b995f2a76d	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXB58F.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXB590.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\RCXCF7E.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\RCXCFEC.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\e978f868350d50	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Google\Temp\winlogon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Mozilla Firefox\f3b6ecef712a24	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\1610b97d3ab4a7	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Google\powershell.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\OSPPSVC.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\24dbde2999530e	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCXC96F.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\WmiPrvSE.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Google\powershell.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6203df4a6bafc7	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC2F5.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Google\e978f868350d50	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\OSPPSVC.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\b75386f1303e64	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Mozilla Firefox\spoolsv.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\winlogon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\spoolsv.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Internet Explorer\fr-FR\088424020bedd6	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\WmiPrvSE.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCXC970.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\RCXD25E.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe	1f0343adab1970d928320ce2aa587fd3.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\dllhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Fonts\5940a34987c991	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Registration\CRMLog\6cb0b6c459d5d3	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Fonts\RCXB794.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Fonts\RCXB802.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXBEEB.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Registration\CRMLog\dwm.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Fonts\dllhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXBEEA.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Registration\CRMLog\dwm.exe	1f0343adab1970d928320ce2aa587fd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1160	schtasks.exe
2940	schtasks.exe
1252	schtasks.exe
2316	schtasks.exe
1564	schtasks.exe
2752	schtasks.exe
756	schtasks.exe
1208	schtasks.exe
2576	schtasks.exe
2124	schtasks.exe
1844	schtasks.exe
3004	schtasks.exe
2724	schtasks.exe
2696	schtasks.exe
2484	schtasks.exe
2688	schtasks.exe
1252	schtasks.exe
2212	schtasks.exe
2976	schtasks.exe
2596	schtasks.exe
700	schtasks.exe
1688	schtasks.exe
1292	schtasks.exe
1572	schtasks.exe
2328	schtasks.exe
2116	schtasks.exe
2528	schtasks.exe
2468	schtasks.exe
2568	schtasks.exe
2912	schtasks.exe
2176	schtasks.exe
2196	schtasks.exe
1596	schtasks.exe
1088	schtasks.exe
1596	schtasks.exe
2488	schtasks.exe
2892	schtasks.exe
1848	schtasks.exe
648	schtasks.exe
768	schtasks.exe
2304	schtasks.exe
2096	schtasks.exe
2224	schtasks.exe
1412	schtasks.exe
1184	schtasks.exe
1692	schtasks.exe
2568	schtasks.exe
2652	schtasks.exe
1224	schtasks.exe
1380	schtasks.exe
2320	schtasks.exe
2900	schtasks.exe
3036	schtasks.exe
2988	schtasks.exe
2816	schtasks.exe
908	schtasks.exe
1880	schtasks.exe
2108	schtasks.exe
1264	schtasks.exe
3024	schtasks.exe
2916	schtasks.exe
1788	schtasks.exe
1248	schtasks.exe
2540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2032	1f0343adab1970d928320ce2aa587fd3.exe
1568	powershell.exe
1784	powershell.exe
2976	powershell.exe
2736	powershell.exe
448	powershell.exe
2116	powershell.exe
2108	powershell.exe
1660	powershell.exe
2912	powershell.exe
572	powershell.exe
1792	powershell.exe
2608	powershell.exe
2500	1f0343adab1970d928320ce2aa587fd3.exe
2548	powershell.exe
1524	powershell.exe
1844	powershell.exe
2124	powershell.exe
1556	powershell.exe
1208	powershell.exe
2456	powershell.exe
2664	powershell.exe
2140	powershell.exe
2068	powershell.exe
2376	powershell.exe
2760	powershell.exe
2892	powershell.exe
2744	powershell.exe
2176	powershell.exe
1912	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	2500	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 572	2032	1f0343adab1970d928320ce2aa587fd3.exe	80
PID 2032 wrote to memory of 572	2032	1f0343adab1970d928320ce2aa587fd3.exe	80
PID 2032 wrote to memory of 572	2032	1f0343adab1970d928320ce2aa587fd3.exe	80
PID 2032 wrote to memory of 2736	2032	1f0343adab1970d928320ce2aa587fd3.exe	81
PID 2032 wrote to memory of 2736	2032	1f0343adab1970d928320ce2aa587fd3.exe	81
PID 2032 wrote to memory of 2736	2032	1f0343adab1970d928320ce2aa587fd3.exe	81
PID 2032 wrote to memory of 2976	2032	1f0343adab1970d928320ce2aa587fd3.exe	82
PID 2032 wrote to memory of 2976	2032	1f0343adab1970d928320ce2aa587fd3.exe	82
PID 2032 wrote to memory of 2976	2032	1f0343adab1970d928320ce2aa587fd3.exe	82
PID 2032 wrote to memory of 1568	2032	1f0343adab1970d928320ce2aa587fd3.exe	86
PID 2032 wrote to memory of 1568	2032	1f0343adab1970d928320ce2aa587fd3.exe	86
PID 2032 wrote to memory of 1568	2032	1f0343adab1970d928320ce2aa587fd3.exe	86
PID 2032 wrote to memory of 1524	2032	1f0343adab1970d928320ce2aa587fd3.exe	87
PID 2032 wrote to memory of 1524	2032	1f0343adab1970d928320ce2aa587fd3.exe	87
PID 2032 wrote to memory of 1524	2032	1f0343adab1970d928320ce2aa587fd3.exe	87
PID 2032 wrote to memory of 2548	2032	1f0343adab1970d928320ce2aa587fd3.exe	88
PID 2032 wrote to memory of 2548	2032	1f0343adab1970d928320ce2aa587fd3.exe	88
PID 2032 wrote to memory of 2548	2032	1f0343adab1970d928320ce2aa587fd3.exe	88
PID 2032 wrote to memory of 1660	2032	1f0343adab1970d928320ce2aa587fd3.exe	90
PID 2032 wrote to memory of 1660	2032	1f0343adab1970d928320ce2aa587fd3.exe	90
PID 2032 wrote to memory of 1660	2032	1f0343adab1970d928320ce2aa587fd3.exe	90
PID 2032 wrote to memory of 2116	2032	1f0343adab1970d928320ce2aa587fd3.exe	91
PID 2032 wrote to memory of 2116	2032	1f0343adab1970d928320ce2aa587fd3.exe	91
PID 2032 wrote to memory of 2116	2032	1f0343adab1970d928320ce2aa587fd3.exe	91
PID 2032 wrote to memory of 1792	2032	1f0343adab1970d928320ce2aa587fd3.exe	93
PID 2032 wrote to memory of 1792	2032	1f0343adab1970d928320ce2aa587fd3.exe	93
PID 2032 wrote to memory of 1792	2032	1f0343adab1970d928320ce2aa587fd3.exe	93
PID 2032 wrote to memory of 2608	2032	1f0343adab1970d928320ce2aa587fd3.exe	95
PID 2032 wrote to memory of 2608	2032	1f0343adab1970d928320ce2aa587fd3.exe	95
PID 2032 wrote to memory of 2608	2032	1f0343adab1970d928320ce2aa587fd3.exe	95
PID 2032 wrote to memory of 1784	2032	1f0343adab1970d928320ce2aa587fd3.exe	96
PID 2032 wrote to memory of 1784	2032	1f0343adab1970d928320ce2aa587fd3.exe	96
PID 2032 wrote to memory of 1784	2032	1f0343adab1970d928320ce2aa587fd3.exe	96
PID 2032 wrote to memory of 1844	2032	1f0343adab1970d928320ce2aa587fd3.exe	97
PID 2032 wrote to memory of 1844	2032	1f0343adab1970d928320ce2aa587fd3.exe	97
PID 2032 wrote to memory of 1844	2032	1f0343adab1970d928320ce2aa587fd3.exe	97
PID 2032 wrote to memory of 2912	2032	1f0343adab1970d928320ce2aa587fd3.exe	98
PID 2032 wrote to memory of 2912	2032	1f0343adab1970d928320ce2aa587fd3.exe	98
PID 2032 wrote to memory of 2912	2032	1f0343adab1970d928320ce2aa587fd3.exe	98
PID 2032 wrote to memory of 2124	2032	1f0343adab1970d928320ce2aa587fd3.exe	101
PID 2032 wrote to memory of 2124	2032	1f0343adab1970d928320ce2aa587fd3.exe	101
PID 2032 wrote to memory of 2124	2032	1f0343adab1970d928320ce2aa587fd3.exe	101
PID 2032 wrote to memory of 448	2032	1f0343adab1970d928320ce2aa587fd3.exe	103
PID 2032 wrote to memory of 448	2032	1f0343adab1970d928320ce2aa587fd3.exe	103
PID 2032 wrote to memory of 448	2032	1f0343adab1970d928320ce2aa587fd3.exe	103
PID 2032 wrote to memory of 2108	2032	1f0343adab1970d928320ce2aa587fd3.exe	104
PID 2032 wrote to memory of 2108	2032	1f0343adab1970d928320ce2aa587fd3.exe	104
PID 2032 wrote to memory of 2108	2032	1f0343adab1970d928320ce2aa587fd3.exe	104
PID 2032 wrote to memory of 1556	2032	1f0343adab1970d928320ce2aa587fd3.exe	105
PID 2032 wrote to memory of 1556	2032	1f0343adab1970d928320ce2aa587fd3.exe	105
PID 2032 wrote to memory of 1556	2032	1f0343adab1970d928320ce2aa587fd3.exe	105
PID 2032 wrote to memory of 2500	2032	1f0343adab1970d928320ce2aa587fd3.exe	114
PID 2032 wrote to memory of 2500	2032	1f0343adab1970d928320ce2aa587fd3.exe	114
PID 2032 wrote to memory of 2500	2032	1f0343adab1970d928320ce2aa587fd3.exe	114
PID 2500 wrote to memory of 1208	2500	1f0343adab1970d928320ce2aa587fd3.exe	136
PID 2500 wrote to memory of 1208	2500	1f0343adab1970d928320ce2aa587fd3.exe	136
PID 2500 wrote to memory of 1208	2500	1f0343adab1970d928320ce2aa587fd3.exe	136
PID 2500 wrote to memory of 2140	2500	1f0343adab1970d928320ce2aa587fd3.exe	137
PID 2500 wrote to memory of 2140	2500	1f0343adab1970d928320ce2aa587fd3.exe	137
PID 2500 wrote to memory of 2140	2500	1f0343adab1970d928320ce2aa587fd3.exe	137
PID 2500 wrote to memory of 2376	2500	1f0343adab1970d928320ce2aa587fd3.exe	138
PID 2500 wrote to memory of 2376	2500	1f0343adab1970d928320ce2aa587fd3.exe	138
PID 2500 wrote to memory of 2376	2500	1f0343adab1970d928320ce2aa587fd3.exe	138
PID 2500 wrote to memory of 2456	2500	1f0343adab1970d928320ce2aa587fd3.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
"C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
  "C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\powershell.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Users\All Users\powershell.exe
    "C:\Users\All Users\powershell.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ee231af-11ce-4c87-8889-7617be3cabc6.vbs"
      4⤵
      PID:812
    - - C:\Users\All Users\powershell.exe
        
        "C:\Users\All Users\powershell.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3978e5ce-6521-4291-859c-ada1df68e228.vbs"
        6⤵
        
        PID:2628
        
        C:\Users\All Users\powershell.exe
        
        "C:\Users\All Users\powershell.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fe68298-e4ec-45e9-aacc-afa441e12d03.vbs"
        8⤵
        
        PID:352
        
        C:\Users\All Users\powershell.exe
        
        "C:\Users\All Users\powershell.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bbebfc6-a916-4eaa-a47c-508355582faa.vbs"
        8⤵
        
        PID:604
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6cc1871-debb-449c-85cd-a16bca1c9aa1.vbs"
        6⤵
        
        PID:2484
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17495615-63c4-48cb-8788-b8212204c4bd.vbs"
      4⤵
      PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd31" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\1f0343adab1970d928320ce2aa587fd3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd3" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\1f0343adab1970d928320ce2aa587fd3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd31" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\1f0343adab1970d928320ce2aa587fd3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\All Users\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\Recent\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Google\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\1f0343adab1970d928320ce2aa587fd3.exe

Filesize
1.6MB

MD5
267a97fe705669437ae7ac2fda528311

SHA1
a653e8fb50c9413ecbad169eaeb902bdc7f36531

SHA256
29777850131462092084e3e6140e47f087b7b49dd57b1b5adaef4a0948992cbc

SHA512
9589a3831fd2a545d21645f4d43434ed373fbd9f4c59857aae6e00a0e580e95012063ec7b822cab9a62930042c37eb37edeec3236dd446492fb3788df3420460

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\WmiPrvSE.exe

Filesize
1.6MB

MD5
bf6c8c4e703c8634d2c23fecbf80ff93

SHA1
39dc11d644b4b1523bea4796e6c00f4abc818d42

SHA256
bc75d2073749c1d2a1d9309031df3398b2b52bacc4e716148fc24ff059c094ef

SHA512
d0b6e28b9030a23bfd4d75ace114fb456cf3b1471dac70f7e525405c34e717f376d6c63879fa280198f3027f59e060615733af5f12814c9ab5c9b115a9768bad

Download Submit
C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\OSPPSVC.exe

Filesize
1.6MB

MD5
c3cff235ffe2f1aea1a9dc5d58244b8d

SHA1
ba3050f3a50d6b0b0ec3ae6e121d3555a4bf6e5e

SHA256
d4a9ae6693856ebd0b70ba1f595fd618a69a1184ed0671d7bc0b439273fe374d

SHA512
a4b40c6dc8761f01833cbda8d1e3f3f8c7813715a9b30580ad87e707578da461417906ea48090373ad96d319ba3e43e8210408ced7378adc345652a239f469d3

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\wininit.exe

Filesize
1.6MB

MD5
1f0343adab1970d928320ce2aa587fd3

SHA1
e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8

SHA256
9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4

SHA512
c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\17495615-63c4-48cb-8788-b8212204c4bd.vbs

Filesize
485B

MD5
93beaf918065e7cff83037e7e910603d

SHA1
48be033473a2b0c596b11c1557de21ab8e3ff7ed

SHA256
a5acb6ee82c38afb9203ff378497837f4922ee8f1a8e126d2f94a4010cf19e5b

SHA512
8b4f48dcb39383456e9938dacd7d7ea4f8f682721a94a82625217251162954b7e39bac747e9d91a6a2007796154f3dcd074e457514f013622d879d61c940e587

Download Submit
C:\Users\Admin\AppData\Local\Temp\3978e5ce-6521-4291-859c-ada1df68e228.vbs

Filesize
709B

MD5
bcf2188d7f52534e0d2236e6455685a9

SHA1
265a74aa30687c19cd06acf5300db604c178fd7c

SHA256
c866330f2e5379ff7db73a51be44f1ad144c22357b7dc76ab2028147d1dfb413

SHA512
b47e2a5080781b844cbe8a9538fe2ba7d482ba572735a6479be8366d60aec9d70b54935eda9d73ec5d883fe9482122669f476ba93275e039a1bd7cdfef8da4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ee231af-11ce-4c87-8889-7617be3cabc6.vbs

Filesize
709B

MD5
23a128be4001d9acc6298f62149af6d5

SHA1
0524ea7f1cab15dd1da145f4db3b2d9852a3530d

SHA256
49ecd58be291535edc34d34a529831ab6b28795e10006cb5232489e99c73efba

SHA512
46a36ce9be47cfaa01f9e467926aecbfc10ac56b5fe5bdb53654c5b89e9397c65a6543d27c45563d3cdc395a9d1ae85c8eb767755975c5f4a3f63fcf29222109

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fe68298-e4ec-45e9-aacc-afa441e12d03.vbs

Filesize
709B

MD5
347940d92f163120fc0085c355e88f42

SHA1
05fdf34d8db4631b127e5a047ea1580f27534267

SHA256
e4944df6c43a64898f92363b69f3af4535ba390e456404af039b995350179e57

SHA512
5395c19b92190ddf0daebfdf2b25e649aa8f42727f6440d2d68a75753720982e9bf36183c6518402b137db8555ed33564a7a5ecf310032b5c28b924a0025ba33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bd6abe09db052dc712c9f208a3db0b90

SHA1
09b51d66d27ba205fb84649ce340b30d60f3ca65

SHA256
5d59962f52a52823e8dcb9ad00f0f3330e468b585aa96e1ae286390734500895

SHA512
f3ec0fdb30c9d3acda7fb27ee791bfc815d60f8b68e44657511efdc4dedda7144d5990374fbe3d23e5d9f6b24f8cb9a4a7b2f21bf7793d9360a73c84e9e2825f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5d0c33598fc48f25469f540edbd1cc05

SHA1
2e7f376d11e4e64c76ab912fd0009fbb4d32bceb

SHA256
340fdef531a7a977426b67e254eb28ed222d65869a873f8a885381bd87a9da11

SHA512
af289fbd646aea9e8fc582802d0c1396ecee4a62a346a095c72e7d92a777f2ca6ba540e3deac884d6f66e32a85af6596520bf55a1d1e4e9ac64a94e15e5024f7

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\sppsvc.exe

Filesize
1.6MB

MD5
ee1aa9d4ff8dc15fdaf3c4ab5fc5defd

SHA1
7b2ebfbebedf08ba273850486553d3e605c16406

SHA256
ed888f884306d25b9bd0af6e446d9c67413dcbea1c2650715cea95e1394f83a7

SHA512
cda76a57ece9a067fe643e7e946650135410a84b84eaf4cb8fff5d23d64da955245bf50b4f19c34dd30ac31ff50f02c5c5fcb4a02eef24798ba751a796025cff

Download Submit
C:\Users\Default\lsass.exe

Filesize
1.6MB

MD5
6ff066bb255d8e141ffc22719311c70e

SHA1
e5cb847a5fe05edd0897ee98195e2ce2017d3a58

SHA256
f4468e078dbf3e27804acbe65e79f9f60511265d5e9b15e574e35c98a804eb39

SHA512
4510c13c89bdf8c44e3703ff3ad5bf86c4ddcc55b122eb093543b4dae68b3ab1e9a06f3d009dffd38bdc5a212500b1b2c871865bc2ec3d32eba3977d033bdd17

Download Submit
C:\Windows\Fonts\dllhost.exe

Filesize
1.6MB

MD5
74d0fd23e2b25a302a16d14f4199d6c9

SHA1
e4c833e55c93dfd4f1cec629d6d2a227bcfa6816

SHA256
bbe583317796d7349ed125cdac84ef63b1a2ec0ac16c7c7a8bfa7cd5139bcc46

SHA512
34067bd99f14044ff851747be8e1a560e5fb6b24cf436bd076cd7ef42b9cc412ca4126faa5119f86f7e1a64838f42231bcf5156c2313d5df911af2ac9936b6c6

Download Submit
memory/1208-374-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/1208-371-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1568-299-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1568-327-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1912-426-0x0000000001050000-0x00000000011F2000-memory.dmp

Filesize
1.6MB

Download
memory/2032-16-0x0000000002300000-0x000000000230C000-memory.dmp

Filesize
48KB

Download
memory/2032-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2032-6-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2032-217-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

Filesize
4KB

Download
memory/2032-7-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2032-229-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2032-9-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/2032-10-0x00000000022A0000-0x00000000022AC000-memory.dmp

Filesize
48KB

Download
memory/2032-15-0x00000000022F0000-0x00000000022FA000-memory.dmp

Filesize
40KB

Download
memory/2032-325-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2032-14-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2032-12-0x00000000022C0000-0x00000000022CE000-memory.dmp

Filesize
56KB

Download
memory/2032-8-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2032-13-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2032-5-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2032-1-0x0000000000BD0000-0x0000000000D72000-memory.dmp

Filesize
1.6MB

Download
memory/2032-4-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2032-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2032-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2032-11-0x00000000022B0000-0x00000000022BA000-memory.dmp

Filesize
40KB

Download
memory/2744-404-0x0000000000AC0000-0x0000000000C62000-memory.dmp

Filesize
1.6MB

Download
memory/2864-438-0x0000000000350000-0x00000000004F2000-memory.dmp

Filesize
1.6MB

Download