dcrat | 03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
Size

1.6MB
MD5

3460086ec800f981300049f405f07ab7
SHA1

6e642473448a705bfa2a9d9d54d1b0fdd88ed791
SHA256

03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371
SHA512

f7c9ac03a980ee2dfda8cb7e94a01375c326c32be75c628a9848409f2e621f69965b28fec3f8851cedb122c16aa66f8cb29dc92816ba0c83270a09b876828f88
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5380	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5948	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	228	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5600	228	schtasks.exe	87

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/976-1-0x0000000000F30000-0x00000000010D2000-memory.dmp	dcrat
behavioral2/files/0x00070000000242f8-26.dat	dcrat
behavioral2/files/0x001000000002413c-85.dat	dcrat
behavioral2/files/0x00090000000242f8-121.dat	dcrat
behavioral2/files/0x0009000000024300-130.dat	dcrat
behavioral2/files/0x0009000000024303-143.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4408	powershell.exe
5388	powershell.exe
4428	powershell.exe
768	powershell.exe
2580	powershell.exe
456	powershell.exe
644	powershell.exe
5328	powershell.exe
1884	powershell.exe
4204	powershell.exe
5268	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 14 IoCs

pid	Process
2216	lsass.exe
4272	lsass.exe
4584	lsass.exe
3496	lsass.exe
216	lsass.exe
3800	lsass.exe
5220	lsass.exe
3052	lsass.exe
4144	lsass.exe
6132	lsass.exe
3068	lsass.exe
4152	lsass.exe
5464	lsass.exe
4972	lsass.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX973E.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files (x86)\Microsoft\Temp\OfficeClickToRun.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\OfficeClickToRun.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files (x86)\Microsoft\Temp\e6c9b481da804f	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\RCX8946.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\RCX8947.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\55b276f4edf653	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX96C0.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\SppExtComObj.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\de-DE\RCX8B7C.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCX99E0.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Windows\de-DE\e1ef82546f0b02	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Windows\Panther\actionqueue\services.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Windows\Panther\actionqueue\c5b4cb5e9653cc	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\de-DE\RCX8B6B.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\de-DE\SppExtComObj.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCX9962.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\Panther\actionqueue\services.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4192	schtasks.exe
4552	schtasks.exe
4820	schtasks.exe
4724	schtasks.exe
2044	schtasks.exe
2056	schtasks.exe
3156	schtasks.exe
3564	schtasks.exe
5600	schtasks.exe
5296	schtasks.exe
4560	schtasks.exe
4576	schtasks.exe
5948	schtasks.exe
4664	schtasks.exe
4492	schtasks.exe
4120	schtasks.exe
4836	schtasks.exe
4676	schtasks.exe
4476	schtasks.exe
4628	schtasks.exe
4756	schtasks.exe
720	schtasks.exe
5380	schtasks.exe
4296	schtasks.exe
3960	schtasks.exe
400	schtasks.exe
1952	schtasks.exe
2204	schtasks.exe
4540	schtasks.exe
956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
644	powershell.exe
644	powershell.exe
5268	powershell.exe
5268	powershell.exe
5328	powershell.exe
5328	powershell.exe
5388	powershell.exe
5388	powershell.exe
2580	powershell.exe
2580	powershell.exe
4408	powershell.exe
4408	powershell.exe
768	powershell.exe
768	powershell.exe
4428	powershell.exe
4428	powershell.exe
1884	powershell.exe
1884	powershell.exe
456	powershell.exe
456	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
1884	powershell.exe
5268	powershell.exe
5328	powershell.exe
2580	powershell.exe
5388	powershell.exe
456	powershell.exe
768	powershell.exe
644	powershell.exe
644	powershell.exe
4408	powershell.exe
4428	powershell.exe
2216	lsass.exe
4272	lsass.exe
4584	lsass.exe
4584	lsass.exe
3496	lsass.exe
3496	lsass.exe
216	lsass.exe
216	lsass.exe
3800	lsass.exe
5220	lsass.exe
3052	lsass.exe
4144	lsass.exe
6132	lsass.exe
3068	lsass.exe
4152	lsass.exe
5464	lsass.exe
4972	lsass.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	5268	powershell.exe
Token: SeDebugPrivilege	5328	powershell.exe
Token: SeDebugPrivilege	5388	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	2216	lsass.exe
Token: SeDebugPrivilege	4272	lsass.exe
Token: SeDebugPrivilege	4584	lsass.exe
Token: SeDebugPrivilege	3496	lsass.exe
Token: SeDebugPrivilege	216	lsass.exe
Token: SeDebugPrivilege	3800	lsass.exe
Token: SeDebugPrivilege	5220	lsass.exe
Token: SeDebugPrivilege	3052	lsass.exe
Token: SeDebugPrivilege	4144	lsass.exe
Token: SeDebugPrivilege	6132	lsass.exe
Token: SeDebugPrivilege	3068	lsass.exe
Token: SeDebugPrivilege	4152	lsass.exe
Token: SeDebugPrivilege	5464	lsass.exe
Token: SeDebugPrivilege	4972	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 644	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	124
PID 976 wrote to memory of 644	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	124
PID 976 wrote to memory of 5388	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	125
PID 976 wrote to memory of 5388	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	125
PID 976 wrote to memory of 4428	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	126
PID 976 wrote to memory of 4428	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	126
PID 976 wrote to memory of 768	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	127
PID 976 wrote to memory of 768	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	127
PID 976 wrote to memory of 5328	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	128
PID 976 wrote to memory of 5328	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	128
PID 976 wrote to memory of 1884	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	129
PID 976 wrote to memory of 1884	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	129
PID 976 wrote to memory of 456	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	130
PID 976 wrote to memory of 456	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	130
PID 976 wrote to memory of 2580	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	131
PID 976 wrote to memory of 2580	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	131
PID 976 wrote to memory of 4408	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	132
PID 976 wrote to memory of 4408	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	132
PID 976 wrote to memory of 5268	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	133
PID 976 wrote to memory of 5268	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	133
PID 976 wrote to memory of 4204	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	134
PID 976 wrote to memory of 4204	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	134
PID 976 wrote to memory of 5448	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	146
PID 976 wrote to memory of 5448	976	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	146
PID 5448 wrote to memory of 5596	5448	cmd.exe	148
PID 5448 wrote to memory of 5596	5448	cmd.exe	148
PID 5448 wrote to memory of 2216	5448	cmd.exe	151
PID 5448 wrote to memory of 2216	5448	cmd.exe	151
PID 2216 wrote to memory of 3252	2216	lsass.exe	152
PID 2216 wrote to memory of 3252	2216	lsass.exe	152
PID 2216 wrote to memory of 6060	2216	lsass.exe	153
PID 2216 wrote to memory of 6060	2216	lsass.exe	153
PID 3252 wrote to memory of 4272	3252	WScript.exe	154
PID 3252 wrote to memory of 4272	3252	WScript.exe	154
PID 4272 wrote to memory of 5608	4272	lsass.exe	155
PID 4272 wrote to memory of 5608	4272	lsass.exe	155
PID 4272 wrote to memory of 5800	4272	lsass.exe	156
PID 4272 wrote to memory of 5800	4272	lsass.exe	156
PID 5608 wrote to memory of 4584	5608	WScript.exe	160
PID 5608 wrote to memory of 4584	5608	WScript.exe	160
PID 4584 wrote to memory of 5272	4584	lsass.exe	161
PID 4584 wrote to memory of 5272	4584	lsass.exe	161
PID 4584 wrote to memory of 5104	4584	lsass.exe	162
PID 4584 wrote to memory of 5104	4584	lsass.exe	162
PID 5272 wrote to memory of 3496	5272	WScript.exe	165
PID 5272 wrote to memory of 3496	5272	WScript.exe	165
PID 3496 wrote to memory of 4444	3496	lsass.exe	166
PID 3496 wrote to memory of 4444	3496	lsass.exe	166
PID 3496 wrote to memory of 2000	3496	lsass.exe	167
PID 3496 wrote to memory of 2000	3496	lsass.exe	167
PID 4444 wrote to memory of 216	4444	WScript.exe	168
PID 4444 wrote to memory of 216	4444	WScript.exe	168
PID 216 wrote to memory of 4772	216	lsass.exe	171
PID 216 wrote to memory of 4772	216	lsass.exe	171
PID 216 wrote to memory of 5068	216	lsass.exe	172
PID 216 wrote to memory of 5068	216	lsass.exe	172
PID 4772 wrote to memory of 3800	4772	WScript.exe	174
PID 4772 wrote to memory of 3800	4772	WScript.exe	174
PID 3800 wrote to memory of 1252	3800	lsass.exe	175
PID 3800 wrote to memory of 1252	3800	lsass.exe	175
PID 3800 wrote to memory of 5572	3800	lsass.exe	176
PID 3800 wrote to memory of 5572	3800	lsass.exe	176
PID 1252 wrote to memory of 5220	1252	WScript.exe	177
PID 1252 wrote to memory of 5220	1252	WScript.exe	177

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
"C:\Users\Admin\AppData\Local\Temp\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7mEKGU2bzn.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5448
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5596
- - C:\Recovery\WindowsRE\lsass.exe
    "C:\Recovery\WindowsRE\lsass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfb2ec3d-adcb-40b3-ae7e-0f00bd4313cd.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6785316-b770-4000-bea1-b0aa3c8191bf.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5608
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c61b96e3-d969-44e5-b7e1-cb90762eb95a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5272
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fced4da-b44b-4f60-8e3e-5ab4e54b7c63.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de591708-71ef-4651-a672-b76d03f09b30.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bdcfc09-2e0e-4038-a7df-bcb7d4e083bf.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\796fe36d-7e87-4cb7-b6aa-2d0646615557.vbs"
        16⤵
        
        PID:3352
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22b4d5e-270e-44fb-aa8d-18d478c8d79b.vbs"
        18⤵
        
        PID:1848
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25bd3f82-b7b2-40db-acae-b13bd8a0c81f.vbs"
        20⤵
        
        PID:3564
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8d0bc72-c968-456a-afdb-4d3d2d3c3577.vbs"
        22⤵
        
        PID:5280
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6e8f166-fcee-4388-8dc4-5e7b7827519a.vbs"
        24⤵
        
        PID:1964
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14d2cdf6-1fa9-4b4a-b837-b2b02d243999.vbs"
        26⤵
        
        PID:2744
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdcb539e-2adb-4d62-9925-b1c869f4d0a0.vbs"
        28⤵
        
        PID:1532
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8095e7d3-f008-4459-97c6-6291f1488b0f.vbs"
        30⤵
        
        PID:4560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8c7989d-387f-4536-b998-06c0608778e8.vbs"
        30⤵
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b3f9c1-72fc-4398-9448-1bca326e6f02.vbs"
        28⤵
        
        PID:312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5390524-3fb2-48f8-b3c1-a685716626d9.vbs"
        26⤵
        
        PID:4604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de03ac9e-7cad-49da-8a80-2903466621a4.vbs"
        24⤵
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\039e62b1-fd54-4879-a243-8eaba7949d8a.vbs"
        22⤵
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c26fb6af-9676-4f3b-bce9-e996394dd01f.vbs"
        20⤵
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fe55e78-d3fa-43bd-b4c6-d09137856570.vbs"
        18⤵
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f6fcc63-2b31-431c-b5df-c9292b8bcd14.vbs"
        16⤵
        
        PID:4108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\624e382a-f6e7-4372-9a82-0794c94f51e8.vbs"
        14⤵
        
        PID:5572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7064594-792e-4a3e-8516-32b278efdd57.vbs"
        12⤵
        
        PID:5068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a74340e8-3ea4-4647-b771-0fa8f134d537.vbs"
        10⤵
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b3f0e84-0b21-4f6b-a113-23d00be29e38.vbs"
        8⤵
        
        PID:5104
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\282e6813-cad9-456e-92a8-8cb9abbacf8b.vbs"
        6⤵
        
        PID:5800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b79788a-7433-4e76-9797-bf25b63d6327.vbs"
      4⤵
      PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Temp\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Temp\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c413710" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c413710" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\4d7dcf6448637544ea7e961be1ad\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\4d7dcf6448637544ea7e961be1ad\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\actionqueue\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\explorer.exe

Filesize
1.6MB

MD5
3460086ec800f981300049f405f07ab7

SHA1
6e642473448a705bfa2a9d9d54d1b0fdd88ed791

SHA256
03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371

SHA512
f7c9ac03a980ee2dfda8cb7e94a01375c326c32be75c628a9848409f2e621f69965b28fec3f8851cedb122c16aa66f8cb29dc92816ba0c83270a09b876828f88

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe

Filesize
1.6MB

MD5
f45f243eb3ddec7c609574cd2e7468bd

SHA1
6562dd7195267e8c500c5ebce54e5106015a5f6a

SHA256
ca6418ff1fb7ff3bc7e19b9ba8b344d3aa51261351432fe98634af5771fe0548

SHA512
c3d7914aa087592c9d60da1ac675f3c1d75f2114d29404c4b48facc16470a9bb5952e3c65367ba99f0542165bb7bf8adbcb22785b70c96fc09848f0df647779c

Download Submit
C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe

Filesize
1.6MB

MD5
4a0291caaac6141fedd5638ae108534a

SHA1
1605a460050be89c958eed446e6ed260c45023db

SHA256
038f3c55500c72dfc1efa9df7c5cb691fe2d40778ee034fad7cdfa1ccd7813c9

SHA512
52cce4fd0857aba1aa61b1188a06e9b49143adbd3287b9595ba1b768f0d22ab6df221a09a881ba771890684a0bc89b27e96b1361d00ab38c641ad169a5bfa128

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe

Filesize
1.6MB

MD5
1658e831adc9517d4ce1fe9df1a6c44d

SHA1
21d58aaae0a2aa2de435398701a9e2c1416ec747

SHA256
59bf327228b37190d89b487a479303b7a6725df0f9a97351b0b75fdffd0ef021

SHA512
29720ed0111b19af03a36caecff5454399c345bc817c006b8f81de78d14d8a085e7b4ec9d8ae8952c2fb1a9ef89eb55b8f3587cc84cf8a2db9b476e91774a1f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e10ceaefa38a8a0c7cf27b2938747eae

SHA1
18dd07de4b7d6f6d0fb7e1feebd78f0a93f6c89e

SHA256
d2f2ece67e3314a38df3789214221bbdd06f9f577470b543f6d094b621fba43b

SHA512
84c811e7d313674fff4c24945d275f2aa88380955679bd3a60c7dbde83a370143f3b1b8a677a8b543a571c9069a9262a3f414ff5aff74a283adb81e6321138ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f3d606f9a5f1201bfc1f01c54e842c4

SHA1
f1917e50b557b135953ecbe63e1fc1e675b541f1

SHA256
dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

SHA512
d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c2e67766ebbf9a065d2d6698d1e76a22

SHA1
880bd6eb37a65027fd6b100beb69326469e62786

SHA256
2123e4031ccd3bb8f144c209b0d0b1fc37623a472caa18fa31b6ccf787001120

SHA512
d39497ddd1abb45733a35e4fa7a9958cc736addbd37e18820cc3149b704814e9db4d8146e6737fcb2e3c93c0e945d567d0995c7657e982c574886b29dfdd8a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f68785608a60c0961b2926f9c4d4ff87

SHA1
e90357d9a679b851acf30e5e7aa6f76f2e6d3bb4

SHA256
edeed8daa6363551c6ffe770dc95fc9a767da6a020004c61c8e3d81eccb9d673

SHA512
fa369a235b3d4375e7856e39f42b17fb118fadb0b48fbe71074fa47354d0713662b950142ab5083c01cc850f79bbb0abe154eefe0e754b9b76e8d3b330daf652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Temp\14d2cdf6-1fa9-4b4a-b837-b2b02d243999.vbs

Filesize
707B

MD5
abf4aa4d240c0d8315606d217e7ee663

SHA1
b47945d178af23136b95d280fb73272f03625918

SHA256
b5e4028ce6cb9ae0419ad7ed51fd072eac8d9588d8ca1aeb318ed2173d3b7f7f

SHA512
5931604c4aaaa9451daa6cf86b61f08af93b53953a2a9d8cbf836954496378e73e03c1b4b8657a22205bee2c3de1399da98df8087b0de7968eeccd9e762ade14

Download Submit
C:\Users\Admin\AppData\Local\Temp\25bd3f82-b7b2-40db-acae-b13bd8a0c81f.vbs

Filesize
707B

MD5
a6f9b91186fb4f1b2b1de8991444c6d5

SHA1
c88f3333221531e711ac5f98f2a0682d2ae48f75

SHA256
bff4dbd2e470058f9c145f904ac3c24eb68c327aeada20408710ea9b690b2611

SHA512
02204f3ded2e4eb5c7e14257662068f62732f230bbf49927a17bc945063530491ed3455ca28e47adeb602d1cb8164385fc0fe46ca2ad053ca30947d4f1e3aec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bdcfc09-2e0e-4038-a7df-bcb7d4e083bf.vbs

Filesize
707B

MD5
e9c8d24988406b155cc78bce2eea8af4

SHA1
c12b3b13077990a9010656ae2c930f34ada98ec6

SHA256
86ae02fd8a7bdf3808a25635069d4538bbf85aee30d7ecc57de003a2a1df726d

SHA512
87c4c2c1431d7acad6fff3ed08018188d2cbb180de47a605b648d0564c4ad2e0eb1756438099356fa3ce630a59a8890774b4c49038948b70fe7fdf8c490af8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\70637d2caef85698756d15591ba0b2984e772f68.exe

Filesize
1.6MB

MD5
a157d3bbc681fb48183e7b6d78db1bc5

SHA1
8fe0ff8e60515ec26954f86d995ea8eac4b5597b

SHA256
f43076b341a1321cefad7f5fa8b1c5a31117bdd5ceee520ad974a69e96bba46e

SHA512
2f92aa1d7a190d98a89397bcc585dd50c3d08142d519d5143ca58c64e64248988d5e5c9f0c0cd11e8bdacbd3f0e62e8189830f0b342d790347d40d711981649d

Download Submit
C:\Users\Admin\AppData\Local\Temp\796fe36d-7e87-4cb7-b6aa-2d0646615557.vbs

Filesize
707B

MD5
a742e2e24a1023177f70ebcaee84fb59

SHA1
09fb5d6a0a7652e2ee38902a50c654ee20f1d537

SHA256
2bf57ff99a525885ffc641ba41916d6194c933b0ac6b4ad8e067f1b65460be2d

SHA512
1ea2da6a50d3b84dcc543ced9f8494fcb45600fd202a486a1f9f431098f80a23154603aad8b6821f0636bcd4abfa0690d648033974788388cdcc5eef3f1bbe98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7mEKGU2bzn.bat

Filesize
196B

MD5
d539f516842281ae604078046cb656ba

SHA1
b8b289e4fbc153a0116b12ab4eddf3054710b0e9

SHA256
7c28420af1e17900c193af4a9f80d401b8ff0b12075b11fb2728996b8b06b64d

SHA512
adb0a5f29869a6c94772345a82ed412048771a20a08c35ab08b632020c3053a237720854f2903c677d39a38855fd079bd77ce77ef16542aa186ef487594d7d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b79788a-7433-4e76-9797-bf25b63d6327.vbs

Filesize
483B

MD5
dcfd4b27551f696be564d81b3b9d8bd8

SHA1
f13d2bd7f7f89b67b5c9af968130b8a0c6f20365

SHA256
d2590a82086794fc4482cc2fa12db14322e0d1f24a2eb81dd399c0c625996ae1

SHA512
c8cb1647b483d5e3f9ab37fe91e3ed7bf760a38f5bc36c3e8421e6de99a581c7024a03a086d91d910b1364197f2e9f7a28de7872d20b3246b45a3fc89ea6cf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fced4da-b44b-4f60-8e3e-5ab4e54b7c63.vbs

Filesize
707B

MD5
190518efee5befcb5593796cd52f9f11

SHA1
50d50d3ed6960d8a52e0bfa4630e52dc00c0c430

SHA256
7c989a05335ab5d446d44911da7f4e27c14bed7f08e2edf5d75667fe11aca14e

SHA512
2e1369d9ba5993a54e993d3199d11ca0f2866d9943692b0eb200bad9baef331b1205ac9d419927b7eb53f30bf2615a2b6d3604f3ef8aae0d44585fe7eab402f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5q2ggzus.d4m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8d0bc72-c968-456a-afdb-4d3d2d3c3577.vbs

Filesize
707B

MD5
7ba3ec28e543e3890a8b3b465ae9c8ce

SHA1
7859267bc5ae6b9b281fd508930d20aa8519b01f

SHA256
2c245514be3858a06254b3bd3461d33afd950708f060605112a012ab8ba479df

SHA512
8a7502a162a2d6561db775e3df1fae60f57a6d261782f1be6d2a5e477c46d94e3c5bf8e27f074d6012cf16bfa36a5673cc23ff5a22f1b33039c4417ad0a44048

Download Submit
C:\Users\Admin\AppData\Local\Temp\b22b4d5e-270e-44fb-aa8d-18d478c8d79b.vbs

Filesize
707B

MD5
1d4cac5f2957db6bb99cd20fb67640cb

SHA1
b268ecd82e6adc68f94f433524f3e509f25cb7e4

SHA256
28a6cb1c550a0d614eaafc89d96b94bbf422c23931f07bc5e6e30e0f8310cc5a

SHA512
bbbba230df7912b304cb3b0cc4d8942f30ae4d39a454bfc529def65f75eb273be29ab0ff463d9005047bb6e9d6da98bea5244b9baebe40768ac37552c932055e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c61b96e3-d969-44e5-b7e1-cb90762eb95a.vbs

Filesize
707B

MD5
0f19ce3446c0901808dcde0501e0a3c1

SHA1
9eb999a030d2868745bbc2a3cc8c214a50a4a468

SHA256
37f1cbedd85d2f49fe0dc4e1db0376a6c8f06a232c516b479d3564c52068faad

SHA512
df1ec81545e7ab4870071c48ece101452a933294f071901ab6d025a0b06c563391566f6ec0987d9fad1c4593bd56260572c24aeeb3bb13fb68f88b66953cee33

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6785316-b770-4000-bea1-b0aa3c8191bf.vbs

Filesize
707B

MD5
09a8453bac8ccda2e15c840b263c47f5

SHA1
226ece5e787ac24acb1619b55b7fe91147ae1b50

SHA256
7f83705fcadc7ec84c8b49fea28f241d25c8210f13fe12484472694d1d361a2b

SHA512
3ce656aab07d25351bb477cca7fc45d5ae1ff4f0020132284e501b7bc6e95dd0b405f61e5845ccd1aef32ee483ff1bd10ad52c7a900a93d1a17a76d51567290b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6e8f166-fcee-4388-8dc4-5e7b7827519a.vbs

Filesize
707B

MD5
75da6833eb694785d8b9192fa4d635f0

SHA1
428aef7fe79535cc3052f138739a5c2a33321219

SHA256
c06234090ca5315490e4f8dd8668b1b6df5a3e4f1d40009c933bf26e130dfcc5

SHA512
0337fbfb7e1dd86f2c5eff9326c74583e47f191a5025194e73cae1393800106978a5d91437a2d9e7d3bf1331825878369cde187b564adddb48b6bb8b979ffe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfb2ec3d-adcb-40b3-ae7e-0f00bd4313cd.vbs

Filesize
707B

MD5
45326ea889ad68299bba8ab5262bc41f

SHA1
7ad20b17d68b2759b79a0265cfdc6d6c879d2281

SHA256
44b18b82bcdfb3e2d90061b3e7ec37a8cab56e1329b11a9d6d6108753f7c2a2f

SHA512
3dec2f867bc293240953858728c9c99449e219d11035c8438d4404266448cef365d0780515fd017d32f81bc9a7945cd14dbe02aaaae23fdaf438acad2a9e799b

Download Submit
C:\Users\Admin\AppData\Local\Temp\de591708-71ef-4651-a672-b76d03f09b30.vbs

Filesize
706B

MD5
09844e258880ad8572387b3681198770

SHA1
b6a785cdbd6eef3fecd820955843cfd8c41ccfbd

SHA256
1715d5b580e3aaf3a6edf93db8201d71f66e449a8e93f1767de81592be8c01f9

SHA512
8b17ce179eaaea7820a0259104035d511786c14cf701aa479f4ba7305c634c530e884cbc7e11f48a81c1c5878f42385ab1d9d6aadd6a9b0f5a1744c6c175fb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdcb539e-2adb-4d62-9925-b1c869f4d0a0.vbs

Filesize
707B

MD5
e1b1259bd573d66065156bb98c0ed170

SHA1
5ef7793b6cdf488356b59422474f49faf21f00d8

SHA256
9aad9cd0026bf7c9d1b6e33ce63af673b93f60a7fcb9fc77d43c2873075ab5d1

SHA512
de1e8c8b3a675b74463ec7e216a3f7c0acea69738c04871706dd09b59312bb7c7303848240067564709b59158a0b038be46d00bd67b7cdd1ea667f7d7221b797

Download Submit
C:\Windows\Panther\actionqueue\services.exe

Filesize
1.6MB

MD5
d9181629137b77e7b183b7ff3a18973a

SHA1
453ced54634a0e668919fa53fff5dc2eae5b1c0c

SHA256
2ed4b3bbda4a35ef5b2cdc8a7948db3d062cdd2e50cc53e1b84ead801c9f6ca9

SHA512
6653eb4633811d1a33642ad91b393638cb018e7277fe61fab8d4c1eafa4208da9e2d5c094d03b375c0ee2a2a61aa58a100636a16d70ede1f0850e8dc454c5a4d

Download Submit
memory/976-12-0x000000001BD70000-0x000000001BD7A000-memory.dmp

Filesize
40KB

Download
memory/976-11-0x000000001BD60000-0x000000001BD6C000-memory.dmp

Filesize
48KB

Download
memory/976-1-0x0000000000F30000-0x00000000010D2000-memory.dmp

Filesize
1.6MB

Download
memory/976-17-0x000000001C5D0000-0x000000001C5DC000-memory.dmp

Filesize
48KB

Download
memory/976-15-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

Filesize
32KB

Download
memory/976-16-0x000000001C5C0000-0x000000001C5CA000-memory.dmp

Filesize
40KB

Download
memory/976-14-0x000000001BD90000-0x000000001BD98000-memory.dmp

Filesize
32KB

Download
memory/976-13-0x000000001BD80000-0x000000001BD8E000-memory.dmp

Filesize
56KB

Download
memory/976-0-0x00007FF8159C3000-0x00007FF8159C5000-memory.dmp

Filesize
8KB

Download
memory/976-182-0x00007FF8159C0000-0x00007FF816481000-memory.dmp

Filesize
10.8MB

Download
memory/976-10-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/976-9-0x000000001BD40000-0x000000001BD48000-memory.dmp

Filesize
32KB

Download
memory/976-8-0x000000001BD30000-0x000000001BD40000-memory.dmp

Filesize
64KB

Download
memory/976-6-0x0000000003320000-0x0000000003336000-memory.dmp

Filesize
88KB

Download
memory/976-7-0x000000001BD20000-0x000000001BD28000-memory.dmp

Filesize
32KB

Download
memory/976-5-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/976-4-0x000000001C3C0000-0x000000001C410000-memory.dmp

Filesize
320KB

Download
memory/976-3-0x00000000032F0000-0x000000000330C000-memory.dmp

Filesize
112KB

Download
memory/976-2-0x00007FF8159C0000-0x00007FF816481000-memory.dmp

Filesize
10.8MB

Download
memory/5268-172-0x000001B68BCC0000-0x000001B68BCE2000-memory.dmp

Filesize
136KB

Download