dcrat | 4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Size

1.7MB
MD5

17ec06d456ef3bb342d301f1a0e7f5ae
SHA1

da6432e5a3cc4f5c52420e0e4adbbb6c22249071
SHA256

4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261
SHA512

bc434febf5ac6600e40134ea72feeef048b895167701bef85c447776a423d533a120bc1feee1173cdeb8b0a13f8d2bddb2d8200b7ec005f3b8aaad430300de28
SSDEEP

49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:uTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2184	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2184	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2440-1-0x00000000001A0000-0x0000000000360000-memory.dmp	dcrat
behavioral1/files/0x000600000001747b-27.dat	dcrat
behavioral1/files/0x0008000000016d0b-82.dat	dcrat
behavioral1/memory/2776-140-0x00000000000B0000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/1952-214-0x0000000000B00000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/3004-227-0x0000000000340000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2460-239-0x0000000000330000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2428-252-0x00000000000A0000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/356-265-0x00000000000E0000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1036-277-0x0000000001140000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/1500-312-0x0000000000080000-0x0000000000240000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1704	powershell.exe
2216	powershell.exe
888	powershell.exe
692	powershell.exe
1532	powershell.exe
2488	powershell.exe
2176	powershell.exe
1304	powershell.exe
1596	powershell.exe
856	powershell.exe
1684	powershell.exe
2380	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Executes dropped EXE 9 IoCs

pid	Process
2776	dwm.exe
1952	dwm.exe
3004	dwm.exe
2460	dwm.exe
2428	dwm.exe
356	dwm.exe
1036	dwm.exe
1980	dwm.exe
816	dwm.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\smss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\smss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\69ddcba757bf72	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCX6812.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCX6813.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\69ddcba757bf72	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\TAPI\smss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\TAPI\RCX6A18.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\dllhost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\5940a34987c991	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\TAPI\smss.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX5EB7.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX5EB8.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\dllhost.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\TAPI\RCX6A17.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2128	schtasks.exe
2896	schtasks.exe
2876	schtasks.exe
2008	schtasks.exe
1788	schtasks.exe
568	schtasks.exe
920	schtasks.exe
1780	schtasks.exe
2880	schtasks.exe
1736	schtasks.exe
588	schtasks.exe
2428	schtasks.exe
2612	schtasks.exe
2908	schtasks.exe
1140	schtasks.exe
2292	schtasks.exe
2716	schtasks.exe
3036	schtasks.exe
1660	schtasks.exe
2616	schtasks.exe
2112	schtasks.exe
3060	schtasks.exe
2596	schtasks.exe
2536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
1704	powershell.exe
1532	powershell.exe
1684	powershell.exe
2488	powershell.exe
888	powershell.exe
2216	powershell.exe
2776	dwm.exe
1596	powershell.exe
2776	dwm.exe
2380	powershell.exe
2776	dwm.exe
1304	powershell.exe
2176	powershell.exe
692	powershell.exe
856	powershell.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe
2776	dwm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Token: SeDebugPrivilege	2776	dwm.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1952	dwm.exe
Token: SeDebugPrivilege	3004	dwm.exe
Token: SeDebugPrivilege	2460	dwm.exe
Token: SeDebugPrivilege	2428	dwm.exe
Token: SeDebugPrivilege	356	dwm.exe
Token: SeDebugPrivilege	1036	dwm.exe
Token: SeDebugPrivilege	1980	dwm.exe
Token: SeDebugPrivilege	816	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1532	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	55
PID 2440 wrote to memory of 1532	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	55
PID 2440 wrote to memory of 1532	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	55
PID 2440 wrote to memory of 2488	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	56
PID 2440 wrote to memory of 2488	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	56
PID 2440 wrote to memory of 2488	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	56
PID 2440 wrote to memory of 1684	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	57
PID 2440 wrote to memory of 1684	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	57
PID 2440 wrote to memory of 1684	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	57
PID 2440 wrote to memory of 2380	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	58
PID 2440 wrote to memory of 2380	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	58
PID 2440 wrote to memory of 2380	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	58
PID 2440 wrote to memory of 1704	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	59
PID 2440 wrote to memory of 1704	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	59
PID 2440 wrote to memory of 1704	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	59
PID 2440 wrote to memory of 2176	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	60
PID 2440 wrote to memory of 2176	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	60
PID 2440 wrote to memory of 2176	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	60
PID 2440 wrote to memory of 2216	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	61
PID 2440 wrote to memory of 2216	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	61
PID 2440 wrote to memory of 2216	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	61
PID 2440 wrote to memory of 1304	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	62
PID 2440 wrote to memory of 1304	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	62
PID 2440 wrote to memory of 1304	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	62
PID 2440 wrote to memory of 888	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	63
PID 2440 wrote to memory of 888	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	63
PID 2440 wrote to memory of 888	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	63
PID 2440 wrote to memory of 692	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	64
PID 2440 wrote to memory of 692	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	64
PID 2440 wrote to memory of 692	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	64
PID 2440 wrote to memory of 1596	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	65
PID 2440 wrote to memory of 1596	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	65
PID 2440 wrote to memory of 1596	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	65
PID 2440 wrote to memory of 856	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	66
PID 2440 wrote to memory of 856	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	66
PID 2440 wrote to memory of 856	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	66
PID 2440 wrote to memory of 2776	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	79
PID 2440 wrote to memory of 2776	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	79
PID 2440 wrote to memory of 2776	2440	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	79
PID 2776 wrote to memory of 408	2776	dwm.exe	80
PID 2776 wrote to memory of 408	2776	dwm.exe	80
PID 2776 wrote to memory of 408	2776	dwm.exe	80
PID 2776 wrote to memory of 1896	2776	dwm.exe	81
PID 2776 wrote to memory of 1896	2776	dwm.exe	81
PID 2776 wrote to memory of 1896	2776	dwm.exe	81
PID 408 wrote to memory of 1952	408	WScript.exe	82
PID 408 wrote to memory of 1952	408	WScript.exe	82
PID 408 wrote to memory of 1952	408	WScript.exe	82
PID 1952 wrote to memory of 1804	1952	dwm.exe	83
PID 1952 wrote to memory of 1804	1952	dwm.exe	83
PID 1952 wrote to memory of 1804	1952	dwm.exe	83
PID 1952 wrote to memory of 1620	1952	dwm.exe	84
PID 1952 wrote to memory of 1620	1952	dwm.exe	84
PID 1952 wrote to memory of 1620	1952	dwm.exe	84
PID 1804 wrote to memory of 3004	1804	WScript.exe	86
PID 1804 wrote to memory of 3004	1804	WScript.exe	86
PID 1804 wrote to memory of 3004	1804	WScript.exe	86
PID 3004 wrote to memory of 2316	3004	dwm.exe	87
PID 3004 wrote to memory of 2316	3004	dwm.exe	87
PID 3004 wrote to memory of 2316	3004	dwm.exe	87
PID 3004 wrote to memory of 1136	3004	dwm.exe	88
PID 3004 wrote to memory of 1136	3004	dwm.exe	88
PID 3004 wrote to memory of 1136	3004	dwm.exe	88
PID 2316 wrote to memory of 2460	2316	WScript.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
"C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59c54c52-8e18-4a1b-8471-fbb2a9ea2b0d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0f5d309-4d22-41e0-80ee-3a444385055e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4531ac52-ce81-4385-906a-ff8bfe8fd5c5.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58c0341b-e50b-431a-9449-524fbff19f5b.vbs"
        9⤵
        
        PID:3040
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e78a3f1-dbdb-4970-b4a6-ea9a041d42eb.vbs"
        11⤵
        
        PID:2236
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ec72fdc-fd6d-4c11-8b17-3a1567409edd.vbs"
        13⤵
        
        PID:3060
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\400aa31c-0146-4d52-b164-ac7eb117e735.vbs"
        15⤵
        
        PID:2232
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9662be81-b659-4a4e-a019-9be440d79bf2.vbs"
        17⤵
        
        PID:3020
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5ca0790-5311-4439-a494-78877d7f3444.vbs"
        19⤵
        
        PID:2440
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe"
        20⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1faca6c8-0a39-490c-b090-6f280f0b7b79.vbs"
        19⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e24718de-5813-428f-a45c-ba2d9d3534ce.vbs"
        17⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85813a6d-6919-4080-b313-4b4c6da863b6.vbs"
        15⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b5243b-ac8d-45c7-9682-321dac08b151.vbs"
        13⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16373085-4f68-47a4-9e05-9e2302082191.vbs"
        11⤵
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99dd0889-4742-4ae6-adcf-ad39dd2836f2.vbs"
        9⤵
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fcec1f4-6f30-4d3e-8e00-3246afc77fc9.vbs"
        7⤵
        
        PID:1136
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3483ab8a-626d-4bb0-bd67-4e7928395f5e.vbs"
        5⤵
        
        PID:1620
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96abf6ab-e636-4588-80f6-9b157b1d9093.vbs"
    3⤵
    PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
1.7MB

MD5
17ec06d456ef3bb342d301f1a0e7f5ae

SHA1
da6432e5a3cc4f5c52420e0e4adbbb6c22249071

SHA256
4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261

SHA512
bc434febf5ac6600e40134ea72feeef048b895167701bef85c447776a423d533a120bc1feee1173cdeb8b0a13f8d2bddb2d8200b7ec005f3b8aaad430300de28

Download Submit
C:\Users\Admin\AppData\Local\Temp\400aa31c-0146-4d52-b164-ac7eb117e735.vbs

Filesize
751B

MD5
420a170e1d3b098a512620d7026d1ac5

SHA1
6d03e30b82a7d53c37281576ea2e0dc591f2f2e5

SHA256
0fb8afb46de1f76431d08b9fad03dcf8f26a97494ad8bdbbe6965844b7198935

SHA512
c855c86aafc510ad5d04ba6cbb164550fca245624bc787de8116c380cbff086e25d8d49e9c24e504dbdd127c7a3ffb82d18bfa1c4630a30a5496738f9f1f17f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4531ac52-ce81-4385-906a-ff8bfe8fd5c5.vbs

Filesize
751B

MD5
5d6ad6a185fc9359b1d6081e1f9c9472

SHA1
97dc4586b123ac1226befa6386b87f6cc7567721

SHA256
bb0f0765094a2ef8f392b6716316c485c54bc4cc8afbb98cb9552061e268f7a3

SHA512
3a4c8ac7f17fa780c8a8c823d125cb27438f23b3ef1f51069d83915d07d6b92cb10bfc9cbe3be6bcbdc059d22218d12a6813a6024d114cf1be5df2b61d11fbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e78a3f1-dbdb-4970-b4a6-ea9a041d42eb.vbs

Filesize
751B

MD5
762da43212fcceeb41543acedc644b93

SHA1
982241408e404625723d0e953fef023a2253534b

SHA256
d3b93a9439a1a2a4405e3e8294d27c7557c41608825df7772cfa8ee7d08c67ea

SHA512
2d10e8bba93a2ce31b5ea9740600d87cb68943f61e6aa7abf87b8e1bb29a9084acfb64b5ef4012ac9829dddd98b8d9145f2a7b20fb7188f329ffe7404d341417

Download Submit
C:\Users\Admin\AppData\Local\Temp\58c0341b-e50b-431a-9449-524fbff19f5b.vbs

Filesize
751B

MD5
827929ac19aba7b7b32a01e77af5be34

SHA1
ea31371bbafc81d436e9f6c3cbf8a4581f48ebce

SHA256
962bcfc80251d80a0072e80d47813b35956d4c7a9f4a7fd90073364a5351ff08

SHA512
f5609816b979840ccf8c96d1c143c5d36e1f6d302f48633ff584328a43a7fcaa36fd952f80392d02b8f8e2f5c5fec4bff3fdd1979e31b13b3f82819eb2a4838c

Download Submit
C:\Users\Admin\AppData\Local\Temp\59c54c52-8e18-4a1b-8471-fbb2a9ea2b0d.vbs

Filesize
751B

MD5
88b172f91f82dbc4d83477edc363551f

SHA1
d514a235b6652f61ca817756854357ab087e591a

SHA256
e4c218f4081f9967e8fdd66ef909893d307547a6c1699949315a4cfc5b47326f

SHA512
e0f417b3d3dd363371762a733a300de9ea902017a3c378c3159a9b176fc29f5746f2228fbefc254d0cbc8211f147f4fa7e15c0ec6bf5af325caf4453aa6ca6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ec72fdc-fd6d-4c11-8b17-3a1567409edd.vbs

Filesize
750B

MD5
31533c03512bb9e440ae4900fb23ad75

SHA1
f89f8af0401ccdc648b21f5cc3332196e7dff586

SHA256
e35a0df01641753a2e218c318feeb68ddc74ffb6d81487302b1b31193f2bf6ab

SHA512
2cb75f28b10733202a9530de7bf664777ba78557d1cb8bc9d132a1729e1795046baa9405750077e6fb67882a266dbc55d710a555a583fbd3dba3a489f39b6894

Download Submit
C:\Users\Admin\AppData\Local\Temp\9662be81-b659-4a4e-a019-9be440d79bf2.vbs

Filesize
751B

MD5
4d0d8715de6d32cedd35ffb58a030ada

SHA1
e4861598cde25e9882fdbc0403e28dff261066ab

SHA256
021ac2007bcedb7058dc567721ff4c7cc182cc62a687db5a1d5e9a6e8e2a5dc0

SHA512
3f3b227779c9ef921e23a1ba3d46d532f9fa098478f7cef2f17349bc49dd015d90b056292370d8b253d09ff10794fcb95d8e5bded0789fc28f755115e1288739

Download Submit
C:\Users\Admin\AppData\Local\Temp\96abf6ab-e636-4588-80f6-9b157b1d9093.vbs

Filesize
527B

MD5
2eab4f6abfb7fad080b4e3680d9dbfa7

SHA1
49551d2dc66545a23e0c592a08eabab234b98e22

SHA256
18dfb5c852d60a4d472dcc25a1514a3a960238aa0766de2c4f3b99abd6dd4bc2

SHA512
21569c8b8cf8bfc1484ddb217db61fb18cc82c1f5f98ce1f07743bece3ed5f932f98a7ead710158d2fe6684cd982efa9153c1a5e4e6235c52193688bd235ee3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0f5d309-4d22-41e0-80ee-3a444385055e.vbs

Filesize
751B

MD5
e467622c660d931ce2c2430f69ef379e

SHA1
1d8aded53056a84af45930f64d243630cddeb0d4

SHA256
9998ed79a4c77e88387a9f4a970152456a5badd202b3305f04ed5eb9ec023ede

SHA512
5ff34c78250f41f94ca2f38e3d2bf0693c4f6d5d2c3b8321ad256eb7e266188056f8676ec59c90e1cf8bc365057a81f9a0c02856559b9679abe0e68f4ebe4b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5ca0790-5311-4439-a494-78877d7f3444.vbs

Filesize
750B

MD5
aa71a78a7980e06d0a75e940ea4f7630

SHA1
88ec480a0015aa9ac6deb5a10809bc08b5a8fe78

SHA256
b1f7259ebca099a12d44b643af74a34c29eb8b92a83c8ea294d8230b3fb40cfd

SHA512
fe3f7ff8f560a2cda5c5fa39d370e2b12491c409150a74b6c25c31936375fd8b5ae16b05e096aee3c44708969b3e2f3f879222ed0f3a281c52d690042f9948e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\759ZPUEK4PZDJCG1L891.temp

Filesize
7KB

MD5
c126d62f4bf37d108d9690c941dbad1e

SHA1
d60637ce3d38cbab99cb1b41e51aa80404a3f2a3

SHA256
f69d38b0abc14d7527a4b9fff54d56758fbd5246a367f13ae6d6d60766719c8e

SHA512
740f3a120d98db0d76d0de4ed7eb21b2108b1e5e109aa236f7a02741badc0375c96d7d0f8bcd423d554e0098b98dcec36d5f36f049a0e373c9c26fc896ca40f7

Download Submit
C:\Users\Default\explorer.exe

Filesize
1.7MB

MD5
b8fd822e45665223c6008f7d574d8106

SHA1
8c6b88bfce49ba550db2299b43b3d51bfe218414

SHA256
b34aec2689f66abbce062131f02542e62a302c6c25c0547961635c35a0b64b7e

SHA512
76c1ec2e85938ca246e0b8893d3db9305e46b22b5c79639b2337724f661920129d4425fc76bc0df96389f3fa6935019f2f07e62ec8849165aee41776002cb363

Download Submit
memory/356-265-0x00000000000E0000-0x00000000002A0000-memory.dmp

Filesize
1.8MB

Download
memory/1036-277-0x0000000001140000-0x0000000001300000-memory.dmp

Filesize
1.8MB

Download
memory/1036-278-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1500-312-0x0000000000080000-0x0000000000240000-memory.dmp

Filesize
1.8MB

Download
memory/1704-153-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1704-152-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1952-215-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/1952-214-0x0000000000B00000-0x0000000000CC0000-memory.dmp

Filesize
1.8MB

Download
memory/2428-253-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/2428-252-0x00000000000A0000-0x0000000000260000-memory.dmp

Filesize
1.8MB

Download
memory/2440-8-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2440-18-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-1-0x00000000001A0000-0x0000000000360000-memory.dmp

Filesize
1.8MB

Download
memory/2440-15-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/2440-13-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/2440-16-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/2440-17-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/2440-14-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/2440-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-12-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2440-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2440-5-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2440-11-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2440-4-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/2440-139-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-9-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2440-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/2440-6-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2440-7-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2460-240-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/2460-239-0x0000000000330000-0x00000000004F0000-memory.dmp

Filesize
1.8MB

Download
memory/2776-140-0x00000000000B0000-0x0000000000270000-memory.dmp

Filesize
1.8MB

Download
memory/2776-163-0x0000000002150000-0x0000000002162000-memory.dmp

Filesize
72KB

Download
memory/3004-227-0x0000000000340000-0x0000000000500000-memory.dmp

Filesize
1.8MB

Download