dcrat | 2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Size

1.7MB
MD5

b2b9f784a9e98c98a8ddd644eb168fa6
SHA1

9e8c68675777a2718322ae626a5187d95e9d5210
SHA256

2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c
SHA512

d17d6ab45e162319bd30511019f7befa54e8aa245497d7bbc868043f851fbddbc5fb4aeb20f93aadc3e690c4a6b301ff763055513e5eed6e78f087610360f681
SSDEEP

49152:/+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvD:STHUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2484	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2484	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2128-1-0x0000000000E80000-0x0000000001040000-memory.dmp	dcrat
behavioral1/files/0x000600000001707c-27.dat	dcrat
behavioral1/files/0x0008000000012118-57.dat	dcrat
behavioral1/files/0x0010000000016210-104.dat	dcrat
behavioral1/memory/1100-138-0x0000000000DC0000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2280-201-0x0000000001210000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/3056-235-0x00000000000C0000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1380-248-0x0000000000A90000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/316-261-0x0000000000140000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/848-273-0x0000000000CB0000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/1356-297-0x00000000013C0000-0x0000000001580000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2344	powershell.exe
644	powershell.exe
276	powershell.exe
1144	powershell.exe
1756	powershell.exe
628	powershell.exe
1556	powershell.exe
1392	powershell.exe
1900	powershell.exe
1244	powershell.exe
940	powershell.exe
2832	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Executes dropped EXE 10 IoCs

pid	Process
1100	winlogon.exe
2280	winlogon.exe
2896	winlogon.exe
2152	winlogon.exe
3056	winlogon.exe
1380	winlogon.exe
316	winlogon.exe
848	winlogon.exe
2420	winlogon.exe
1356	winlogon.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\es-ES\cc11b995f2a76d	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXB981.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXB982.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCXC6F5.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCXC6F6.tmp	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Common Files\Services\1610b97d3ab4a7	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
2152	schtasks.exe
604	schtasks.exe
2864	schtasks.exe
2868	schtasks.exe
2336	schtasks.exe
2624	schtasks.exe
1484	schtasks.exe
2824	schtasks.exe
2964	schtasks.exe
524	schtasks.exe
1304	schtasks.exe
264	schtasks.exe
1652	schtasks.exe
340	schtasks.exe
2884	schtasks.exe
2748	schtasks.exe
2668	schtasks.exe
2732	schtasks.exe
2396	schtasks.exe
936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
1144	powershell.exe
1756	powershell.exe
1900	powershell.exe
644	powershell.exe
1556	powershell.exe
628	powershell.exe
1244	powershell.exe
276	powershell.exe
2344	powershell.exe
940	powershell.exe
1392	powershell.exe
2832	powershell.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe
1100	winlogon.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
Token: SeDebugPrivilege	1100	winlogon.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2280	winlogon.exe
Token: SeDebugPrivilege	2896	winlogon.exe
Token: SeDebugPrivilege	2152	winlogon.exe
Token: SeDebugPrivilege	3056	winlogon.exe
Token: SeDebugPrivilege	1380	winlogon.exe
Token: SeDebugPrivilege	316	winlogon.exe
Token: SeDebugPrivilege	848	winlogon.exe
Token: SeDebugPrivilege	2420	winlogon.exe
Token: SeDebugPrivilege	1356	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1144	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	52
PID 2128 wrote to memory of 1144	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	52
PID 2128 wrote to memory of 1144	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	52
PID 2128 wrote to memory of 1756	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	53
PID 2128 wrote to memory of 1756	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	53
PID 2128 wrote to memory of 1756	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	53
PID 2128 wrote to memory of 628	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	54
PID 2128 wrote to memory of 628	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	54
PID 2128 wrote to memory of 628	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	54
PID 2128 wrote to memory of 1556	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	55
PID 2128 wrote to memory of 1556	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	55
PID 2128 wrote to memory of 1556	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	55
PID 2128 wrote to memory of 1244	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	56
PID 2128 wrote to memory of 1244	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	56
PID 2128 wrote to memory of 1244	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	56
PID 2128 wrote to memory of 940	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	57
PID 2128 wrote to memory of 940	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	57
PID 2128 wrote to memory of 940	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	57
PID 2128 wrote to memory of 1392	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	58
PID 2128 wrote to memory of 1392	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	58
PID 2128 wrote to memory of 1392	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	58
PID 2128 wrote to memory of 2832	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	59
PID 2128 wrote to memory of 2832	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	59
PID 2128 wrote to memory of 2832	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	59
PID 2128 wrote to memory of 2344	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	60
PID 2128 wrote to memory of 2344	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	60
PID 2128 wrote to memory of 2344	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	60
PID 2128 wrote to memory of 644	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	61
PID 2128 wrote to memory of 644	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	61
PID 2128 wrote to memory of 644	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	61
PID 2128 wrote to memory of 276	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	62
PID 2128 wrote to memory of 276	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	62
PID 2128 wrote to memory of 276	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	62
PID 2128 wrote to memory of 1900	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	63
PID 2128 wrote to memory of 1900	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	63
PID 2128 wrote to memory of 1900	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	63
PID 2128 wrote to memory of 1100	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	72
PID 2128 wrote to memory of 1100	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	72
PID 2128 wrote to memory of 1100	2128	2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe	72
PID 1100 wrote to memory of 2568	1100	winlogon.exe	78
PID 1100 wrote to memory of 2568	1100	winlogon.exe	78
PID 1100 wrote to memory of 2568	1100	winlogon.exe	78
PID 1100 wrote to memory of 688	1100	winlogon.exe	79
PID 1100 wrote to memory of 688	1100	winlogon.exe	79
PID 1100 wrote to memory of 688	1100	winlogon.exe	79
PID 2568 wrote to memory of 2280	2568	WScript.exe	80
PID 2568 wrote to memory of 2280	2568	WScript.exe	80
PID 2568 wrote to memory of 2280	2568	WScript.exe	80
PID 2280 wrote to memory of 1616	2280	winlogon.exe	81
PID 2280 wrote to memory of 1616	2280	winlogon.exe	81
PID 2280 wrote to memory of 1616	2280	winlogon.exe	81
PID 2280 wrote to memory of 2480	2280	winlogon.exe	82
PID 2280 wrote to memory of 2480	2280	winlogon.exe	82
PID 2280 wrote to memory of 2480	2280	winlogon.exe	82
PID 1616 wrote to memory of 2896	1616	WScript.exe	83
PID 1616 wrote to memory of 2896	1616	WScript.exe	83
PID 1616 wrote to memory of 2896	1616	WScript.exe	83
PID 2896 wrote to memory of 1900	2896	winlogon.exe	84
PID 2896 wrote to memory of 1900	2896	winlogon.exe	84
PID 2896 wrote to memory of 1900	2896	winlogon.exe	84
PID 2896 wrote to memory of 1860	2896	winlogon.exe	85
PID 2896 wrote to memory of 1860	2896	winlogon.exe	85
PID 2896 wrote to memory of 1860	2896	winlogon.exe	85
PID 1900 wrote to memory of 2152	1900	WScript.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe
"C:\Users\Admin\AppData\Local\Temp\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
  "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3c7d874-8fa1-4a40-940e-e7ca6f6deab1.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
      "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38fc1fa2-1daf-409d-abae-f521d24bf0aa.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27c3debd-728a-4a23-9507-df93402b95ec.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aff0acf0-287c-4374-ad6c-9fdb9917c7e9.vbs"
        9⤵
        
        PID:2724
        
        C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dcde689-1451-4357-b76c-aa3c64047c67.vbs"
        11⤵
        
        PID:2980
        
        C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fe56640-e6f0-463d-b283-83733dd2c66f.vbs"
        13⤵
        
        PID:1512
        
        C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2efc7abc-1915-41e4-8f33-ca773ae325c9.vbs"
        15⤵
        
        PID:1616
        
        C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255fbde3-b5fe-4f6f-82ca-ff43b01faa83.vbs"
        17⤵
        
        PID:2620
        
        C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02503f26-6861-4538-8c49-769fcd1f066a.vbs"
        19⤵
        
        PID:2140
        
        C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de503e17-b5bd-4807-b6d0-63ffc420738b.vbs"
        21⤵
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68940d40-9796-4af3-a0b7-1ab5359b7675.vbs"
        21⤵
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69ba5e39-ac9e-4da7-b861-bb84bd53082d.vbs"
        19⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e8a049b-db27-452a-91c8-de80a1c875c4.vbs"
        17⤵
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8696b172-8ad0-49bd-b6e7-b83413eb7b31.vbs"
        15⤵
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91025c59-fba4-4ae8-9273-f1db3974f26c.vbs"
        13⤵
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\457ae2d6-3577-46b5-954a-f0c740895a63.vbs"
        11⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\617cfef4-7f59-4eb3-b97c-af85091b0df5.vbs"
        9⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ada6534-297b-4729-807f-eb45b8dbcdd9.vbs"
        7⤵
        
        PID:1860
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1257f07c-5a49-4911-8356-018df2dbb9d6.vbs"
        5⤵
        
        PID:2480
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87075e5b-136e-4b6b-9c15-35abde5b9cc7.vbs"
    3⤵
    PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c2" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c2" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\csrss.exe

Filesize
1.7MB

MD5
a3f60da69a6f3056fef496a48f232480

SHA1
87d4b8a59cae888e332bc66050933489e82c0784

SHA256
d67e6f5f24343580962d5d26946ecfb8d8d0863dd39df18f1e34875323f87e2c

SHA512
17b25480e08c9e25d26c2ec07576d6cf0d1173e3153711953573ef3dd5511a8209a04e56755af0901007797cb088936d6761a473f99de395b29418b601f38796

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.7MB

MD5
b2b9f784a9e98c98a8ddd644eb168fa6

SHA1
9e8c68675777a2718322ae626a5187d95e9d5210

SHA256
2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c

SHA512
d17d6ab45e162319bd30511019f7befa54e8aa245497d7bbc868043f851fbddbc5fb4aeb20f93aadc3e690c4a6b301ff763055513e5eed6e78f087610360f681

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\2a333680193e6b3f1847902f8de41cb85892e0bce4460a39cef5226ac89c4d1c.exe

Filesize
1.7MB

MD5
84d8b1b6c7d3c040c70b873bf3e6f37b

SHA1
908720c0f402e9c3df8814af5fec5ae3a711c784

SHA256
98144ce7eb69998e14a7eecb57e34e106760af271db7ac81d9aa0892c90d1bb4

SHA512
7851e20b143fd91382ec502e184ff777f866bc3102574b5fe2d4d2d5f5a2dc9685c403fb6d189817a9fbee10ce6e710529c0f067fa8413f98cf78ad5f0fd748e

Download Submit
C:\Users\Admin\AppData\Local\Temp\02503f26-6861-4538-8c49-769fcd1f066a.vbs

Filesize
735B

MD5
0a0f721069b51a1eb63991ef1b4f91ef

SHA1
7cf96f585598c1ed39875e8f6ea6bc920177f746

SHA256
2bba954692baa1a4fface349e07fcbe5b6ba40f79296229ca772bd38aa9b6d5d

SHA512
0a529ce51118fc7eaf3d38ba18add4e4b8cb04783545ead7c9ab2642ea0d9a3809a88188847a9b49f593d928b7a83b5f9636cbe15471cbf35841ebae4df86681

Download Submit
C:\Users\Admin\AppData\Local\Temp\255fbde3-b5fe-4f6f-82ca-ff43b01faa83.vbs

Filesize
734B

MD5
874aa67cc1450de16608e5516c0e0904

SHA1
406664febdb8d3919e5f49b0a8440a95080c868d

SHA256
4eda31bbe7bfea5b6522d8c5d6228ef8b2e1f5e2f6f8a73b2c5ab2938ef94a72

SHA512
b032564bdfede8d6c74e5e4c0673622c0e716685636fb3504dd4418d58a7060f809c80e152fd9f0b23a025968bfadaea35882345da2637b0f17f33f0f12b5d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\27c3debd-728a-4a23-9507-df93402b95ec.vbs

Filesize
735B

MD5
79289b9eff3ccde025781434396d2253

SHA1
554dd6dda18f1beddfa10e5dbf285195ee48fcae

SHA256
dbcca01f08238bac8b67e7b15be411f499591bf7dcecad20197b3c0c277503f2

SHA512
d1af0832f12eeb69e667c92a52ece75f4823ef4f284b2770ab6000e4912d67f7bf87f611568eb91270e3b13d811b458a9f8e12aace9a8131d8b971287010b8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2efc7abc-1915-41e4-8f33-ca773ae325c9.vbs

Filesize
734B

MD5
7737a05f98638e1c77a12777149c1609

SHA1
763c74507a5f234b9b7c83e95c0629fa1152d3c7

SHA256
a6fa013ecb5a69d8e5856a54b38d0a613822d277bdb49fb6c69b57f35695befc

SHA512
54dbad53fef1a560192c145d8e14166be9cbfcf53a7b607347027a7ef9c1cc67512ac27c456f2b8cb6bf5c659c00071083ebd5335a95d5deb10a7b2068eef1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\38fc1fa2-1daf-409d-abae-f521d24bf0aa.vbs

Filesize
735B

MD5
0d5e3b2aa95f3e8305fc9b2c721c9b47

SHA1
cf8adfcf36b0a825165bd10dbbbf14f46632348b

SHA256
bdbef2881f67678d862de94814f46718d15b70904d58809d752a3f3922e9be10

SHA512
c32af92bf908a92abb1a578f0534077f16487f67a454e733d519b875d8bf8fc8b083fa0cf9a13a13bedf1a0def82f0e87f8c03b4151aed3a961b4855c05f98b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\87075e5b-136e-4b6b-9c15-35abde5b9cc7.vbs

Filesize
511B

MD5
49e6c861b70381c38c8c68769a3062d0

SHA1
4ddef12e7540852864d5a5b6259cb621d01e9ce6

SHA256
756efacb345b07d33039f880c90fbce603ca0c94341580472453bf0821ac7b1e

SHA512
a1e503264405205b25392c664d907a3d5e15f1cea62bbfb0a960c39ff3e4851280a5f07a3d1912797811e3d83094bf54f60616d93e0b20dc0df82e6ddc678f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dcde689-1451-4357-b76c-aa3c64047c67.vbs

Filesize
735B

MD5
8647bda9de18b20072c70ecdd86c20aa

SHA1
c4ddbd77c0ca081fea06ab1a5792f1c3bf44ce27

SHA256
b23f8d38710536b065d5610624c03c00e75560e61e39689b1d92f9db2eb801df

SHA512
3327dafdbb16eea343bf5654d2689e2d84b11e8da4230ae4959753996839fbeff5509e114df8e2d7fd84b87e4b8fb2c675fc318afc6318d3b01632a6049ab1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fe56640-e6f0-463d-b283-83733dd2c66f.vbs

Filesize
735B

MD5
c05c11d7385a4b70653de1ba8682853a

SHA1
83b099e83876187f40f5ccb716a34a410e0b85fc

SHA256
7ae1f1121c861bd77b3468ffc8a8b56de8754e3cd24e30a2f45e9292d955da2c

SHA512
80d836d40bf340c9cbb3c230b05e6258a9713e79b6a799cafdd6e492aec9f5615eee040444c7e9805687af5280087d57c095e9a9cb5d54951aa83225378f9172

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3c7d874-8fa1-4a40-940e-e7ca6f6deab1.vbs

Filesize
735B

MD5
79e05c3ef34d2284332e0773117856dc

SHA1
37b9d10d6ae879f774f832ebdb2049c39281481d

SHA256
0d9ddcd7ce903ec59d1f19b7f79d532e8353faca824032195d70ba4e84889a99

SHA512
7d0df756e7bd23153c5ca0b7dc78473c0b56c2688339d12569b87b69dc8a27daf2299b4c3e68c36e33537a9478feebee191b8b50977df9a6882f784b3b9298d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aff0acf0-287c-4374-ad6c-9fdb9917c7e9.vbs

Filesize
735B

MD5
fec47bc4840f3c1311a412b25e00840b

SHA1
8f7427e2cb68b09a86aa77946d81563d9479a902

SHA256
f8dd7ec054270bd7b7f51773e794da1134ed55d29cdc9ecd70e0e3350ce8a832

SHA512
ef2b6413cedeae21cc9e90590c3bfc126ed97502de7b5bfbf9a4f037554033f9f6f4e5123f986a2e430af2ef307cab4b48c90019ffac6920e62a47ae9363d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\de503e17-b5bd-4807-b6d0-63ffc420738b.vbs

Filesize
735B

MD5
db47835eedadad8444538d8437a08903

SHA1
1a35132d1a5b776eadabffd6205c69569563e0ef

SHA256
19bdcf52ceb6b0f10a83793e382c6c217c8b02eade3d26c0b5d0eb8fe70a7fec

SHA512
2f8c09be3f5393eec734ac43e1cbf682d50c71f21603478115cf3c92b9479e97da0e88c93782aebf87adbb1b2f309d40e1ce6fdb479c37eab038d9f0c707713b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1f55c007fce9aa1dc59c12f9ebe3bea6

SHA1
5d453f41a0ff950a7137a40ae7c6ac99c5527540

SHA256
e0f1b4e5288fb9a5127386435b4e7eb0838eb5b5092dd8499d0c90c446c7a8e0

SHA512
fdb38448219783a7acf01c154de78a5ff5f373f66fb7dffe33220bb02c35d681ffbd6c2fc09e6d48e6940bf32339ad1e485c75cb89fddb8c030973ed25897dc3

Download Submit
memory/316-261-0x0000000000140000-0x0000000000300000-memory.dmp

Filesize
1.8MB

Download
memory/848-273-0x0000000000CB0000-0x0000000000E70000-memory.dmp

Filesize
1.8MB

Download
memory/1100-138-0x0000000000DC0000-0x0000000000F80000-memory.dmp

Filesize
1.8MB

Download
memory/1100-190-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1144-150-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1144-148-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1356-297-0x00000000013C0000-0x0000000001580000-memory.dmp

Filesize
1.8MB

Download
memory/1380-249-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1380-248-0x0000000000A90000-0x0000000000C50000-memory.dmp

Filesize
1.8MB

Download
memory/2128-9-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/2128-8-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2128-16-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/2128-13-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/2128-14-0x0000000000A60000-0x0000000000A6E000-memory.dmp

Filesize
56KB

Download
memory/2128-1-0x0000000000E80000-0x0000000001040000-memory.dmp

Filesize
1.8MB

Download
memory/2128-12-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/2128-11-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2128-20-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-17-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/2128-2-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-0-0x000007FEF4FD3000-0x000007FEF4FD4000-memory.dmp

Filesize
4KB

Download
memory/2128-15-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2128-126-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp

Filesize
9.9MB

Download
memory/2128-7-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2128-6-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/2128-5-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2128-4-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/2128-3-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2280-201-0x0000000001210000-0x00000000013D0000-memory.dmp

Filesize
1.8MB

Download
memory/2420-285-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/3056-236-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/3056-235-0x00000000000C0000-0x0000000000280000-memory.dmp

Filesize
1.8MB

Download