dcrat | 94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
Size

1.7MB
MD5

64f23bf509820aaebdd17acf6ee2215f
SHA1

98a5be357387e3951149c993b0fc3e8753a57709
SHA256

94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1
SHA512

cd068260c8ba60ef50f461677141872f79e3f13c14977bba519a57848f3ec96af4823955f28c7cf0d1ce362f145d59284e6e2a71f33897f7f818eb44c7564f29
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2824	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2824	schtasks.exe	28

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1672-1-0x0000000000E20000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/files/0x0006000000016cf6-27.dat	dcrat
behavioral1/files/0x0037000000014504-76.dat	dcrat
behavioral1/memory/2668-161-0x0000000000B90000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/1728-217-0x0000000000F60000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/1264-229-0x00000000010C0000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/1096-241-0x0000000001180000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2776-254-0x0000000000320000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2892-267-0x0000000001050000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/1360-279-0x0000000001100000-0x00000000012C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2068	powershell.exe
2940	powershell.exe
2096	powershell.exe
2596	powershell.exe
2156	powershell.exe
2392	powershell.exe
2012	powershell.exe
2008	powershell.exe
1992	powershell.exe
1428	powershell.exe
2136	powershell.exe
1920	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	csrss.exe
2044	csrss.exe
1604	csrss.exe
2512	csrss.exe
2688	csrss.exe
1728	csrss.exe
1264	csrss.exe
1096	csrss.exe
2776	csrss.exe
2892	csrss.exe
1360	csrss.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\Writers\Application\lsm.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Windows\addins\RCX6967.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Windows\addins\Idle.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Windows\Vss\Writers\Application\101b941d020240	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCX6203.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Windows\addins\6ccacd8608530f	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCX6202.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Windows\addins\RCX6968.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Windows\Vss\Writers\Application\lsm.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Windows\addins\Idle.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
604	schtasks.exe
1156	schtasks.exe
1708	schtasks.exe
580	schtasks.exe
2852	schtasks.exe
3068	schtasks.exe
2548	schtasks.exe
1816	schtasks.exe
1480	schtasks.exe
1864	schtasks.exe
2892	schtasks.exe
2736	schtasks.exe
2512	schtasks.exe
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1992	powershell.exe
2596	powershell.exe
2012	powershell.exe
2136	powershell.exe
2156	powershell.exe
1428	powershell.exe
2392	powershell.exe
1920	powershell.exe
2068	powershell.exe
2096	powershell.exe
2940	powershell.exe
2008	powershell.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe
2668	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2668	csrss.exe
Token: SeDebugPrivilege	2044	csrss.exe
Token: SeDebugPrivilege	1604	csrss.exe
Token: SeDebugPrivilege	2512	csrss.exe
Token: SeDebugPrivilege	2688	csrss.exe
Token: SeDebugPrivilege	1728	csrss.exe
Token: SeDebugPrivilege	1264	csrss.exe
Token: SeDebugPrivilege	1096	csrss.exe
Token: SeDebugPrivilege	2776	csrss.exe
Token: SeDebugPrivilege	2892	csrss.exe
Token: SeDebugPrivilege	1360	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1428	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	44
PID 1672 wrote to memory of 1428	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	44
PID 1672 wrote to memory of 1428	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	44
PID 1672 wrote to memory of 1992	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	45
PID 1672 wrote to memory of 1992	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	45
PID 1672 wrote to memory of 1992	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	45
PID 1672 wrote to memory of 2596	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	46
PID 1672 wrote to memory of 2596	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	46
PID 1672 wrote to memory of 2596	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	46
PID 1672 wrote to memory of 2008	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	48
PID 1672 wrote to memory of 2008	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	48
PID 1672 wrote to memory of 2008	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	48
PID 1672 wrote to memory of 2012	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	52
PID 1672 wrote to memory of 2012	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	52
PID 1672 wrote to memory of 2012	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	52
PID 1672 wrote to memory of 2096	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	53
PID 1672 wrote to memory of 2096	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	53
PID 1672 wrote to memory of 2096	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	53
PID 1672 wrote to memory of 1920	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	54
PID 1672 wrote to memory of 1920	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	54
PID 1672 wrote to memory of 1920	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	54
PID 1672 wrote to memory of 2156	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	55
PID 1672 wrote to memory of 2156	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	55
PID 1672 wrote to memory of 2156	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	55
PID 1672 wrote to memory of 2136	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	56
PID 1672 wrote to memory of 2136	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	56
PID 1672 wrote to memory of 2136	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	56
PID 1672 wrote to memory of 2392	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	57
PID 1672 wrote to memory of 2392	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	57
PID 1672 wrote to memory of 2392	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	57
PID 1672 wrote to memory of 2940	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	58
PID 1672 wrote to memory of 2940	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	58
PID 1672 wrote to memory of 2940	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	58
PID 1672 wrote to memory of 2068	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	59
PID 1672 wrote to memory of 2068	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	59
PID 1672 wrote to memory of 2068	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	59
PID 1672 wrote to memory of 344	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	68
PID 1672 wrote to memory of 344	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	68
PID 1672 wrote to memory of 344	1672	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	68
PID 344 wrote to memory of 2812	344	cmd.exe	70
PID 344 wrote to memory of 2812	344	cmd.exe	70
PID 344 wrote to memory of 2812	344	cmd.exe	70
PID 344 wrote to memory of 2668	344	cmd.exe	71
PID 344 wrote to memory of 2668	344	cmd.exe	71
PID 344 wrote to memory of 2668	344	cmd.exe	71
PID 2668 wrote to memory of 1440	2668	csrss.exe	72
PID 2668 wrote to memory of 1440	2668	csrss.exe	72
PID 2668 wrote to memory of 1440	2668	csrss.exe	72
PID 2668 wrote to memory of 2752	2668	csrss.exe	73
PID 2668 wrote to memory of 2752	2668	csrss.exe	73
PID 2668 wrote to memory of 2752	2668	csrss.exe	73
PID 1440 wrote to memory of 2044	1440	WScript.exe	74
PID 1440 wrote to memory of 2044	1440	WScript.exe	74
PID 1440 wrote to memory of 2044	1440	WScript.exe	74
PID 2044 wrote to memory of 2004	2044	csrss.exe	77
PID 2044 wrote to memory of 2004	2044	csrss.exe	77
PID 2044 wrote to memory of 2004	2044	csrss.exe	77
PID 2044 wrote to memory of 1040	2044	csrss.exe	78
PID 2044 wrote to memory of 1040	2044	csrss.exe	78
PID 2044 wrote to memory of 1040	2044	csrss.exe	78
PID 2004 wrote to memory of 1604	2004	WScript.exe	79
PID 2004 wrote to memory of 1604	2004	WScript.exe	79
PID 2004 wrote to memory of 1604	2004	WScript.exe	79
PID 1604 wrote to memory of 1536	1604	csrss.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
"C:\Users\Admin\AppData\Local\Temp\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1thxOZSXrp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2812
- - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
    "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbe334fd-6710-4f5c-924d-e9d72fbe6072.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1440
    - - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4d2dbae-7e40-403f-bde4-392e1d9eb4cc.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\321d26f4-823d-4186-a76a-525eec3e1cd9.vbs"
        8⤵
        
        PID:1536
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a79bac80-6819-473b-b3ae-f527c827b8a7.vbs"
        10⤵
        
        PID:2596
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49a1d180-df1a-4045-a991-bf10936ee1b5.vbs"
        12⤵
        
        PID:2888
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd3a2324-4566-4051-a4a1-1d50da487c20.vbs"
        14⤵
        
        PID:2924
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a880415-a102-405b-a1ad-cb76c5991493.vbs"
        16⤵
        
        PID:2320
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d5d87cc-ead2-498e-9681-bb0b3525d1bd.vbs"
        18⤵
        
        PID:2876
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8f2421e-49c5-4be2-b1fe-3977daf92f5f.vbs"
        20⤵
        
        PID:2276
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73e6aae6-5187-4222-ab4a-54b2264bb1a9.vbs"
        22⤵
        
        PID:2348
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\181ff749-8102-4c30-ac36-61825f1230a7.vbs"
        24⤵
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98fe2e09-210c-40ca-8957-ce0b31d0b89e.vbs"
        24⤵
        
        PID:672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60ed1de5-abbf-40f0-8ae9-7b7012d2d6e3.vbs"
        22⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2af7a78a-4a34-4361-92f1-b47bb9a3f58b.vbs"
        20⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28884553-ce9d-4740-af85-8b82df7f08c3.vbs"
        18⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a890215b-9919-4eea-bf84-1264a9f90605.vbs"
        16⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ec83d6b-d939-4b24-b2a7-cbbac406cfcf.vbs"
        14⤵
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a59c2b4d-f794-489d-961c-87dfaea37583.vbs"
        12⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f45c3ee6-4543-455c-95b8-93ba2f8a55b6.vbs"
        10⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a073705-61c4-41cc-ba53-d5aa79adeefb.vbs"
        8⤵
        
        PID:2636
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99390eed-162c-4e49-9dfb-0a961cdb5609.vbs"
        6⤵
        
        PID:1040
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90b8f49c-6371-42cd-9a79-f4e8cd8cd54a.vbs"
      4⤵
      PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\Application\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\winlogon.exe

Filesize
1.7MB

MD5
9501d3d099a34b274ba5f88f31b522ce

SHA1
15e986be7a56cfd4614e68d630b1caa0b9f81d33

SHA256
dd95035685c80ab94164391eeff89bffd01db1d07268407d92070797a621b71a

SHA512
56051ee723364659dbd31f6aaf88aab4d7e6aff8ba5e8f2f37a6bad62b19fa50f6616d514cbff186d98286b285cb382f1b580254ee84e40c64a2acf006c3cc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\181ff749-8102-4c30-ac36-61825f1230a7.vbs

Filesize
748B

MD5
719fd8f8afb373dbc3d4f18630d3ee05

SHA1
ba136c8194da3a0d57a7c875f97cfdc1599a31fc

SHA256
7a986af811b4934b199bf7b68b8e2da88a4f10ee90a082a5dc67cfeb84d8dad1

SHA512
e92c6fa4be085e438657432a56dcb9e4786084f97391adf56db57102c7efd2ea9cae05922e19644de44370418cd644b98d34b51070d6ee04993151c44e7c060f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1thxOZSXrp.bat

Filesize
237B

MD5
9a26f6ec5d99b95df7542caceeb35f8a

SHA1
5555e3dbcb4f28b3f244f76c956d45663be45d9f

SHA256
bcf2fa30bb642290fcc8979ef2e8f3a5119648f375f0f64608faafdbb344086a

SHA512
0d3b5c3a122a7ae2a14ba6887d807ce9b80cb978463a1a44814053d4d7d08f40f243ec63dde2a05f2cf5a03179d10c130587f59ecc2d3e97b479bee4e8a96b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\321d26f4-823d-4186-a76a-525eec3e1cd9.vbs

Filesize
748B

MD5
448ad3666b094ddf22f654a78309dce6

SHA1
bc8fb244b675918865e5a2147a9f89af52b63da8

SHA256
a05bbe585bbaf675127332ae08c9a11ae7b0ddb18d0d29113987348bd547883e

SHA512
b67f450c0adf24c1b145e58dedc6462e39ad57df6c143ae1ab10110c028248aefdca3273fdb2b54208af2330650db466ab626af6c0888f7da8a6b65a8a94ec61

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d5d87cc-ead2-498e-9681-bb0b3525d1bd.vbs

Filesize
748B

MD5
de56c98931031285432db594782d22a8

SHA1
41d59e15f070203ae6bc719dc42be8cf6ca569ea

SHA256
d1f7ea394f7b29b97c4faf0cb2e3cbcec2aca2f1bbf9c1e2a3c83570adc414c8

SHA512
407ee331a5534d3266babbd0d91f1793207e72131a62e8a9575849898052d295e5f7d1cba8aaba2901f382594fc3977564ba4a89494ad6e3543515d1de17ee69

Download Submit
C:\Users\Admin\AppData\Local\Temp\49a1d180-df1a-4045-a991-bf10936ee1b5.vbs

Filesize
748B

MD5
46d736f043c3fe7226da0660c9e416bd

SHA1
aaec9ef434d7665274ff82b777260ad7679b392d

SHA256
81a6799c1072d0797fd06d46627a74bcd89ea8a7a62dc07fd0f139dc83eb1d38

SHA512
6d2e6ca8197bae9b5b0d855d5e8cbd1655c3113e9964ec671395d47ad8d4e1436af7c2a4f3fd1b00bf3d7a70c254e77a4a07087751d90b16dbc894cde9bfc99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a880415-a102-405b-a1ad-cb76c5991493.vbs

Filesize
748B

MD5
0c4c942be6671ae40be12aee7092177b

SHA1
f2963a0373d4a1ccc23d7ceee611b0ce4c411db8

SHA256
2ebf6d53691f7890baf3242d290e768c3d77ca57c35fafced22491817a5e19f9

SHA512
a306d9cb62dc2d8db3048f78f652f4830716c05484ea6263f145bbdc3bfe2ede499a6ab60edcbc05c24d09b1575487b2fdd5b28ac59ff96a6b8e0d33d5eff83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\73e6aae6-5187-4222-ab4a-54b2264bb1a9.vbs

Filesize
748B

MD5
e2a4827f5795ce6011d91ac716105d79

SHA1
acc6103a59c9bcfa1485ddb083dc1b8b34d48056

SHA256
9c91299adb6205846fcd28f2e7d9007f0f7572c2daa34d2afe82763eaa1e5df5

SHA512
a17a72366c0e57d5c8cf0500dc834446c62762ec7d0df385d0cafcc6c9941af5ac9e7f9bb44481b063044b90879382f351fede3887d15425bc0dccee32030a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\90b8f49c-6371-42cd-9a79-f4e8cd8cd54a.vbs

Filesize
524B

MD5
4f64744f9c2b2baf364deda638925a43

SHA1
e977770e5f94a2e73a5bc374c9a3ea6ae83cb833

SHA256
0fe90f4c5e90c6dc87d18742fdcb96f29a11fad6885408a5922885c5871971bc

SHA512
5dfc808abfb896d1af3921489560270c6c4c93098b876b630a9d9b12ddcaa6d370a0e8b70c0a1aaeaeecfef72b74ffcf664d8073410503935051857ac58b6388

Download Submit
C:\Users\Admin\AppData\Local\Temp\a79bac80-6819-473b-b3ae-f527c827b8a7.vbs

Filesize
748B

MD5
22cebe505226dd6b0bae0ea98d6df171

SHA1
0fc8c3998812dcd645dd6f2a14741096c688ef5d

SHA256
fbde2cd9ac09cc4039b213a48f848e2e22f3edc8ae70a11089cfe3d36aa96759

SHA512
6615a52f92f89f1040e02d71d0959d4859820084f3e8aa9bd3c4386b8acee25770a12794c31273ae32b2ff1a07318fd92bae54c1bf64ef2b3f5c26593c9e5083

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4d2dbae-7e40-403f-bde4-392e1d9eb4cc.vbs

Filesize
748B

MD5
02aa82cc0373f19ede62e5ef8f9ed723

SHA1
e0e1501686d5144f90196314a89267e1f21687e7

SHA256
d49b4324395bce18effaea735501a003ee4ac748f70bc9ff78f85dc5e666bfc3

SHA512
1f0910959ec901b9c17d97246030b8bbc47103221983db995a0ba719a2366ec5cd0c7e683c019a8dab0d5148c08213d6a84b52a2e35750e2fd924fb5a29b48b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbe334fd-6710-4f5c-924d-e9d72fbe6072.vbs

Filesize
748B

MD5
d9326d3d68508a10357091e4aa480d02

SHA1
12261911fd6212ab165c6ea6b2d9311971fa358a

SHA256
44154f8ed524ab7a670ff9bd191f6d2012675eda1a6afd080dd215c57b397b5e

SHA512
e2274c719d3864fe382a6a60a5c65adf3e40e9f14adf45f12566afa081aa52f22d7036c63b1f888ef558657ecbfcc575db28bf1e69097ab8ae90511d24fe408f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd3a2324-4566-4051-a4a1-1d50da487c20.vbs

Filesize
748B

MD5
5b6686a3e14da6a2b112593fd542626a

SHA1
da439d2c76e5ae44635d987326df03199d7d950a

SHA256
4b759c4370e0dc8126fa575fea47fd4b868280e85c307ef8968122a3c098faaa

SHA512
010599da1ef3ab1ddde31dcc13c6b4024222a659c9487f571791cbd9a2149f11a8f08dc658f24312b7b6068944a8735de6a4b9cd78c81825dbd762cca453e05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8f2421e-49c5-4be2-b1fe-3977daf92f5f.vbs

Filesize
748B

MD5
58b7c777dbbec82dd8bff106d27a4b90

SHA1
bd1f14b6d5431376e88afbf64eb9e6ba4fef6055

SHA256
7684d938929f9d9156830507563f965b42d1e35bc481536450e963b3fb9d40ef

SHA512
1d1999d3568945bb8d35f4e19f29f9ea57e8ea32ce8dda6234b2110c5d4656ea26adcb4fbf45e1c4fe3d8a41da8019919af31463e8ac9a8eb6db8328f77e859e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
58d9288974a549ae2f5384f68fe4adf0

SHA1
175c60eb607a82afa20e14bab57b007fe606f79e

SHA256
4fd9d58fcaba517742470c5c54acabd0ba38ae6958f528bcafc88174a83811d3

SHA512
56b92455cb37387cec13730f20bf85ef5b5e4b77cece59e0b9568c61a0f5ad6a91014a95d68335d6f3a2d37bd1f713fd4b1ffca7878d6eceede726601a4d0f95

Download Submit
C:\Windows\addins\Idle.exe

Filesize
1.7MB

MD5
64f23bf509820aaebdd17acf6ee2215f

SHA1
98a5be357387e3951149c993b0fc3e8753a57709

SHA256
94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1

SHA512
cd068260c8ba60ef50f461677141872f79e3f13c14977bba519a57848f3ec96af4823955f28c7cf0d1ce362f145d59284e6e2a71f33897f7f818eb44c7564f29

Download Submit
memory/1096-241-0x0000000001180000-0x0000000001340000-memory.dmp

Filesize
1.8MB

Download
memory/1096-242-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/1264-229-0x00000000010C0000-0x0000000001280000-memory.dmp

Filesize
1.8MB

Download
memory/1360-279-0x0000000001100000-0x00000000012C0000-memory.dmp

Filesize
1.8MB

Download
memory/1672-12-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/1672-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1672-20-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-1-0x0000000000E20000-0x0000000000FE0000-memory.dmp

Filesize
1.8MB

Download
memory/1672-105-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1672-17-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/1672-16-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/1672-15-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/1672-14-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/1672-13-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/1672-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1672-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1672-9-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/1672-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1672-8-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1672-7-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/1672-6-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/1728-217-0x0000000000F60000-0x0000000001120000-memory.dmp

Filesize
1.8MB

Download
memory/1992-123-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/1992-110-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2668-162-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2668-161-0x0000000000B90000-0x0000000000D50000-memory.dmp

Filesize
1.8MB

Download
memory/2776-254-0x0000000000320000-0x00000000004E0000-memory.dmp

Filesize
1.8MB

Download
memory/2776-255-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2892-267-0x0000000001050000-0x0000000001210000-memory.dmp

Filesize
1.8MB

Download