dcrat | daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
Size

1.7MB
MD5

9c9f667755228a71dfa3a01557768ec8
SHA1

c6e0a94e9aff6428a253b20ebc888b8337baadf2
SHA256

daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d
SHA512

744754a61e279983e9186924c3ff02ec345e2d87e53bf63bc10b042f54ba18f4a23124a6a67b9bb5c3c40af431ad53160d766426311e217e6f523293bae3732a
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2788	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2788	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2608-1-0x0000000000B00000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/files/0x000500000001a495-27.dat	dcrat
behavioral1/files/0x000700000001a4e7-60.dat	dcrat
behavioral1/memory/1572-144-0x0000000000DD0000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/864-213-0x00000000001C0000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/676-225-0x0000000001300000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/2088-248-0x00000000000D0000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2872-261-0x0000000000B70000-0x0000000000D30000-memory.dmp	dcrat
behavioral1/memory/2444-274-0x0000000000E50000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/980-299-0x0000000000260000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2072-311-0x0000000000270000-0x0000000000430000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1252	powershell.exe
524	powershell.exe
316	powershell.exe
2436	powershell.exe
2440	powershell.exe
2624	powershell.exe
1476	powershell.exe
1628	powershell.exe
2520	powershell.exe
1612	powershell.exe
2260	powershell.exe
2372	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe

Executes dropped EXE 10 IoCs

pid	Process
1572	System.exe
864	System.exe
676	System.exe
324	System.exe
2088	System.exe
2872	System.exe
2444	System.exe
752	System.exe
980	System.exe
2072	System.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXDFF8.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXE981.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXE9EF.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCXEDF9.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\f3b6ecef712a24	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\101b941d020240	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\27d1bcfc3c54e0	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXDF6B.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCXEDF8.tmp	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
2668	schtasks.exe
2952	schtasks.exe
836	schtasks.exe
2528	schtasks.exe
1368	schtasks.exe
2928	schtasks.exe
2916	schtasks.exe
2216	schtasks.exe
1356	schtasks.exe
1872	schtasks.exe
2380	schtasks.exe
2768	schtasks.exe
2664	schtasks.exe
2112	schtasks.exe
1840	schtasks.exe
1176	schtasks.exe
1200	schtasks.exe
2312	schtasks.exe
1656	schtasks.exe
1204	schtasks.exe
2868	schtasks.exe
2760	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
1252	powershell.exe
524	powershell.exe
2260	powershell.exe
2520	powershell.exe
1476	powershell.exe
2372	powershell.exe
1612	powershell.exe
2436	powershell.exe
2624	powershell.exe
2440	powershell.exe
1628	powershell.exe
316	powershell.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe
1572	System.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1572	System.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	864	System.exe
Token: SeDebugPrivilege	676	System.exe
Token: SeDebugPrivilege	324	System.exe
Token: SeDebugPrivilege	2088	System.exe
Token: SeDebugPrivilege	2872	System.exe
Token: SeDebugPrivilege	2444	System.exe
Token: SeDebugPrivilege	752	System.exe
Token: SeDebugPrivilege	980	System.exe
Token: SeDebugPrivilege	2072	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 1252	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	56
PID 2608 wrote to memory of 1252	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	56
PID 2608 wrote to memory of 1252	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	56
PID 2608 wrote to memory of 524	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	57
PID 2608 wrote to memory of 524	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	57
PID 2608 wrote to memory of 524	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	57
PID 2608 wrote to memory of 2624	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	58
PID 2608 wrote to memory of 2624	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	58
PID 2608 wrote to memory of 2624	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	58
PID 2608 wrote to memory of 1476	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	60
PID 2608 wrote to memory of 1476	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	60
PID 2608 wrote to memory of 1476	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	60
PID 2608 wrote to memory of 2440	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	62
PID 2608 wrote to memory of 2440	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	62
PID 2608 wrote to memory of 2440	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	62
PID 2608 wrote to memory of 2372	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	63
PID 2608 wrote to memory of 2372	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	63
PID 2608 wrote to memory of 2372	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	63
PID 2608 wrote to memory of 2260	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	64
PID 2608 wrote to memory of 2260	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	64
PID 2608 wrote to memory of 2260	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	64
PID 2608 wrote to memory of 2436	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	65
PID 2608 wrote to memory of 2436	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	65
PID 2608 wrote to memory of 2436	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	65
PID 2608 wrote to memory of 1612	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	66
PID 2608 wrote to memory of 1612	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	66
PID 2608 wrote to memory of 1612	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	66
PID 2608 wrote to memory of 2520	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	67
PID 2608 wrote to memory of 2520	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	67
PID 2608 wrote to memory of 2520	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	67
PID 2608 wrote to memory of 1628	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	68
PID 2608 wrote to memory of 1628	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	68
PID 2608 wrote to memory of 1628	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	68
PID 2608 wrote to memory of 316	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	69
PID 2608 wrote to memory of 316	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	69
PID 2608 wrote to memory of 316	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	69
PID 2608 wrote to memory of 1572	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	79
PID 2608 wrote to memory of 1572	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	79
PID 2608 wrote to memory of 1572	2608	daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe	79
PID 1572 wrote to memory of 300	1572	System.exe	81
PID 1572 wrote to memory of 300	1572	System.exe	81
PID 1572 wrote to memory of 300	1572	System.exe	81
PID 1572 wrote to memory of 1468	1572	System.exe	82
PID 1572 wrote to memory of 1468	1572	System.exe	82
PID 1572 wrote to memory of 1468	1572	System.exe	82
PID 300 wrote to memory of 864	300	WScript.exe	83
PID 300 wrote to memory of 864	300	WScript.exe	83
PID 300 wrote to memory of 864	300	WScript.exe	83
PID 864 wrote to memory of 2848	864	System.exe	84
PID 864 wrote to memory of 2848	864	System.exe	84
PID 864 wrote to memory of 2848	864	System.exe	84
PID 864 wrote to memory of 1368	864	System.exe	85
PID 864 wrote to memory of 1368	864	System.exe	85
PID 864 wrote to memory of 1368	864	System.exe	85
PID 2848 wrote to memory of 676	2848	WScript.exe	86
PID 2848 wrote to memory of 676	2848	WScript.exe	86
PID 2848 wrote to memory of 676	2848	WScript.exe	86
PID 676 wrote to memory of 2740	676	System.exe	87
PID 676 wrote to memory of 2740	676	System.exe	87
PID 676 wrote to memory of 2740	676	System.exe	87
PID 676 wrote to memory of 2772	676	System.exe	88
PID 676 wrote to memory of 2772	676	System.exe	88
PID 676 wrote to memory of 2772	676	System.exe	88
PID 2740 wrote to memory of 324	2740	WScript.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe
"C:\Users\Admin\AppData\Local\Temp\daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
  "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f625e8e5-1b3b-4dfc-b407-513533362697.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
      "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f56a01c-7e9c-4727-afad-49e86c2902a9.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\689bc9ab-ae85-42cb-a8e6-be4c9212cb55.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\175d439e-b452-45f4-a9bc-cfcd0d075c96.vbs"
        9⤵
        
        PID:2652
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91be6464-7ceb-48f3-badb-14ca84082d27.vbs"
        11⤵
        
        PID:2296
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3003179b-a7b1-42ff-96e3-3d691396aa92.vbs"
        13⤵
        
        PID:2720
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c25ba464-6c2a-4fb6-899b-ad8f3543f72b.vbs"
        15⤵
        
        PID:1176
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04cc8942-a356-40b6-9e0f-6f9a6cc08166.vbs"
        17⤵
        
        PID:872
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b3af76d-26b8-4d59-9607-203b988736a5.vbs"
        19⤵
        
        PID:1464
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09bb6e8f-6bb3-47a1-a26e-a0a5f63ce8fb.vbs"
        21⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4b676c4-5f81-41c9-a6f0-092bbb9b6929.vbs"
        21⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\554f2cdf-fad8-45f6-8b66-663473c478f3.vbs"
        19⤵
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5c26410-a3c1-497e-8f90-95c5d8a25fe4.vbs"
        17⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\462703b3-04c1-43fc-8f26-5b41160c3bed.vbs"
        15⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\504d8c59-1307-4a8e-a5e7-cbaca8d6e007.vbs"
        13⤵
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0ef2196-8872-4932-b0f6-5172dad26411.vbs"
        11⤵
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\269d8136-268a-44a8-8c32-9a2d7de1f8da.vbs"
        9⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d6fc7f5-8e7c-4fab-8230-eb52d3f26ad1.vbs"
        7⤵
        
        PID:2772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b31f641e-7140-4e3c-9160-0452246bab36.vbs"
        5⤵
        
        PID:1368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbe609ce-2491-4aba-87dc-6fad36cf95ed.vbs"
    3⤵
    PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
1.7MB

MD5
9c9f667755228a71dfa3a01557768ec8

SHA1
c6e0a94e9aff6428a253b20ebc888b8337baadf2

SHA256
daae029f704f13f126825905d48ec0faa6a6b006219bb75925f486a6e6af0d6d

SHA512
744754a61e279983e9186924c3ff02ec345e2d87e53bf63bc10b042f54ba18f4a23124a6a67b9bb5c3c40af431ad53160d766426311e217e6f523293bae3732a

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe

Filesize
1.7MB

MD5
0d641cd3437ce0eb1631562e69726ee0

SHA1
302277586aaec3f50fd846d7a080af0d54f54aea

SHA256
63ebbb4de7a370c26dcb9218b3a907eaf9af58c1abb0cecd3734d9cf0d2649eb

SHA512
8040aa59865980f64e8201facb421d6e7636499dbd5544795dd37396d78b4d66ca08b7fe8e86f1c6009453659134900ee6595ad8c3b0371310ae97f8e4b48307

Download Submit
C:\Users\Admin\AppData\Local\Temp\04cc8942-a356-40b6-9e0f-6f9a6cc08166.vbs

Filesize
746B

MD5
5bbeab1c20bf440ebfc5f2f73756a430

SHA1
0002d6873fae1003830211a51d2eefd6b5c610b5

SHA256
88fc9ffab7f60c09b11dac23ded48b019562769c9c04f319b7d3593fdc5b0161

SHA512
901afec962fdd633811b019e00e721edcee68ac37a18bc006533ebe4a9ca06c4b0a5ca711093375a065521ee37b6d9f9d58e3b99f25b367cef0120bb18760eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\09bb6e8f-6bb3-47a1-a26e-a0a5f63ce8fb.vbs

Filesize
747B

MD5
18b71c9f6157890812fff1cc295030b7

SHA1
a0b3099d891b39e612e06633dfec37d22cd1389e

SHA256
30860878f6bf54e8f185bfc43c84ab6b5c012f5339f2cf7d603bf7553929147c

SHA512
69805022a4f8141d42e696e90ec57e1582afbb950de0f688c555ccb3397927a62680a0ab5bc9008b0842fdfc6cb02316903246bc87132412f0f6834cf363cd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\175d439e-b452-45f4-a9bc-cfcd0d075c96.vbs

Filesize
746B

MD5
38904968193e3ed5ea220a349488b593

SHA1
57144727a22d235dcfb02238a97764253f8ea4bc

SHA256
50f2c29b9c1ffe9e8c8db8a2c654b60bc11e4a39292cde31c2e42b9dff296d4a

SHA512
a57a5bd2d5344d2b64e6c8688ecda241543dbfacbbd69b29d7792e0636bfd74ee5c4816002dd99b070243dce9cec32dabfb6331ad1186b1ca397dd6e96e3b7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b3af76d-26b8-4d59-9607-203b988736a5.vbs

Filesize
746B

MD5
dae093881cd4ef17310189a71a27537e

SHA1
8bc92d9934041ba7ae6252ff4e3427d3e35dd857

SHA256
31b47a24ca248e8ec3c5b91af8b89f03c43b2819b98e0eae89c1d98120ccc10a

SHA512
8c0f93e98e863535a45ed864dab32d6279c811aabc3bab3f500a2ec70a20f30a6cd90bbcc318a09c83a03d6e53ff641a16e108cb6bbed6079d236a43b49e6ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3003179b-a7b1-42ff-96e3-3d691396aa92.vbs

Filesize
747B

MD5
f5725972bc2a511f853699a12b2dad04

SHA1
06827e7f981a087c2b6dc5c775e718c65e3bd403

SHA256
e4b26b20741a6a18e3be7bb0d815194303b1440fb6863470bb6af4a8b30f7455

SHA512
bf02efebbce1f3c099689be2431a109c28f6f558e0e3c6647a2979b7e900775adab655e36fd1714ceafd344bb5d382c65921b5d46398db0fd03639027b3aab36

Download Submit
C:\Users\Admin\AppData\Local\Temp\689bc9ab-ae85-42cb-a8e6-be4c9212cb55.vbs

Filesize
746B

MD5
e154fda8fe3158dc41c540245e4871ef

SHA1
3de81d660df5b17631a786362a8c615d5b114dd1

SHA256
668309eb72a50c27c54209b995c7083351e4fcc27a06625797839a622994b513

SHA512
e95728762f1c61f054ed653e82f98050e4897c28d1406319bf55926c3390df8241f883fd5ee797752c0b9321ebd9b2958aecd27a3393a176daa045d3d03e4cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f56a01c-7e9c-4727-afad-49e86c2902a9.vbs

Filesize
746B

MD5
1d040522a8dd84e38f537646529c757a

SHA1
fa9ea5eac815a26dba83674e25006a6ba8e05729

SHA256
574fc1e3125cce08314cd5b283cf11044612e8db5750f5c85f22f9fdb5052450

SHA512
93640c7f2801a63b8b25a3cf4ac28f4114b47185b1fdd9a2c5aa9e6e6e55fbbc1db37fd7e504527286a43da40808f2337559656aaa17beca27cd49eb99ea9995

Download Submit
C:\Users\Admin\AppData\Local\Temp\91be6464-7ceb-48f3-badb-14ca84082d27.vbs

Filesize
747B

MD5
f94ed3143185605f24d0cf95ef5557dc

SHA1
0af7c14d7ffa44c25f49f63af5e137a2883a0933

SHA256
9a9db09fb5e7b19875e0c627cc143053728e729939ed73373e6599d2a50c4d41

SHA512
f305adc62022551b90aa135f55def7415ebf56fbc86c17580634066b01cc16f2ea88685f7c778223942d80bd1782a13936303684ecf7ad57dfcea56bd274911e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbe609ce-2491-4aba-87dc-6fad36cf95ed.vbs

Filesize
523B

MD5
91c9cd51cb4fdfc28b11b12767579869

SHA1
c2251515ade4dbda6e08f6cbde1e0ec9141cfb54

SHA256
6ef5da3ced4311e5e701509efef9340bbe6a400604004a53f1976bfb122a52b2

SHA512
d89ce06d07b3247629254919f07fb394c16f7655e1921016ceda85bbc4fb3bd0ba9fd39b13d1974e6b9611de67b04765c58acb0d459a8e13790608fb9398b4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\c25ba464-6c2a-4fb6-899b-ad8f3543f72b.vbs

Filesize
747B

MD5
dd4c27965b1d477e25f246b506643f1c

SHA1
442edd7eb6b3fa7c6b8206e36422fff9b643f8f9

SHA256
691bdfd3d416c52026b3b24e2432a80c2e078d42beab3b491855424cb2acc636

SHA512
2a368197ab3604cf182c8f3c162dc82a98f2d7de2e171d41dbbfca39a1b691bfc61e6c572dcc888995b6a2f7739e29ae80c80c4f9bee4efe2862683ec72fdcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\f625e8e5-1b3b-4dfc-b407-513533362697.vbs

Filesize
747B

MD5
a072a1978e620b58e8cd1f2f6be688dc

SHA1
6595f7a3ba119bdde3d7ee855c746032775f1e1c

SHA256
63c6af6f91235014470a144bfcd56e5e91e3fdca94237e7f6cceb0586571d762

SHA512
efa247637e83ffa9f0434703df46460f27e727d402c0f513ac839a60b5df446d58c420143f3e2687d54ea6c318b000be5131341613ece4b140d240466814770f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16acf88c1ae36739be7a2a9a56c8aef2

SHA1
df32312b0fa8ad8e73f907413c44b2ed288e99d4

SHA256
36f0f6b354238c09787a9dc280c2e819bd8a6fe3689f15f1ef574f121fbeb245

SHA512
70f4ce71cbcff6eee7a46845250d52955704161d878efaa089d3568322347fad3f44a8dbd5015a20f1a3611686e5a0b2742006079a38b781ddc6529cedca0d97

Download Submit
memory/676-225-0x0000000001300000-0x00000000014C0000-memory.dmp

Filesize
1.8MB

Download
memory/752-287-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/864-213-0x00000000001C0000-0x0000000000380000-memory.dmp

Filesize
1.8MB

Download
memory/980-299-0x0000000000260000-0x0000000000420000-memory.dmp

Filesize
1.8MB

Download
memory/1252-154-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1252-155-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1572-144-0x0000000000DD0000-0x0000000000F90000-memory.dmp

Filesize
1.8MB

Download
memory/1572-202-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2072-311-0x0000000000270000-0x0000000000430000-memory.dmp

Filesize
1.8MB

Download
memory/2072-312-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/2088-248-0x00000000000D0000-0x0000000000290000-memory.dmp

Filesize
1.8MB

Download
memory/2088-249-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/2444-274-0x0000000000E50000-0x0000000001010000-memory.dmp

Filesize
1.8MB

Download
memory/2444-275-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2608-162-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-11-0x0000000002220000-0x0000000002232000-memory.dmp

Filesize
72KB

Download
memory/2608-18-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-17-0x000000001A830000-0x000000001A83C000-memory.dmp

Filesize
48KB

Download
memory/2608-14-0x0000000002260000-0x000000000226E000-memory.dmp

Filesize
56KB

Download
memory/2608-15-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2608-16-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/2608-13-0x0000000002400000-0x000000000240A000-memory.dmp

Filesize
40KB

Download
memory/2608-1-0x0000000000B00000-0x0000000000CC0000-memory.dmp

Filesize
1.8MB

Download
memory/2608-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-12-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/2608-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2608-9-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/2608-8-0x0000000002100000-0x000000000210C000-memory.dmp

Filesize
48KB

Download
memory/2608-7-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2608-6-0x00000000020D0000-0x00000000020E6000-memory.dmp

Filesize
88KB

Download
memory/2608-5-0x00000000020C0000-0x00000000020D0000-memory.dmp

Filesize
64KB

Download
memory/2608-4-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2608-3-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/2872-262-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2872-261-0x0000000000B70000-0x0000000000D30000-memory.dmp

Filesize
1.8MB

Download