dcrat | 397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
Size

1.7MB
MD5

a2dbf84e232d624efdbe3d587b42c9df
SHA1

c1938ad90a6403a6310560039dc8437f7664bcdb
SHA256

397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7
SHA512

4082b89dce58e274cbb157af86d7d7670783a215d7c2f4871c8e5eb8bbf5002457b8b3bcd4b0bbf9aa30e333d390edb148e9e4d7b565ca69a571141721f8255d
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJc:NgwuuEpdDLNwVMeXDL0fdSzAG9

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2600	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2888-1-0x0000000000920000-0x0000000000AD6000-memory.dmp	dcrat
behavioral1/files/0x0005000000019228-27.dat	dcrat
behavioral1/files/0x000500000001a41e-62.dat	dcrat
behavioral1/files/0x000a000000015e25-96.dat	dcrat
behavioral1/files/0x000c000000016d46-107.dat	dcrat
behavioral1/files/0x0009000000019228-130.dat	dcrat
behavioral1/files/0x00060000000194ea-187.dat	dcrat
behavioral1/files/0x00070000000194f6-196.dat	dcrat
behavioral1/memory/2760-295-0x0000000000800000-0x00000000009B6000-memory.dmp	dcrat
behavioral1/memory/1352-308-0x0000000000370000-0x0000000000526000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2864	powershell.exe
2196	powershell.exe
1540	powershell.exe
2780	powershell.exe
1816	powershell.exe
288	powershell.exe
2004	powershell.exe
1060	powershell.exe
2912	powershell.exe
1388	powershell.exe
1568	powershell.exe
2296	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe

Executes dropped EXE 2 IoCs

pid	Process
2760	dwm.exe
1352	dwm.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\lsass.exe	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File created	C:\Program Files (x86)\Microsoft.NET\6203df4a6bafc7	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX8995.tmp	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX8A03.tmp	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\lsass.exe	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Ease of Access Themes\sppsvc.exe	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Windows\Setup\State\RCX6D95.tmp	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX722A.tmp	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX722B.tmp	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File created	C:\Windows\CSC\v2.0.6\services.exe	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File created	C:\Windows\Setup\State\24dbde2999530e	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File created	C:\Windows\Resources\Ease of Access Themes\0a1fd5f707cd16	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Windows\Setup\State\RCX6D17.tmp	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\sppsvc.exe	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File created	C:\Windows\Setup\State\WmiPrvSE.exe	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
File opened for modification	C:\Windows\Setup\State\WmiPrvSE.exe	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
960	schtasks.exe
1308	schtasks.exe
1668	schtasks.exe
804	schtasks.exe
3008	schtasks.exe
1108	schtasks.exe
1076	schtasks.exe
1080	schtasks.exe
2368	schtasks.exe
3000	schtasks.exe
2976	schtasks.exe
2104	schtasks.exe
2256	schtasks.exe
800	schtasks.exe
2940	schtasks.exe
1992	schtasks.exe
2320	schtasks.exe
1376	schtasks.exe
2144	schtasks.exe
316	schtasks.exe
2344	schtasks.exe
2928	schtasks.exe
2260	schtasks.exe
2264	schtasks.exe
2356	schtasks.exe
2960	schtasks.exe
1424	schtasks.exe
1612	schtasks.exe
2212	schtasks.exe
1672	schtasks.exe
2084	schtasks.exe
2360	schtasks.exe
1968	schtasks.exe
2204	schtasks.exe
1712	schtasks.exe
2384	schtasks.exe
2428	schtasks.exe
2952	schtasks.exe
2944	schtasks.exe
2908	schtasks.exe
1820	schtasks.exe
580	schtasks.exe
2016	schtasks.exe
704	schtasks.exe
1812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2912	powershell.exe
1540	powershell.exe
1568	powershell.exe
2780	powershell.exe
2296	powershell.exe
2196	powershell.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
2864	powershell.exe
1060	powershell.exe
288	powershell.exe
2004	powershell.exe
1816	powershell.exe
1388	powershell.exe
2760	dwm.exe
2760	dwm.exe
2760	dwm.exe
2760	dwm.exe
2760	dwm.exe
2760	dwm.exe
2760	dwm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2760	dwm.exe
Token: SeDebugPrivilege	1352	dwm.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1060	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	77
PID 2888 wrote to memory of 1060	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	77
PID 2888 wrote to memory of 1060	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	77
PID 2888 wrote to memory of 1568	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	78
PID 2888 wrote to memory of 1568	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	78
PID 2888 wrote to memory of 1568	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	78
PID 2888 wrote to memory of 2004	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	79
PID 2888 wrote to memory of 2004	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	79
PID 2888 wrote to memory of 2004	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	79
PID 2888 wrote to memory of 288	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	81
PID 2888 wrote to memory of 288	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	81
PID 2888 wrote to memory of 288	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	81
PID 2888 wrote to memory of 1816	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	83
PID 2888 wrote to memory of 1816	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	83
PID 2888 wrote to memory of 1816	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	83
PID 2888 wrote to memory of 2780	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	84
PID 2888 wrote to memory of 2780	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	84
PID 2888 wrote to memory of 2780	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	84
PID 2888 wrote to memory of 1388	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	85
PID 2888 wrote to memory of 1388	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	85
PID 2888 wrote to memory of 1388	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	85
PID 2888 wrote to memory of 1540	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	86
PID 2888 wrote to memory of 1540	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	86
PID 2888 wrote to memory of 1540	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	86
PID 2888 wrote to memory of 2912	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	87
PID 2888 wrote to memory of 2912	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	87
PID 2888 wrote to memory of 2912	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	87
PID 2888 wrote to memory of 2864	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	88
PID 2888 wrote to memory of 2864	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	88
PID 2888 wrote to memory of 2864	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	88
PID 2888 wrote to memory of 2296	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	89
PID 2888 wrote to memory of 2296	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	89
PID 2888 wrote to memory of 2296	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	89
PID 2888 wrote to memory of 2196	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	90
PID 2888 wrote to memory of 2196	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	90
PID 2888 wrote to memory of 2196	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	90
PID 2888 wrote to memory of 2760	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	101
PID 2888 wrote to memory of 2760	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	101
PID 2888 wrote to memory of 2760	2888	397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe	101
PID 2760 wrote to memory of 1628	2760	dwm.exe	102
PID 2760 wrote to memory of 1628	2760	dwm.exe	102
PID 2760 wrote to memory of 1628	2760	dwm.exe	102
PID 2760 wrote to memory of 2908	2760	dwm.exe	103
PID 2760 wrote to memory of 2908	2760	dwm.exe	103
PID 2760 wrote to memory of 2908	2760	dwm.exe	103
PID 1628 wrote to memory of 1352	1628	WScript.exe	104
PID 1628 wrote to memory of 1352	1628	WScript.exe	104
PID 1628 wrote to memory of 1352	1628	WScript.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe
"C:\Users\Admin\AppData\Local\Temp\397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39ccac19-eed1-4430-8888-266d0f77dcc1.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe
      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1352
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\289f66b8-9a46-446b-a720-25b46355c4e6.vbs"
    3⤵
    PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Ease of Access Themes\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
1.7MB

MD5
fa54b70d0acfbaa78d3566190fe604e7

SHA1
e75f767b6ce9165dea44fd6dd4afb59d900bf99f

SHA256
392f5e67bbd8cd3aa372e1de4b24bcd6a9d2b6a47edcaf51907debf6965b25d7

SHA512
75028ba8f54689d9d334fb6a5891c44e9b06c9c4e81b5d3a4b4543625ef13c14081031165cdaed78db1cae9e51c525d16944977b334841047c3cda43024c1ae3

Download Submit
C:\Program Files (x86)\Microsoft.NET\lsass.exe

Filesize
1.7MB

MD5
8c95180bc067f1df580822ed0235795c

SHA1
0418f606696afe91fae9f22b9a80a47ebf5a683b

SHA256
229762bb845cb7b7062869e92bb32941f42517f5ef2880a65286f6dc1b72d9e9

SHA512
9f2e1bbd6949d1e43e23d4e67f6320e01ee9a29a5f85ff3e6dfa71ba04702440f6c04d59e452f13edca40eb9347da1ecc2ebfca7d27451c474b7f67afe3b36d0

Download Submit
C:\ProgramData\System.exe

Filesize
1.7MB

MD5
a2dbf84e232d624efdbe3d587b42c9df

SHA1
c1938ad90a6403a6310560039dc8437f7664bcdb

SHA256
397de25eb509188dacf565de5903bcb4a29570d9d8af9069a56fb82d951798a7

SHA512
4082b89dce58e274cbb157af86d7d7670783a215d7c2f4871c8e5eb8bbf5002457b8b3bcd4b0bbf9aa30e333d390edb148e9e4d7b565ca69a571141721f8255d

Download Submit
C:\ProgramData\System.exe

Filesize
1.7MB

MD5
9b05d448cc52311fdda4d82a8ca0c7fd

SHA1
b07c9342b76215e1af65287798dcfc0a396cdcdf

SHA256
6b3a8dbb76f2276fc6f770f5643ed3e0774fad4e8c4dee70844974ad8b1aa7e3

SHA512
546291d2ba4f3be4681da385286c7cfc2a19e808ea8a1fceb5fdd8ea5fea01edf7a976463922d0228c83a946121f85e6d52370aa15f4a6c55b9f9fbfcfaa1c2e

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe

Filesize
1.7MB

MD5
014657a6d0d8eade3bf88b7f89a0c542

SHA1
6f4149ba6d749eefb430b26d3a9a50f27eb5c9c3

SHA256
6c7d768e9ca77b65d97294e06887d98772b2c463ef1be171c48904255ad32fd8

SHA512
f4cd28bf694535ab7a6e51b7186817eb1c7fc421bdf054eb0a6ce69a2cc6fb4a4aabd968a9873b4d0c69bcc9545d05a5e62ec44f0c9345a0cd6b666bbd56408b

Download Submit
C:\Users\Admin\AppData\Local\Temp\289f66b8-9a46-446b-a720-25b46355c4e6.vbs

Filesize
522B

MD5
e8e752e68ebe0112bae7598f6f3c8ecf

SHA1
e7aa68f7b704dc1b5216e928e4e1b1dbd2943607

SHA256
4af7fa19ddbabce64e7c315026c0aad84972b2b409ff43326b643849703023c4

SHA512
85b3cc52c64ba96ea2b037982fcefca0575be4e437d75243ab93a5be5c6d41442fe42d1445e73ca258136526115e92d436cb539cc585e026c1555bd7abcbe3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\39ccac19-eed1-4430-8888-266d0f77dcc1.vbs

Filesize
746B

MD5
8cc26ad9c8682f07232ea178e59a69b8

SHA1
8be51b367a7d9e48696c352c2ed5740e00504bf3

SHA256
50593e5cc24ceb01803cf683016c912e767662f466b6b8380d04fc1f35cc6536

SHA512
7f73dd548902ddeb648bf04b68d8545a4b67e9368e13ea4f26ce7ad1d1624b4994228d98e35dd99ee6a7889be6c063d5b4d88f75e59e5aed298cc2bd0537d087

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d4420dbd7a305ee33eed503b2d7a6a54

SHA1
37c4437d6be61ee9252edd56369b397b1b37ba53

SHA256
c03b47ec7ee2fd2b7dd3e68d3522ffe025b6a8631f7038ff0df75a618b1c6b67

SHA512
b78cb947e40f9374abd6531e2f15ff5cc1cbfa49edae39cc483c24df2157ccaec3f50f2784fc058571db950ce827d0499a192a3e56ad29846892bea0b61a0983

Download Submit
C:\Users\Default\audiodg.exe

Filesize
1.7MB

MD5
305d175f3a0e8c69ced260cf53ce24d2

SHA1
553d598f5167c9847f0f3f5f961c52660a98ca70

SHA256
7ba5fc9a79bdbf1ef6280cdc680e2270047587725362c7bacd65988927092bff

SHA512
f109f77f540efdf947355c4901f1c1d346a24961bbd422871c8e8b70b80272c7b3ba2c22b0647b0447bb6af3d84bbac51b8d48ea12a5aa1646383d7b7257a379

Download Submit
C:\Windows\Setup\State\WmiPrvSE.exe

Filesize
1.7MB

MD5
2985885ce6a99a072678a7030ad79efe

SHA1
2aeaa9906be0e0da0b6a5441874dc7b51e56a4e5

SHA256
e29a5b66d5e45182388b9ce81b5764155edfd4740efe4eda765aac4c69367bda

SHA512
49070a067abfc25545e865dd216d8c42f636ef741ca1900f4b573bcb5bd4df6f8121b621ce5f0aca8a13831d0e99630d2997ce459384749e71a7fb687b196cb6

Download Submit
memory/1352-308-0x0000000000370000-0x0000000000526000-memory.dmp

Filesize
1.7MB

Download
memory/1352-309-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1568-286-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2760-295-0x0000000000800000-0x00000000009B6000-memory.dmp

Filesize
1.7MB

Download
memory/2760-297-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2888-9-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2888-201-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-20-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-16-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2888-15-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2888-14-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2888-13-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2888-12-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2888-184-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2888-10-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2888-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2888-17-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2888-226-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-8-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/2888-1-0x0000000000920000-0x0000000000AD6000-memory.dmp

Filesize
1.7MB

Download
memory/2888-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2888-6-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2888-296-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2888-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2888-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2888-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-292-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download