dcrat | ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
Size

1.7MB
MD5

60b616116be77dbf109954260772aa40
SHA1

3d6df410f548e1936313e1835d0b2f893f827689
SHA256

ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e
SHA512

89efc0c5f3279870127d2c847aa1dc02d29d0e4d3ae1f31c02ff5ae4c556a04ed57abda424f6fa04c3c2b3cf889bf08d7df53858f5bccf16b433d3c530c37363
SSDEEP

24576:j3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJN:jgwuuEpdDLNwVMeXDL0fdSzAGM

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2732	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2732	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1920-1-0x0000000000980000-0x0000000000B36000-memory.dmp	dcrat
behavioral1/files/0x000500000001920f-27.dat	dcrat
behavioral1/files/0x000f00000001225a-101.dat	dcrat
behavioral1/files/0x000800000001920f-123.dat	dcrat
behavioral1/files/0x00090000000192f0-158.dat	dcrat
behavioral1/memory/1524-242-0x0000000000BB0000-0x0000000000D66000-memory.dmp	dcrat
behavioral1/memory/2188-254-0x0000000000C70000-0x0000000000E26000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2788	powershell.exe
2620	powershell.exe
2728	powershell.exe
2868	powershell.exe
1292	powershell.exe
2776	powershell.exe
320	powershell.exe
2768	powershell.exe
2704	powershell.exe
2352	powershell.exe
1536	powershell.exe
2680	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe

Executes dropped EXE 2 IoCs

pid	Process
1524	services.exe
2188	services.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC28C.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXC491.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXC4FF.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files (x86)\Common Files\OSPPSVC.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files (x86)\Common Files\1610b97d3ab4a7	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files\VideoLAN\WmiPrvSE.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files (x86)\Common Files\OSPPSVC.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files\VideoLAN\RCXD05F.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files\Internet Explorer\it-IT\42af1c969fbb7b	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files\VideoLAN\24dbde2999530e	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\24dbde2999530e	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\RCXD263.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\RCXD264.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\WmiPrvSE.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\WmiPrvSE.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC28D.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\audiodg.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files\VideoLAN\RCXCFF1.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files\VideoLAN\WmiPrvSE.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Program Files\Internet Explorer\it-IT\audiodg.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXBE83.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXBE84.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\IME\en-US\ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File created	C:\Windows\IME\en-US\98d9a63c308a18	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Windows\IME\en-US\RCXC087.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Windows\IME\en-US\RCXC088.tmp	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
File opened for modification	C:\Windows\IME\en-US\ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2900	schtasks.exe
2960	schtasks.exe
1144	schtasks.exe
2752	schtasks.exe
452	schtasks.exe
2148	schtasks.exe
3016	schtasks.exe
2964	schtasks.exe
2868	schtasks.exe
1868	schtasks.exe
2340	schtasks.exe
1160	schtasks.exe
2240	schtasks.exe
1800	schtasks.exe
2428	schtasks.exe
676	schtasks.exe
568	schtasks.exe
2860	schtasks.exe
2704	schtasks.exe
2772	schtasks.exe
640	schtasks.exe
2456	schtasks.exe
2984	schtasks.exe
1636	schtasks.exe
1788	schtasks.exe
2012	schtasks.exe
2288	schtasks.exe
2232	schtasks.exe
2604	schtasks.exe
2624	schtasks.exe
2916	schtasks.exe
3024	schtasks.exe
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
2788	powershell.exe
2728	powershell.exe
320	powershell.exe
2868	powershell.exe
2680	powershell.exe
2768	powershell.exe
2620	powershell.exe
2704	powershell.exe
1292	powershell.exe
2352	powershell.exe
2776	powershell.exe
1536	powershell.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
1524	services.exe
2188	services.exe
2188	services.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1524	services.exe
Token: SeDebugPrivilege	2188	services.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 320	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	66
PID 1920 wrote to memory of 320	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	66
PID 1920 wrote to memory of 320	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	66
PID 1920 wrote to memory of 1536	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	67
PID 1920 wrote to memory of 1536	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	67
PID 1920 wrote to memory of 1536	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	67
PID 1920 wrote to memory of 2768	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	68
PID 1920 wrote to memory of 2768	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	68
PID 1920 wrote to memory of 2768	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	68
PID 1920 wrote to memory of 2788	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	69
PID 1920 wrote to memory of 2788	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	69
PID 1920 wrote to memory of 2788	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	69
PID 1920 wrote to memory of 2620	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	70
PID 1920 wrote to memory of 2620	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	70
PID 1920 wrote to memory of 2620	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	70
PID 1920 wrote to memory of 2680	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	71
PID 1920 wrote to memory of 2680	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	71
PID 1920 wrote to memory of 2680	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	71
PID 1920 wrote to memory of 2728	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	72
PID 1920 wrote to memory of 2728	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	72
PID 1920 wrote to memory of 2728	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	72
PID 1920 wrote to memory of 2868	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	73
PID 1920 wrote to memory of 2868	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	73
PID 1920 wrote to memory of 2868	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	73
PID 1920 wrote to memory of 1292	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	74
PID 1920 wrote to memory of 1292	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	74
PID 1920 wrote to memory of 1292	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	74
PID 1920 wrote to memory of 2776	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	75
PID 1920 wrote to memory of 2776	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	75
PID 1920 wrote to memory of 2776	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	75
PID 1920 wrote to memory of 2704	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	76
PID 1920 wrote to memory of 2704	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	76
PID 1920 wrote to memory of 2704	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	76
PID 1920 wrote to memory of 2352	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	77
PID 1920 wrote to memory of 2352	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	77
PID 1920 wrote to memory of 2352	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	77
PID 1920 wrote to memory of 2668	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	90
PID 1920 wrote to memory of 2668	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	90
PID 1920 wrote to memory of 2668	1920	ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe	90
PID 2668 wrote to memory of 1304	2668	cmd.exe	92
PID 2668 wrote to memory of 1304	2668	cmd.exe	92
PID 2668 wrote to memory of 1304	2668	cmd.exe	92
PID 2668 wrote to memory of 1524	2668	cmd.exe	93
PID 2668 wrote to memory of 1524	2668	cmd.exe	93
PID 2668 wrote to memory of 1524	2668	cmd.exe	93
PID 1524 wrote to memory of 2612	1524	services.exe	94
PID 1524 wrote to memory of 2612	1524	services.exe	94
PID 1524 wrote to memory of 2612	1524	services.exe	94
PID 1524 wrote to memory of 2852	1524	services.exe	95
PID 1524 wrote to memory of 2852	1524	services.exe	95
PID 1524 wrote to memory of 2852	1524	services.exe	95
PID 2612 wrote to memory of 2188	2612	WScript.exe	96
PID 2612 wrote to memory of 2188	2612	WScript.exe	96
PID 2612 wrote to memory of 2188	2612	WScript.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe
"C:\Users\Admin\AppData\Local\Temp\ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3lVh7LEJNT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1304
- - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
    "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62a22c1f-dd84-4e00-a1e5-5e4a099d5bf2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64f69928-a6af-439d-a0e9-a6a6bf775b8b.vbs"
      4⤵
      PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06ee" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\en-US\ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e" /sc ONLOGON /tr "'C:\Windows\IME\en-US\ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06ee" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\en-US\ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\it-IT\audiodg.exe

Filesize
1.7MB

MD5
60b616116be77dbf109954260772aa40

SHA1
3d6df410f548e1936313e1835d0b2f893f827689

SHA256
ec28f3527cbf73f5d284739eb21c9dccb40c432e377b17b550c67ce377bdf06e

SHA512
89efc0c5f3279870127d2c847aa1dc02d29d0e4d3ae1f31c02ff5ae4c556a04ed57abda424f6fa04c3c2b3cf889bf08d7df53858f5bccf16b433d3c530c37363

Download Submit
C:\Program Files\Internet Explorer\it-IT\audiodg.exe

Filesize
1.7MB

MD5
2a4f5ecb0e05569d33b459836e1b1aed

SHA1
c10d71d4913d2856f9481eb8e34c264706c66933

SHA256
47fe52296f80c866b0c577930f450e1c56b12140e762ff9ec2f8861e1ed6baf5

SHA512
cccd1456387ba6c76809c637c77af2188d93fd461eddbb5a375edc960e5a0dc4553b0ec98eb143ea29c92f4bf412944afaa335f8b2e9c48a7ab51154297a8871

Download Submit
C:\Program Files\VideoLAN\WmiPrvSE.exe

Filesize
1.7MB

MD5
d6fe5962cf61759a25c1f2b4b1648d0f

SHA1
da2d9699fa730656744d995469614e643051847a

SHA256
0539599a1f73579bc5b6fcdaada8c8893b4084f72dd1548a33beae2df6d51d95

SHA512
56e965077360089e39f477efa4a95edac6ba5107218e57f853f78dc1a48376c4f5d69d2a8d8f6b710d30a53f49e8c11ea73c6b7b21c432ba72b114a1addf3a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3lVh7LEJNT.bat

Filesize
245B

MD5
c412472454e2acf2157d94fba8fb71f8

SHA1
cc2de3b1db1247f6fc4c67360ac151f1d7817e21

SHA256
1b6ea2258437668315b84a50ea7d91d7679641b9b547933c942a256892f36f0b

SHA512
3f7f4a1dd8fde10ebcf979aca7d7177274d84288609116a00c32499a3598fb8e8aeff6bca26978b3b1d475480672c951c808508caccb61e06f323ab40027abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\62a22c1f-dd84-4e00-a1e5-5e4a099d5bf2.vbs

Filesize
756B

MD5
42b113173d03c604b42eda44a20e85c3

SHA1
33075242fc306c581184f9447ad70b1d77b4294f

SHA256
0934fd0758e7d2bec8f049c7de9bfc35715d1af6918cad87d454296db84f85ca

SHA512
1014a70f8488e328a8e368b94da5d98a8ad28434ccf36ae73ccaba3bb6ac174e517786e0ec74186eb7adcea1b206467de94eddd8c765b159ca83f9a7074e832b

Download Submit
C:\Users\Admin\AppData\Local\Temp\64f69928-a6af-439d-a0e9-a6a6bf775b8b.vbs

Filesize
532B

MD5
d1debfea602f3f645f87cfd1ea0c8e7c

SHA1
b4c10d5ff4cb03b27e3e6c9a080e166b9776f700

SHA256
234334c543ad938aab452f1c55e451267275ef7ab0bd3e6ed8e89a0ff9002447

SHA512
53069a48c9175f4ea8c7c2f4b810deb3d95f655ee3f8399ae51779d5afea8acfb3ec9ed8c7e1db39c1f03979c95ff294b4283ebd7ab16fe65eda8694eee977b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
34a3be5e84a156cb32a5db923ede2f48

SHA1
2af4b503c5eb3e0336f581809f93d8e731b3ab0b

SHA256
810e8bd4fb2aa143f68b260ab056332e377b2bef35206819fa3633a728effc7f

SHA512
383ddf09cc2b2642b0a18b87be7072962cc56064c7dedc8c0ce9ec5ac2b4a0855a879118054e9dc2d2df6ef7b5c66b369e912270cda980b557973cdda9a108f9

Download Submit
C:\Users\Public\Desktop\winlogon.exe

Filesize
1.7MB

MD5
3fef00a12ecac3a211e98d680a0fa9e2

SHA1
d48ce242df7a8430346e17ed0c3d962a76f47205

SHA256
c49376024dc788dcc3ccd9da7960f950aa50dfe557d5bc1322aa1e065e249683

SHA512
0abaa3040b5506e9d3b3148bbd594989a8132091a3ee333bf1a97981850391d14e696b566f271956a3d319b39eff9ed3e5661e297ea072393e751fd39e2c6ce2

Download Submit
memory/1524-243-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1524-242-0x0000000000BB0000-0x0000000000D66000-memory.dmp

Filesize
1.7MB

Download
memory/1920-17-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/1920-7-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1920-16-0x00000000021F0000-0x00000000021FC000-memory.dmp

Filesize
48KB

Download
memory/1920-15-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/1920-14-0x00000000021D0000-0x00000000021DA000-memory.dmp

Filesize
40KB

Download
memory/1920-13-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/1920-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/1920-20-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-10-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1920-9-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1920-8-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/1920-12-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1920-6-0x0000000000530000-0x0000000000546000-memory.dmp

Filesize
88KB

Download
memory/1920-1-0x0000000000980000-0x0000000000B36000-memory.dmp

Filesize
1.7MB

Download
memory/1920-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-191-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/1920-4-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1920-5-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1920-3-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2188-254-0x0000000000C70000-0x0000000000E26000-memory.dmp

Filesize
1.7MB

Download
memory/2188-255-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2728-193-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2788-194-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download