dcrat | aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
Size

1.7MB
MD5

707f4ad9209b26de91ddd3e1c7e652db
SHA1

53c2b889fff7f9b276262d4ef10d62bd5d738d52
SHA256

aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c
SHA512

e520f2354269d33d3cd37374a5e3304c5e62926d09590e1687ee408ce124ee6a1641a3ba4eb51875095a327c31e099b8e7cd8a24335f08c667b9a3db5ebebdfb
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2872	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2872	schtasks.exe	31

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2688-1-0x0000000001360000-0x0000000001520000-memory.dmp	dcrat
behavioral1/files/0x0005000000019629-27.dat	dcrat
behavioral1/files/0x00090000000193cc-79.dat	dcrat
behavioral1/files/0x0009000000019621-102.dat	dcrat
behavioral1/memory/1476-173-0x0000000001110000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1140-186-0x0000000001310000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1904-221-0x0000000000140000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/3040-233-0x0000000001220000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/2424-267-0x0000000000010000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/1568-280-0x00000000012F0000-0x00000000014B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1372	powershell.exe
1576	powershell.exe
948	powershell.exe
2588	powershell.exe
340	powershell.exe
1224	powershell.exe
1608	powershell.exe
2208	powershell.exe
2436	powershell.exe
1952	powershell.exe
860	powershell.exe
1192	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe

Executes dropped EXE 10 IoCs

pid	Process
1476	sppsvc.exe
1140	sppsvc.exe
2896	sppsvc.exe
2556	sppsvc.exe
1904	sppsvc.exe
3040	sppsvc.exe
560	sppsvc.exe
952	sppsvc.exe
2424	sppsvc.exe
1568	sppsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1312	schtasks.exe
1928	schtasks.exe
2644	schtasks.exe
2328	schtasks.exe
3000	schtasks.exe
2728	schtasks.exe
2948	schtasks.exe
2832	schtasks.exe
2028	schtasks.exe
2348	schtasks.exe
2732	schtasks.exe
2628	schtasks.exe
2660	schtasks.exe
1036	schtasks.exe
2708	schtasks.exe
2940	schtasks.exe
2820	schtasks.exe
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
948	powershell.exe
2588	powershell.exe
1608	powershell.exe
2436	powershell.exe
1576	powershell.exe
860	powershell.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
1192	powershell.exe
1224	powershell.exe
1952	powershell.exe
340	powershell.exe
2208	powershell.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
1372	powershell.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe
1476	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1476	sppsvc.exe
Token: SeDebugPrivilege	1140	sppsvc.exe
Token: SeDebugPrivilege	2896	sppsvc.exe
Token: SeDebugPrivilege	2556	sppsvc.exe
Token: SeDebugPrivilege	1904	sppsvc.exe
Token: SeDebugPrivilege	3040	sppsvc.exe
Token: SeDebugPrivilege	560	sppsvc.exe
Token: SeDebugPrivilege	952	sppsvc.exe
Token: SeDebugPrivilege	2424	sppsvc.exe
Token: SeDebugPrivilege	1568	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1952	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	50
PID 2688 wrote to memory of 1952	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	50
PID 2688 wrote to memory of 1952	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	50
PID 2688 wrote to memory of 860	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	51
PID 2688 wrote to memory of 860	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	51
PID 2688 wrote to memory of 860	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	51
PID 2688 wrote to memory of 2588	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	52
PID 2688 wrote to memory of 2588	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	52
PID 2688 wrote to memory of 2588	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	52
PID 2688 wrote to memory of 340	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	55
PID 2688 wrote to memory of 340	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	55
PID 2688 wrote to memory of 340	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	55
PID 2688 wrote to memory of 1224	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	56
PID 2688 wrote to memory of 1224	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	56
PID 2688 wrote to memory of 1224	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	56
PID 2688 wrote to memory of 1576	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	57
PID 2688 wrote to memory of 1576	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	57
PID 2688 wrote to memory of 1576	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	57
PID 2688 wrote to memory of 1608	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	59
PID 2688 wrote to memory of 1608	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	59
PID 2688 wrote to memory of 1608	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	59
PID 2688 wrote to memory of 948	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	60
PID 2688 wrote to memory of 948	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	60
PID 2688 wrote to memory of 948	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	60
PID 2688 wrote to memory of 2208	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	61
PID 2688 wrote to memory of 2208	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	61
PID 2688 wrote to memory of 2208	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	61
PID 2688 wrote to memory of 1372	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	63
PID 2688 wrote to memory of 1372	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	63
PID 2688 wrote to memory of 1372	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	63
PID 2688 wrote to memory of 2436	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	64
PID 2688 wrote to memory of 2436	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	64
PID 2688 wrote to memory of 2436	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	64
PID 2688 wrote to memory of 1192	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	65
PID 2688 wrote to memory of 1192	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	65
PID 2688 wrote to memory of 1192	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	65
PID 2688 wrote to memory of 1476	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	74
PID 2688 wrote to memory of 1476	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	74
PID 2688 wrote to memory of 1476	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	74
PID 2688 wrote to memory of 1476	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	74
PID 2688 wrote to memory of 1476	2688	aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe	74
PID 1476 wrote to memory of 2288	1476	sppsvc.exe	75
PID 1476 wrote to memory of 2288	1476	sppsvc.exe	75
PID 1476 wrote to memory of 2288	1476	sppsvc.exe	75
PID 1476 wrote to memory of 2084	1476	sppsvc.exe	76
PID 1476 wrote to memory of 2084	1476	sppsvc.exe	76
PID 1476 wrote to memory of 2084	1476	sppsvc.exe	76
PID 2288 wrote to memory of 1140	2288	WScript.exe	77
PID 2288 wrote to memory of 1140	2288	WScript.exe	77
PID 2288 wrote to memory of 1140	2288	WScript.exe	77
PID 2288 wrote to memory of 1140	2288	WScript.exe	77
PID 2288 wrote to memory of 1140	2288	WScript.exe	77
PID 1140 wrote to memory of 3008	1140	sppsvc.exe	78
PID 1140 wrote to memory of 3008	1140	sppsvc.exe	78
PID 1140 wrote to memory of 3008	1140	sppsvc.exe	78
PID 1140 wrote to memory of 1204	1140	sppsvc.exe	79
PID 1140 wrote to memory of 1204	1140	sppsvc.exe	79
PID 1140 wrote to memory of 1204	1140	sppsvc.exe	79
PID 3008 wrote to memory of 2896	3008	WScript.exe	80
PID 3008 wrote to memory of 2896	3008	WScript.exe	80
PID 3008 wrote to memory of 2896	3008	WScript.exe	80
PID 3008 wrote to memory of 2896	3008	WScript.exe	80
PID 3008 wrote to memory of 2896	3008	WScript.exe	80
PID 2896 wrote to memory of 1488	2896	sppsvc.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe
"C:\Users\Admin\AppData\Local\Temp\aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
  "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f0cac45-77ac-44da-8ca5-1ef0fc27956c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8044ee4a-9ed0-456b-86f5-6b1e5eb937cd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04c7c5cd-c1d5-414f-aad7-6e8f5d7f47fc.vbs"
        7⤵
        
        PID:1488
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f088c10b-1ad8-4ce4-9da2-0702912e4320.vbs"
        9⤵
        
        PID:1432
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ade2008-a857-43f0-9587-4263fcee0b73.vbs"
        11⤵
        
        PID:3036
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3b3ecbd-c1f7-44c0-bb31-b83282fe6c1b.vbs"
        13⤵
        
        PID:380
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c515c678-4b2e-4b82-b178-d3dc6b667d24.vbs"
        15⤵
        
        PID:608
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23cba3a2-1e3e-4622-98b3-d9deb141cb1a.vbs"
        17⤵
        
        PID:2220
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a736794f-0bfc-4474-a415-f33a5e1f31dc.vbs"
        19⤵
        
        PID:276
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\544db85f-b02a-4c30-ae5a-0f05a9316849.vbs"
        21⤵
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69859ff6-c966-4cee-90aa-266efb14d844.vbs"
        21⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08c43b30-bf23-475a-85d2-ad9c5c412f80.vbs"
        19⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaeee71d-1a34-4d12-a91f-d794a5f5540d.vbs"
        17⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f664a2e-eca6-44b1-aeb1-69c5f8f64cf1.vbs"
        15⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5b5ce84-d6b1-4a39-bef0-d6fae7599d18.vbs"
        13⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\241bf4af-1477-412c-8452-f81ebec9b457.vbs"
        11⤵
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a9b5465-c655-465c-920f-cb807b55c474.vbs"
        9⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa18c70b-b1be-41f2-9ad3-2b80e39c7b7a.vbs"
        7⤵
        
        PID:2208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8291053c-76d3-47b2-a6ba-82a2c5703d0c.vbs"
        5⤵
        
        PID:1204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\791f30e8-ea9c-4da9-a511-d3618a9f6912.vbs"
    3⤵
    PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
1.7MB

MD5
f353006becdf7452f01e97183c501fd2

SHA1
a8d8b6bc1cb950be8cd64cfd97e2bab4f9161bcd

SHA256
2fa382ea232ff29e8a25f7d54fb4872ae408e59c734927b7a77d9e714d363a15

SHA512
aee6a6726d10c152f631026617a84f500d5e1c0b0941943d202e0fffbb49f7fc686893f6c92d0329efdad7b89b12dca1acde992fd3f0f4b14528daf8fa9bf8fa

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe

Filesize
1.7MB

MD5
707f4ad9209b26de91ddd3e1c7e652db

SHA1
53c2b889fff7f9b276262d4ef10d62bd5d738d52

SHA256
aa33b4e60f62c9af193617e8073b44c2bf09a6cec1b0eb461d80afe51267ff0c

SHA512
e520f2354269d33d3cd37374a5e3304c5e62926d09590e1687ee408ce124ee6a1641a3ba4eb51875095a327c31e099b8e7cd8a24335f08c667b9a3db5ebebdfb

Download Submit
C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe

Filesize
1.7MB

MD5
4f5bddd4b351754fe2373c04bce5125b

SHA1
5c0dde5052e482c95fdb40281e7de4d096cff8c0

SHA256
e9b183b70ba9b605c7fabdd61cd912c6bc5ec4f72ec8694cab3858729b5a9b4a

SHA512
1efa466b2cc08f1132741bb496ea5c0a2bbdcff376771993c51294a491fae421213ccbc4cadfc67a72fe16e43c12c3ed6444dd2f405bd3fcf7f6876811531d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\04c7c5cd-c1d5-414f-aad7-6e8f5d7f47fc.vbs

Filesize
749B

MD5
7e190e56b91780b4709e98271c40c186

SHA1
2d0933c54c4de59c46ec56f7e636df863cc4768d

SHA256
dee2d09a4357cf2b354f33c59cbdbd3b79c28f877b699efd6f54d54e437ae975

SHA512
ab8b41d25cdf721167ffafbd8192c28d6675290b7bd445a5d0bc6897a4c68c376bf0849ed6fd68ad45f98d14fc0776e28cbc5f63c9db1853cb5d9f52c80ad9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ade2008-a857-43f0-9587-4263fcee0b73.vbs

Filesize
749B

MD5
905ef5e6a31dddd7a454418fceb488a2

SHA1
8a73b84d2f98c4d8ae8d7ce9689b85c8c9cda70b

SHA256
a8b9ad9bc2d5d20034bd825dafe7943667abc9b40aa0f63b990fcd23ed6cb11f

SHA512
488ed7b7e4995c813a4e89ca420e4148ad5bb0fbb021f8dd3e58fcb7784241ff8ee18b61febd0339ac6dec8145ab4d2d42e26e154465111686bcbd7f3d791752

Download Submit
C:\Users\Admin\AppData\Local\Temp\23cba3a2-1e3e-4622-98b3-d9deb141cb1a.vbs

Filesize
748B

MD5
90525ef50f15f03e1fac08e8d8c1eecf

SHA1
c54482cf27d5d92b9e16ed0ef05b7d051128a592

SHA256
caa6481bcc46a3b8e326ea3298f006732bb35b6a05ce1acc40e17a05b3f5f9a1

SHA512
bf7cfbceabc4ddb0f505493fd45ced97817e391afe3e8edb23a9c24208ac3f601322461cd753d61063e9269d91ddc1558f10e6337ae42fee63d31ac458401b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f0cac45-77ac-44da-8ca5-1ef0fc27956c.vbs

Filesize
749B

MD5
643bc7ab6a143c172169af4826548e24

SHA1
8b18e0b768c0daf5b900f2752c8655b68c6857da

SHA256
dc5b30be3fe353c0374a417e9f78f2c50ca061f1ea3db3538cc7cbce4a59f9ad

SHA512
35722fdfdc3d2c4cb75f7999d010eeb94ed5cd93dc4966307db1159f97648f7e28995a1630375c0dfa7eab1f837ce76b43167754e951a508ffb403de3667a079

Download Submit
C:\Users\Admin\AppData\Local\Temp\544db85f-b02a-4c30-ae5a-0f05a9316849.vbs

Filesize
749B

MD5
77d2ddcefb01b9875eb00c2842c928a1

SHA1
d49e1f5f2d7fc97c9ca963ab0fb7dedc699b4aa1

SHA256
d3d0c156a70eabd80d05892fb58c2a1851302fad39adc74d1369f701307c5968

SHA512
623f32ca8e485a7e4c0e10babc00f69196a9e979990739e570c45a0546b30f8842b02d1881c201fa6aed02e947504a7cd2320f4a05ac4bf942cfdc5288a64767

Download Submit
C:\Users\Admin\AppData\Local\Temp\791f30e8-ea9c-4da9-a511-d3618a9f6912.vbs

Filesize
525B

MD5
b4b456f8108506a62f80b6198cec257e

SHA1
37b95d2faa30dcd5c18509929e23c22c20e044b0

SHA256
60cafdd9e84a9399150fa10f55581637ad2a99e179598a1bf97b8a96bff873d8

SHA512
b31cbfc3805caf460922448b7bfe729ffeae05e4bdee34c2e58e37d8930f4bd94f9eb46b5684160660ecb11940db6ecbbc3f378509baf7ed746aabb00a90bca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8044ee4a-9ed0-456b-86f5-6b1e5eb937cd.vbs

Filesize
749B

MD5
771af5e77530a5a3f846a58defa945d8

SHA1
2751945a94d0967f7f7eb6ee646fe0a7dacf3ece

SHA256
f1efe2cf316ca8b5dbc2dbd50c36f79a62dd915ceacea59742a23bbe3ad1ddeb

SHA512
10944909e253cb1d4943822e1d14cbbaf0a4a7da4c14c34c2e4d9be249e7c20c70bed666a3052e233b1093629ebe3f452aa0f7ea811ae80af91c846c0659f09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a736794f-0bfc-4474-a415-f33a5e1f31dc.vbs

Filesize
749B

MD5
76ac6a46ca7254311cc4cab07809cd2b

SHA1
9dd3eda75f501c57df1772cf56ee11ff0a471e13

SHA256
efaa73fa96a7b7ac520b9dc60878a68a6550bdfd4934e3bfe23844af657f30f8

SHA512
4912c504bb984d8438aa9ccb124e091897224ad9e7ddfb3b0c3f30df391eaa447032c162eccc479d212440807cb763249f910e1b9bdb9988cb1ce4f571b4e746

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3b3ecbd-c1f7-44c0-bb31-b83282fe6c1b.vbs

Filesize
749B

MD5
5fb07f856150fc81b510bad417f01192

SHA1
64fce4baa700e77f5e350bce957c346bd8609f18

SHA256
cb2783f3dd2d1a02a322c89076bb81fdccae247fb7a3ce7ddf74049db88a70b4

SHA512
ea93152ee081b2f34f6a8689d39ea6fb26921c19271e9118a899285fe1bbe93cde4ed25df3c78da050d6c53e2688c5f794762482678d64eaddfc1522e8614497

Download Submit
C:\Users\Admin\AppData\Local\Temp\c515c678-4b2e-4b82-b178-d3dc6b667d24.vbs

Filesize
748B

MD5
956bb56590f4bca52c9aabf06181add9

SHA1
3e371f74d53cc5ea473576008f90464b398da79d

SHA256
a830bba5b36facd774ee0adf07dccdf7edcf4721c9dda93a7bbd93480da37efc

SHA512
2836ed96b7500d2a0641126fb6d43c8ffcd9dde31f9f97cee08f7a9290ba6056f008f108413c779b1c06534b972dc709aaf8b2d4ba7bfe32289e47c0b6c81e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\f088c10b-1ad8-4ce4-9da2-0702912e4320.vbs

Filesize
749B

MD5
441d43acfe70b04e172f83ffb1333081

SHA1
ac287f68c7fa7716137c535f1be6d7912e393c38

SHA256
5f6376b10f79b59e8092e6d9896fb28b9d26b9366c0f813e117790823b6c2070

SHA512
0895db7299d494b010eddd0c6050093f8709f3276a14a2ccb741fa6c6b87fdaeed5a231874080fc120da123a1f89ed6724a9237f5aff469b44bc9ad98b4705c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae62de1653fe8c43382c34d088c63daf

SHA1
1d4a77eb9e936da4593683e328db43947dc756bd

SHA256
ef27c253f8e92a830d3b6107058b8d40912b900d2f831c3ca529b3b0844bd8a6

SHA512
570c82e6d459b02a684eb33dece15564a1cf779a86a4eb8af0d5cf2fd2f218c63a8c9989a670237dbf8b9211f19ea7763038d5dece0538c084fcc66ceaac3a6c

Download Submit
memory/948-116-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/948-117-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1140-186-0x0000000001310000-0x00000000014D0000-memory.dmp

Filesize
1.8MB

Download
memory/1476-175-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/1476-173-0x0000000001110000-0x00000000012D0000-memory.dmp

Filesize
1.8MB

Download
memory/1568-281-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/1568-280-0x00000000012F0000-0x00000000014B0000-memory.dmp

Filesize
1.8MB

Download
memory/1904-221-0x0000000000140000-0x0000000000300000-memory.dmp

Filesize
1.8MB

Download
memory/2424-268-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2424-267-0x0000000000010000-0x00000000001D0000-memory.dmp

Filesize
1.8MB

Download
memory/2688-9-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2688-13-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/2688-12-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2688-11-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2688-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/2688-17-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2688-174-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-8-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2688-7-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2688-20-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-6-0x00000000004E0000-0x00000000004F6000-memory.dmp

Filesize
88KB

Download
memory/2688-1-0x0000000001360000-0x0000000001520000-memory.dmp

Filesize
1.8MB

Download
memory/2688-5-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2688-4-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2688-3-0x0000000000410000-0x000000000042C000-memory.dmp

Filesize
112KB

Download
memory/2688-14-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download
memory/2688-15-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2688-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-16-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/2896-198-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/3040-233-0x0000000001220000-0x00000000013E0000-memory.dmp

Filesize
1.8MB

Download