Overview

overview

10

Static

static

10

0db13d5a3f...2N.exe

windows7-x64

10

0db13d5a3f...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2025 10:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N.exe

  • Size

    1.7MB

  • MD5

    41ab31f7992973414712ec5526c1fc70

  • SHA1

    bd1eb2471b1a16ef2e2bc29571c98b670de563f3

  • SHA256

    0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012

  • SHA512

    f3d90be2a0fbb838fbaf222ec6d64db5597e8104d53f863e0240cb8fd5bf72fb7f3c3d072b37e91967f80f4c298c295886eff89fd7b9831bbf8f2bc6d7120960

  • SSDEEP

    49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score
10/10
dcratexecutioninfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N.exe
    "C:\Users\Admin\AppData\Local\Temp\0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHZBPNi6aG.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2484
        • C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe
          "C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b18b173b-c4f6-4315-b3b7-56103a754604.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe
              "C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2176
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eecb393-d38b-4b47-a7af-cd085ca93ec0.vbs"
                6⤵
                  PID:1708
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fa74715-4fb5-4105-88fc-b32051eaf7da.vbs"
                  6⤵
                    PID:2564
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38e39b95-dd16-4ecb-bb0d-01e03264d9bb.vbs"
                4⤵
                  PID:2712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2752
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2684
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2668
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2576
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2688
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N0" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1304
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N0" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012N.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2220
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2248
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:844
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2896
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2772
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2300
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\WmiPrvSE.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2452
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1836
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1984
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\WMIADAP.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\WMIADAP.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1776
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\WMIADAP.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2924
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\en-US\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1160
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:892
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3048
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1488
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1616
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\ja-JP\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1124
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:664
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1316
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:904
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:296

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
            Filesize

            1.7MB

            MD5

            41ab31f7992973414712ec5526c1fc70

            SHA1

            bd1eb2471b1a16ef2e2bc29571c98b670de563f3

            SHA256

            0db13d5a3f1aa341822454bf1d807a06240479a15513185097217bdaf5f8b012

            SHA512

            f3d90be2a0fbb838fbaf222ec6d64db5597e8104d53f863e0240cb8fd5bf72fb7f3c3d072b37e91967f80f4c298c295886eff89fd7b9831bbf8f2bc6d7120960

            Download Submit

          • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
            Filesize

            1.7MB

            MD5

            49c85a5251c1f5db5183c52902b3c117

            SHA1

            4c07c204de6e0d4b852679414b145bfa935d0667

            SHA256

            c756d3eb09bc009f8078a8b765a685ad19a46a28131492f6cdd84d7867651ce2

            SHA512

            5515f82d3c878ef98d797cb4981d0bc2cbbd1404b4399d3da61f02dc22b255aaf7f8475ac7498f59777d64770cd467fc534b08392e3b1885a6b8f57383af0c6d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\1eecb393-d38b-4b47-a7af-cd085ca93ec0.vbs
            Filesize

            732B

            MD5

            8adbeac67c0352482605c324b3e882fc

            SHA1

            6c7bfc90ebb2a755682f87192bfdd37abc2f4da6

            SHA256

            ecc5f297e568b065d5f19e2f601945c967ecf2cd05f468464f206d85ca000060

            SHA512

            158a2e9bc098346e974af4932864f5ba0c7341098324977dd22a5cfc25f9d3833979dd0a0a89d3bac038ead87b4a685ba1f7c312059e854d030a9f8a484ccfad

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\38e39b95-dd16-4ecb-bb0d-01e03264d9bb.vbs
            Filesize

            508B

            MD5

            c8b83927d56e24bb31c0de1bc20121cc

            SHA1

            c00b630d708a73790f5fc284b6e4a008fe6ec3fe

            SHA256

            faa7e217aeda13b28923fce17d51edb74d708b6c85bdfccc7e5ad67905722cfa

            SHA512

            d1b7e5faeea2ce1614eaed8432742fa7ead62b719d0dd071dd325c309aa7417fdcf770c22edff75987c0c1c0d0c111bdd5693fe824b1bf6e5fb57912ad8aa1c6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\BHZBPNi6aG.bat
            Filesize

            221B

            MD5

            7045fc0eef5c40d76b8a9db79ebc26f1

            SHA1

            b358f469817abba9c8ab1449c1e49b0adff5ffcf

            SHA256

            bdf1e535daad5abe3f4722f841dce7db14e7c1ed116697aabf20fc640bf0a72d

            SHA512

            e0d7850c8592a5e6854d6b5ea19496c6f85794eae8f330cbec12ef8d353d9bf5c4924ba75ba55666aa1553258343c64fd1adfa0734a8c60a88a0a58b51322731

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\b18b173b-c4f6-4315-b3b7-56103a754604.vbs
            Filesize

            732B

            MD5

            6c6d9877c3d6b29ce5b873aecbb3e7c1

            SHA1

            829e3a86f3d906b860d6dace27955c854b2f1ec9

            SHA256

            b856a2ed5007b2d2ba307d01bc844002dacf2612ab78d0dd4a06c48fa10e2017

            SHA512

            cfeed9e258c2291413dee2b3d76b61fcfe173caa6f97d7aa1cde49ff1c673e12451335a807658a9f06a885f162b0063819876e2088d731029fcbd0fd1137d47f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
            Filesize

            7KB

            MD5

            b036951fc518ecf218deb64120dfcee7

            SHA1

            538d0def943bcbb86c707a152b6885afe285da04

            SHA256

            23133d28f40c0a66d00e840265a14f37967762df72c0947da9e34eb96c70e148

            SHA512

            bb52feaa782e17641b70b077fec2403e6e73d38662885bfe99cecde48d322a42912ffa1ffc0a5ace8749b62b08f24aafa2208d67ef816d0a7391118f8ceba5ee

            Download Submit

          • C:\Users\Public\Libraries\WmiPrvSE.exe
            Filesize

            1.7MB

            MD5

            d4c4fbad0ea4c39260010d502a8bd109

            SHA1

            818a422e8d3e890444aea0e35523a1476dd23ca4

            SHA256

            6c9b4070c92f1f3bd53a377ad2ebe75531691792a993359ddec9ab09ea7eacbb

            SHA512

            2646ce6a291eef921480b96146961a02fce866928dc56585c22d7b23d6020f6c3f9b2a2bc139b19b57ee16e2f0a8bdf3e3283e22fb73306c6e92030def46b392

            Download Submit

          • C:\Users\Public\Videos\WMIADAP.exe
            Filesize

            1.7MB

            MD5

            bca9e192dd319bb3ab1a2a25320aa1df

            SHA1

            9be6d920db9e0467fd7e5b020e3a56cc3fde0200

            SHA256

            3828ddef4c3a37f0176b5b6e68bc8d3a5585e872218a5830a40b4a4e1ab0ae5d

            SHA512

            c044d168347c90103d18978972a42ecde9081859e0ed934701ffa517270fd8a2f8adcbdbdf05dc3043441a6dc7ec0013c61f6d51b7350e12e4d160fe8191f4c5

            Download Submit

          • C:\Windows\en-US\taskhost.exe
            Filesize

            1.7MB

            MD5

            cc8cffdde64925ca9bdfadfdbc49d2f4

            SHA1

            2a9f3a473c2e8c14caba7a3dee239ed9dfc102c0

            SHA256

            0b74a2ad56740a214dc74950045c55f3f3a5b969a9cc2e1bce08e173e44d7caf

            SHA512

            20af2f88936f28b2f6c12f5f87b3e3ceabfe25395101e9b264bb83faf169f9b1282d48fd65b58bb8931a71ebddb0f3768a8d430e532e52fe6541ecf43a1255e5

            Download Submit

          • memory/2348-17-0x000000001ABF0000-0x000000001ABFC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2348-176-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2348-14-0x000000001ABC0000-0x000000001ABCE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2348-13-0x000000001AC00000-0x000000001AC0A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2348-15-0x000000001ABD0000-0x000000001ABD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2348-16-0x000000001ABE0000-0x000000001ABEC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2348-0-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2348-20-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2348-11-0x000000001AB80000-0x000000001AB92000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2348-9-0x000000001AB70000-0x000000001AB78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2348-8-0x000000001AB60000-0x000000001AB6C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2348-7-0x00000000020F0000-0x0000000002100000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2348-6-0x00000000020D0000-0x00000000020E6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2348-12-0x000000001ABB0000-0x000000001ABBC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2348-199-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2348-5-0x0000000000690000-0x00000000006A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2348-1-0x0000000000200000-0x00000000003C0000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2348-2-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2348-212-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2348-4-0x0000000000510000-0x0000000000518000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2348-3-0x00000000020B0000-0x00000000020CC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2584-210-0x000000001B660000-0x000000001B942000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2584-211-0x0000000001BE0000-0x0000000001BE8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2708-271-0x00000000004D0000-0x00000000004E2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2708-270-0x00000000011B0000-0x0000000001370000-memory.dmp

            Filesize

            1.8MB

            Download