dcrat | f08d555b265bc840ef4d7904f37de7886b276d3b2f85180bb63b0e29445e02b1

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c870e41803c86f574d467de03b94d3a5.exe
Size

1.6MB
MD5

c870e41803c86f574d467de03b94d3a5
SHA1

400b9e869b220989490c27fde0cfab9870cf5bc9
SHA256

f1967d6c082848ffbdf221a89f81eb9755ac78c924bd642ddab409969e81a37a
SHA512

9cc4b7d1d438a0a06acb3edd0fa0f9b1fb96ef291637bc6e146d0ece96225063d277eed8b8ce560b467d65df009a9b0d35f1bcf2448b2a58f098157d495bfe4a
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral13/memory/2136-1-0x0000000000D10000-0x0000000000EB2000-memory.dmp	dcrat
behavioral13/files/0x000500000001a518-56.dat	dcrat
behavioral13/files/0x0005000000019fbc-25.dat	dcrat
behavioral13/files/0x000a000000019d3d-172.dat	dcrat
behavioral13/memory/1540-277-0x0000000000A30000-0x0000000000BD2000-memory.dmp	dcrat
behavioral13/memory/1428-289-0x0000000000070000-0x0000000000212000-memory.dmp	dcrat
behavioral13/memory/1976-301-0x0000000000380000-0x0000000000522000-memory.dmp	dcrat
behavioral13/memory/2008-313-0x0000000000BD0000-0x0000000000D72000-memory.dmp	dcrat
behavioral13/memory/2940-336-0x0000000000E60000-0x0000000001002000-memory.dmp	dcrat
behavioral13/memory/2376-381-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat
behavioral13/memory/2524-393-0x0000000000800000-0x00000000009A2000-memory.dmp	dcrat
behavioral13/memory/1632-405-0x0000000000270000-0x0000000000412000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2436	powershell.exe
1572	powershell.exe
768	powershell.exe
1880	powershell.exe
1636	powershell.exe
2228	powershell.exe
2428	powershell.exe
2008	powershell.exe
2852	powershell.exe
2512	powershell.exe
2332	powershell.exe
1784	powershell.exe
2672	powershell.exe
2708	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1540	System.exe
1428	System.exe
1976	System.exe
2008	System.exe
2160	System.exe
2940	System.exe
3056	System.exe
1916	System.exe
2364	System.exe
2376	System.exe
2524	System.exe
1632	System.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXFD1B.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\27d1bcfc3c54e0	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\6cb0b6c459d5d3	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\smss.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\69ddcba757bf72	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXEE1F.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXFCAD.tmp	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Uninstall Information\explorer.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\c5b4cb5e9653cc	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXF228.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCXF229.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXF8A4.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX124.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCX125.tmp	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Uninstall Information\7a0fd90576e088	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\smss.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXEE1E.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\explorer.exe	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXF8A5.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	c870e41803c86f574d467de03b94d3a5.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Media\taskhost.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Windows\TAPI\csrss.exe	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\Media\RCXE93B.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\Media\taskhost.exe	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\TAPI\RCXEBAC.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\TAPI\RCXEBAD.tmp	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\TAPI\csrss.exe	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Windows\Media\b75386f1303e64	c870e41803c86f574d467de03b94d3a5.exe
File created	C:\Windows\TAPI\886983d96e3d3e	c870e41803c86f574d467de03b94d3a5.exe
File opened for modification	C:\Windows\Media\RCXE93A.tmp	c870e41803c86f574d467de03b94d3a5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1568	schtasks.exe
2276	schtasks.exe
1944	schtasks.exe
2536	schtasks.exe
2772	schtasks.exe
2748	schtasks.exe
1948	schtasks.exe
776	schtasks.exe
712	schtasks.exe
2824	schtasks.exe
2556	schtasks.exe
2868	schtasks.exe
1640	schtasks.exe
1292	schtasks.exe
1400	schtasks.exe
1964	schtasks.exe
1656	schtasks.exe
2568	schtasks.exe
2612	schtasks.exe
2640	schtasks.exe
2068	schtasks.exe
1048	schtasks.exe
540	schtasks.exe
2092	schtasks.exe
2844	schtasks.exe
1524	schtasks.exe
2080	schtasks.exe
2060	schtasks.exe
2672	schtasks.exe
680	schtasks.exe
1940	schtasks.exe
1588	schtasks.exe
872	schtasks.exe
444	schtasks.exe
3044	schtasks.exe
2360	schtasks.exe
2924	schtasks.exe
2588	schtasks.exe
2036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2136	c870e41803c86f574d467de03b94d3a5.exe
2136	c870e41803c86f574d467de03b94d3a5.exe
2136	c870e41803c86f574d467de03b94d3a5.exe
2136	c870e41803c86f574d467de03b94d3a5.exe
2136	c870e41803c86f574d467de03b94d3a5.exe
2136	c870e41803c86f574d467de03b94d3a5.exe
2136	c870e41803c86f574d467de03b94d3a5.exe
2136	c870e41803c86f574d467de03b94d3a5.exe
2136	c870e41803c86f574d467de03b94d3a5.exe
2708	powershell.exe
2428	powershell.exe
2008	powershell.exe
2852	powershell.exe
2228	powershell.exe
2672	powershell.exe
1784	powershell.exe
1636	powershell.exe
1880	powershell.exe
2436	powershell.exe
768	powershell.exe
2332	powershell.exe
2512	powershell.exe
1572	powershell.exe
1540	System.exe
1428	System.exe
1976	System.exe
2008	System.exe
2160	System.exe
2940	System.exe
3056	System.exe
1916	System.exe
2364	System.exe
2376	System.exe
2524	System.exe
1632	System.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	c870e41803c86f574d467de03b94d3a5.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1540	System.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1428	System.exe
Token: SeDebugPrivilege	1976	System.exe
Token: SeDebugPrivilege	2008	System.exe
Token: SeDebugPrivilege	2160	System.exe
Token: SeDebugPrivilege	2940	System.exe
Token: SeDebugPrivilege	3056	System.exe
Token: SeDebugPrivilege	1916	System.exe
Token: SeDebugPrivilege	2364	System.exe
Token: SeDebugPrivilege	2376	System.exe
Token: SeDebugPrivilege	2524	System.exe
Token: SeDebugPrivilege	1632	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2332	2136	c870e41803c86f574d467de03b94d3a5.exe	71
PID 2136 wrote to memory of 2332	2136	c870e41803c86f574d467de03b94d3a5.exe	71
PID 2136 wrote to memory of 2332	2136	c870e41803c86f574d467de03b94d3a5.exe	71
PID 2136 wrote to memory of 2512	2136	c870e41803c86f574d467de03b94d3a5.exe	72
PID 2136 wrote to memory of 2512	2136	c870e41803c86f574d467de03b94d3a5.exe	72
PID 2136 wrote to memory of 2512	2136	c870e41803c86f574d467de03b94d3a5.exe	72
PID 2136 wrote to memory of 1636	2136	c870e41803c86f574d467de03b94d3a5.exe	73
PID 2136 wrote to memory of 1636	2136	c870e41803c86f574d467de03b94d3a5.exe	73
PID 2136 wrote to memory of 1636	2136	c870e41803c86f574d467de03b94d3a5.exe	73
PID 2136 wrote to memory of 2852	2136	c870e41803c86f574d467de03b94d3a5.exe	74
PID 2136 wrote to memory of 2852	2136	c870e41803c86f574d467de03b94d3a5.exe	74
PID 2136 wrote to memory of 2852	2136	c870e41803c86f574d467de03b94d3a5.exe	74
PID 2136 wrote to memory of 1880	2136	c870e41803c86f574d467de03b94d3a5.exe	75
PID 2136 wrote to memory of 1880	2136	c870e41803c86f574d467de03b94d3a5.exe	75
PID 2136 wrote to memory of 1880	2136	c870e41803c86f574d467de03b94d3a5.exe	75
PID 2136 wrote to memory of 768	2136	c870e41803c86f574d467de03b94d3a5.exe	77
PID 2136 wrote to memory of 768	2136	c870e41803c86f574d467de03b94d3a5.exe	77
PID 2136 wrote to memory of 768	2136	c870e41803c86f574d467de03b94d3a5.exe	77
PID 2136 wrote to memory of 2008	2136	c870e41803c86f574d467de03b94d3a5.exe	108
PID 2136 wrote to memory of 2008	2136	c870e41803c86f574d467de03b94d3a5.exe	108
PID 2136 wrote to memory of 2008	2136	c870e41803c86f574d467de03b94d3a5.exe	108
PID 2136 wrote to memory of 2428	2136	c870e41803c86f574d467de03b94d3a5.exe	80
PID 2136 wrote to memory of 2428	2136	c870e41803c86f574d467de03b94d3a5.exe	80
PID 2136 wrote to memory of 2428	2136	c870e41803c86f574d467de03b94d3a5.exe	80
PID 2136 wrote to memory of 1572	2136	c870e41803c86f574d467de03b94d3a5.exe	81
PID 2136 wrote to memory of 1572	2136	c870e41803c86f574d467de03b94d3a5.exe	81
PID 2136 wrote to memory of 1572	2136	c870e41803c86f574d467de03b94d3a5.exe	81
PID 2136 wrote to memory of 2436	2136	c870e41803c86f574d467de03b94d3a5.exe	83
PID 2136 wrote to memory of 2436	2136	c870e41803c86f574d467de03b94d3a5.exe	83
PID 2136 wrote to memory of 2436	2136	c870e41803c86f574d467de03b94d3a5.exe	83
PID 2136 wrote to memory of 2228	2136	c870e41803c86f574d467de03b94d3a5.exe	85
PID 2136 wrote to memory of 2228	2136	c870e41803c86f574d467de03b94d3a5.exe	85
PID 2136 wrote to memory of 2228	2136	c870e41803c86f574d467de03b94d3a5.exe	85
PID 2136 wrote to memory of 2708	2136	c870e41803c86f574d467de03b94d3a5.exe	86
PID 2136 wrote to memory of 2708	2136	c870e41803c86f574d467de03b94d3a5.exe	86
PID 2136 wrote to memory of 2708	2136	c870e41803c86f574d467de03b94d3a5.exe	86
PID 2136 wrote to memory of 2672	2136	c870e41803c86f574d467de03b94d3a5.exe	87
PID 2136 wrote to memory of 2672	2136	c870e41803c86f574d467de03b94d3a5.exe	87
PID 2136 wrote to memory of 2672	2136	c870e41803c86f574d467de03b94d3a5.exe	87
PID 2136 wrote to memory of 1784	2136	c870e41803c86f574d467de03b94d3a5.exe	110
PID 2136 wrote to memory of 1784	2136	c870e41803c86f574d467de03b94d3a5.exe	110
PID 2136 wrote to memory of 1784	2136	c870e41803c86f574d467de03b94d3a5.exe	110
PID 2136 wrote to memory of 1540	2136	c870e41803c86f574d467de03b94d3a5.exe	99
PID 2136 wrote to memory of 1540	2136	c870e41803c86f574d467de03b94d3a5.exe	99
PID 2136 wrote to memory of 1540	2136	c870e41803c86f574d467de03b94d3a5.exe	99
PID 1540 wrote to memory of 1484	1540	System.exe	100
PID 1540 wrote to memory of 1484	1540	System.exe	100
PID 1540 wrote to memory of 1484	1540	System.exe	100
PID 1540 wrote to memory of 2432	1540	System.exe	101
PID 1540 wrote to memory of 2432	1540	System.exe	101
PID 1540 wrote to memory of 2432	1540	System.exe	101
PID 1484 wrote to memory of 1428	1484	WScript.exe	102
PID 1484 wrote to memory of 1428	1484	WScript.exe	102
PID 1484 wrote to memory of 1428	1484	WScript.exe	102
PID 1428 wrote to memory of 2976	1428	System.exe	103
PID 1428 wrote to memory of 2976	1428	System.exe	103
PID 1428 wrote to memory of 2976	1428	System.exe	103
PID 1428 wrote to memory of 2360	1428	System.exe	104
PID 1428 wrote to memory of 2360	1428	System.exe	104
PID 1428 wrote to memory of 2360	1428	System.exe	104
PID 2976 wrote to memory of 1976	2976	WScript.exe	105
PID 2976 wrote to memory of 1976	2976	WScript.exe	105
PID 2976 wrote to memory of 1976	2976	WScript.exe	105
PID 1976 wrote to memory of 2748	1976	System.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c870e41803c86f574d467de03b94d3a5.exe
"C:\Users\Admin\AppData\Local\Temp\c870e41803c86f574d467de03b94d3a5.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c870e41803c86f574d467de03b94d3a5.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
  "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529eb5e7-510d-498f-bba5-8b59c15f76c3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
      C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40beae4c-7798-4e6b-94ab-e23619a47421.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c5a3443-c8bf-43c9-8816-f2881c076a8b.vbs"
        7⤵
        
        PID:2748
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ecd43b6-08d3-4722-b895-aabc024786db.vbs"
        9⤵
        
        PID:2864
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\269768b6-1f2c-4ee7-8884-8eec5466098e.vbs"
        11⤵
        
        PID:2904
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\817a38dd-30f3-4842-a20c-a0264ff794a9.vbs"
        13⤵
        
        PID:1584
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8581a33d-ccc2-4fb2-8c8f-1a19ff7018bd.vbs"
        15⤵
        
        PID:1260
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2290957a-0f53-4fd3-8291-2bf0a24ed50b.vbs"
        17⤵
        
        PID:1628
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e44e476f-0022-4641-b8de-30ea36759cb9.vbs"
        19⤵
        
        PID:2476
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1181b759-0dbd-4258-b018-3256fdb39b21.vbs"
        21⤵
        
        PID:2532
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0f5fc68-5e50-48c6-9187-3779dcef2431.vbs"
        23⤵
        
        PID:1940
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df2a63c7-16ac-41bd-b38f-0dd233538827.vbs"
        25⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0beb14e-714c-4afb-9446-273900a6ee6f.vbs"
        25⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\988bc2dd-c2ef-4413-8064-a9c81930f198.vbs"
        23⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d32abd49-55b4-4da7-af12-70c90fc46711.vbs"
        21⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82150c86-10fd-446a-b1c1-9f3a91ac6743.vbs"
        19⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\325b103e-8d1a-4ddb-9d5d-9d916c641ba6.vbs"
        17⤵
        
        PID:484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86ee93f7-d0de-4821-a8ba-cccb88fab09f.vbs"
        15⤵
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad714636-8410-4d7e-894d-7e430d1f9f26.vbs"
        13⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09c55836-fc7a-4e29-a7d7-3dfe8a25719b.vbs"
        11⤵
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56cc0c5e-b6e0-420f-80dc-83738eb60f8b.vbs"
        9⤵
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ccadf5c-2962-4466-a564-26b6cb859a52.vbs"
        7⤵
        
        PID:2868
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab1d6f3c-f483-4450-9677-e80bac3c8394.vbs"
        5⤵
        
        PID:2360
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cf26a6d-5323-49f4-9438-0777fbd66f27.vbs"
    3⤵
    PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Media\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe

Filesize
1.6MB

MD5
2ae5a3977765220c24626e3f35d0ba1e

SHA1
253f8ca32fe815875fde2beff39bbafff292e3f0

SHA256
50449862d42f8b004e50066750c26d5ed8036a5e8e2396e17c2dd8cefd7094e0

SHA512
5a41579ca1d30889620aa436eac81d7635f92202ead94edce425df59d86e83ad945b2621b2b0b9525bac0521683d4f5c4a86f286bb156e6da46370ff33a439bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1181b759-0dbd-4258-b018-3256fdb39b21.vbs

Filesize
735B

MD5
33267ea353e92ec7f7abf286f281d5d5

SHA1
1cff7104cb82203c5a7c47dfb73e655630559cc7

SHA256
3326c6070bd192e6fc790729775cdf1c998a3c0a7ceebf9456366b7774a65d6d

SHA512
7a62fef63015a0a2e7d0631925d06146e8ac4ff1921210e0453021d4a426e5467a238066e13274a9c50ee90329ca3cf077ba6f618643e8c092b2f8cd726bcc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\2290957a-0f53-4fd3-8291-2bf0a24ed50b.vbs

Filesize
735B

MD5
4160950a7bcbdce5b59aae6341f442d2

SHA1
0290f2f187d9f313a75fb3f6a32ce103d65214cc

SHA256
df9b5aca8dbd3a3f877525e7bada00002adda1a3052f10b9380062baa010e4b7

SHA512
e55601e59e15fa8aeef6943fbf5795a41b2e2d439f58d9820513c89b4437395906f992eb8da35ec5bd3c670d8b050fa512bf2ea6b8d0b3eee29ac2c21f7a72b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\269768b6-1f2c-4ee7-8884-8eec5466098e.vbs

Filesize
735B

MD5
3dd2de03024db388d0141daf45790408

SHA1
b386819cf1c38b20b1701e2bfd335e0190bbbada

SHA256
a8542a64334681b56835f2758aab5f022dc796f60f160a0b0a3542d904cdad57

SHA512
8a4b8f12b539a85743d4da2f1ab1cee33b793169bb90d71234731328ca4d8d0206c1ea68bb86443ae261ffe40c8ed6bf7af860692cfcb2fa8ef666a958994196

Download Submit
C:\Users\Admin\AppData\Local\Temp\40beae4c-7798-4e6b-94ab-e23619a47421.vbs

Filesize
735B

MD5
d8c26c8e9ebbeca750fd3cb46ce1ff02

SHA1
e866146c6a3f6fe7d3b3af7d7b3b409f4f2677d8

SHA256
c649e746d25780c04e345671ddd8ed3d8e8d9941ac40b6fa227968b0e38496c3

SHA512
6df60cffe8e396b6182e2000bc84218f32c8c64f32a49c538dbf75973b903f657b106280a86076601bd66f78c03900142a63cc8df42ea60f5a894258c57cbd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ecd43b6-08d3-4722-b895-aabc024786db.vbs

Filesize
735B

MD5
217c854642d48e6ef995df64bbde0cdb

SHA1
ceb99a5e7386b55adb56b78cf79ec50881b0d971

SHA256
1bd8841354231554d541885eab33a9ce10fc52958b19019b793ef4e485555b48

SHA512
f26ddaa221303df9338c68dd453759bcda08e4036df49abbc81ed88b6b534204518df86dabe34426d2f2358de563f3fb89b8dfd51811d043ddf7d7a90370cc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\529eb5e7-510d-498f-bba5-8b59c15f76c3.vbs

Filesize
735B

MD5
d6105fec35077adc6f13435a8ecdd0d3

SHA1
b8ed2934aec6bdfb5f9f2e1c2498171b34a96e63

SHA256
f9a5c8d4181aed545c10393e11e9e2c50d13e4282625e7cc6435800579885626

SHA512
86e3050ac76e7b63335857665f767256d88dd66dcb93a49ac5eeccbea4cee4c6015460f1186c7b56ce6a5162c45a29cefe6a6a25dceb5776b61af893333e5930

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cf26a6d-5323-49f4-9438-0777fbd66f27.vbs

Filesize
511B

MD5
07a6146248cca022a393c1f08bbb2f65

SHA1
1c769b69f409d504a7fe9b966c1fa5960b9657ff

SHA256
eda0936a973910655ea618baec6fdec8ab1d7248371c85b63d90f6b36ed3dfb3

SHA512
6dd60d15d81e9e25088a8001712543cf0d980f848c7d0d52a516250a34bb57138c292f6ff210fb7d60bcdcc060eb46bdc2c8424fcec9987e3dfcb72a604df392

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c5a3443-c8bf-43c9-8816-f2881c076a8b.vbs

Filesize
735B

MD5
b6778cb449091353012714cdc59a8776

SHA1
ac3e0d4f2d43b8d89917fcdf284a5202951dda57

SHA256
3da44e9523c585b3c44b4de02f4d45b9e6d2ec18610d6841140750218c7c0f02

SHA512
f18b5cca45bb8aa96a57c0081cd68bd5779cc33a99297ba3557b4c7cf3b43847882d49bebb9c1dd2d02871c7d3da7bf13049f494877b043439806ed94228adeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\817a38dd-30f3-4842-a20c-a0264ff794a9.vbs

Filesize
735B

MD5
08146ce8529af59507f79eaa0ea04279

SHA1
f9317f5ba6e3386607239f7f89311a7ed9237d84

SHA256
f26bc40a7a0f42ed681cc3641b87e31ad780bb283cbac71b3e9b032b31e8beb8

SHA512
1462b9331ced4422f364c4f59d93f0b07955037652aee42fe844ccb9444f516e1acc126917c6742fa2b8b1240a7351c73ab8d6ecf7a0378475486a188e4ac10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8581a33d-ccc2-4fb2-8c8f-1a19ff7018bd.vbs

Filesize
735B

MD5
8a2babea6023579d011640cbf5569e96

SHA1
6af33bb79f19e03432667280ac9c107af3a0eb38

SHA256
b3791e449148fc533e90460e81d65fa846d0b51339f46f2fbaa78596e3340185

SHA512
b9b361ce11653b9bdd94e9aa269a281dd449d88e02f1de46e4e3bc9efece33a77c4d7093fe89cc86ddc12c85d06d70606ca73c06f13512e1b4a8feceb05bbc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0f5fc68-5e50-48c6-9187-3779dcef2431.vbs

Filesize
735B

MD5
377f0878c5bdfc38ec12a32541073adf

SHA1
37215b2cb704491e58e38bddc37cac7042474c5a

SHA256
2fd6339cf731eb44b859d8370028adbf3a0e2ab1fef885f2aec6888c8294fec7

SHA512
87f03e2177ef6636e8fbca63f388d3b5b542c305829cebef31c1f4d4d8cfecd7d41da50b7574790c19ff008631c32e4816e7439d0f776f5dc666c52ddb74a153

Download Submit
C:\Users\Admin\AppData\Local\Temp\df2a63c7-16ac-41bd-b38f-0dd233538827.vbs

Filesize
735B

MD5
d9669151fb6d020b95d177f723e20144

SHA1
5c5856a2c9591ceb114c135bea18c21c56c9e2fc

SHA256
12c8629312c0f887df773dd26357ca3f261a5675df1e1febe03d47b6b0765f10

SHA512
b4907ae91bf7fb1064f52de4422baa1185b054abafb81e40c96c49bdce0f3f949d17cb3b5305e22069b3c5f01dfa446d9527d2b3bedf7b67172e582967dde22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e44e476f-0022-4641-b8de-30ea36759cb9.vbs

Filesize
735B

MD5
e1618238a01399f6ece35ae124e8f399

SHA1
51e66e90efa21de5cc274a47be63880366fe4cb8

SHA256
2abc5a4b6cd191632e50e81aa1dc45d2986effb94f9f8c40909c882a449ddfe3

SHA512
4469d008405132dcdacbe24fe3d9337994161dd2cd3711226fec763b5be69fbeac1882f4f08edfcce5f30d41ed964d07bafe511e7219cd8144f9776b07c86be5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4a2bab2186b13ba91e7de76688607b7a

SHA1
763080e779667a243ef87954f71454e7c39bd09b

SHA256
0a64c9702ce66d5fb4488c699a33e17302ba39a80495454253ab2b013261cf87

SHA512
23e685fbac6598d446a1929ce8fcadba22bad84ddf28e9f75b624705ddb89879b3e4ebcc672b90e49f9e29f9d99c41d67a0a5e9d7c3999d0dbc1dac0de83ed61

Download Submit
C:\Users\Admin\Pictures\csrss.exe

Filesize
1.6MB

MD5
c870e41803c86f574d467de03b94d3a5

SHA1
400b9e869b220989490c27fde0cfab9870cf5bc9

SHA256
f1967d6c082848ffbdf221a89f81eb9755ac78c924bd642ddab409969e81a37a

SHA512
9cc4b7d1d438a0a06acb3edd0fa0f9b1fb96ef291637bc6e146d0ece96225063d277eed8b8ce560b467d65df009a9b0d35f1bcf2448b2a58f098157d495bfe4a

Download Submit
C:\Users\Admin\taskhost.exe

Filesize
1.6MB

MD5
02a265afdb3fc3025ae4e5c4caffad57

SHA1
4fe1381fd8721c22c29c99e9b91baef86f3a7a33

SHA256
cbec9883968458871cd54f1edbd3d2f6f1f8c298352b7171fc8a070549e9cdda

SHA512
4fa351959844162cc4edbdd196c5dc801a39b7bc4afd4a33d43cef4e4fced654c73363052bbd5ca1b01bf7d58e5d14da1e0bee0a8654dace9eb452857c464213

Download Submit
memory/1428-289-0x0000000000070000-0x0000000000212000-memory.dmp

Filesize
1.6MB

Download
memory/1540-277-0x0000000000A30000-0x0000000000BD2000-memory.dmp

Filesize
1.6MB

Download
memory/1632-405-0x0000000000270000-0x0000000000412000-memory.dmp

Filesize
1.6MB

Download
memory/1976-301-0x0000000000380000-0x0000000000522000-memory.dmp

Filesize
1.6MB

Download
memory/2008-313-0x0000000000BD0000-0x0000000000D72000-memory.dmp

Filesize
1.6MB

Download
memory/2136-16-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2136-12-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2136-1-0x0000000000D10000-0x0000000000EB2000-memory.dmp

Filesize
1.6MB

Download
memory/2136-5-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2136-6-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2136-8-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2136-9-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2136-10-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2136-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2136-11-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2136-245-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2136-278-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-13-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2136-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-14-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2136-3-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2136-15-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/2136-7-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2136-4-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2376-381-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download
memory/2524-393-0x0000000000800000-0x00000000009A2000-memory.dmp

Filesize
1.6MB

Download
memory/2708-215-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2708-216-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2940-336-0x0000000000E60000-0x0000000001002000-memory.dmp

Filesize
1.6MB

Download