dcrat | 249f9bd035685660ae45fc4138334e744c30ce7e1038c140a98529b90c4270c5

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de7c6ded508e6b46e7f6b385572c426f.exe
Size

885KB
MD5

de7c6ded508e6b46e7f6b385572c426f
SHA1

13cb214fcfaca4c85c59c002ea2769d8db3fccc0
SHA256

aa8cbabea544c7e766f4a2096cf7aa8ebc23e4677812b23910524d0a089d2502
SHA512

c98b77f486f1d0c607eab5b9776dbbd1fc97581e313302d03cc9b18cf5af53196cc280503acdb8c91cd7a44906001bb24fa423cb8eb8a732562fffdb18dc7b0c
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyxT:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2616	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2616	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/2888-1-0x00000000001F0000-0x00000000002D4000-memory.dmp	dcrat
behavioral9/files/0x000500000001961f-18.dat	dcrat
behavioral9/files/0x000700000001a4aa-73.dat	dcrat
behavioral9/files/0x000800000001a4b1-105.dat	dcrat
behavioral9/files/0x000700000001a4b7-126.dat	dcrat
behavioral9/memory/1344-201-0x0000000000920000-0x0000000000A04000-memory.dmp	dcrat
behavioral9/memory/592-213-0x0000000000EA0000-0x0000000000F84000-memory.dmp	dcrat
behavioral9/memory/2540-236-0x00000000000E0000-0x00000000001C4000-memory.dmp	dcrat
behavioral9/memory/1696-248-0x0000000000BD0000-0x0000000000CB4000-memory.dmp	dcrat
behavioral9/memory/1004-260-0x0000000001250000-0x0000000001334000-memory.dmp	dcrat
behavioral9/memory/372-305-0x0000000000160000-0x0000000000244000-memory.dmp	dcrat
behavioral9/memory/2680-317-0x0000000000A30000-0x0000000000B14000-memory.dmp	dcrat
behavioral9/memory/912-329-0x0000000000CB0000-0x0000000000D94000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
1344	winlogon.exe
592	winlogon.exe
2000	winlogon.exe
2540	winlogon.exe
1696	winlogon.exe
1004	winlogon.exe
924	winlogon.exe
400	winlogon.exe
2712	winlogon.exe
372	winlogon.exe
2680	winlogon.exe
912	winlogon.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX6EBF.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX7059.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6EAD.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files\Uninstall Information\winlogon.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX706C.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6EAE.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX7058.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX707C.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\56085415360792	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\7a0fd90576e088	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX6EAF.tmp	de7c6ded508e6b46e7f6b385572c426f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\dllhost.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Windows\L2Schemas\5940a34987c991	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Windows\L2Schemas\RCX6F2F.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Windows\L2Schemas\RCX6F30.tmp	de7c6ded508e6b46e7f6b385572c426f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2148	schtasks.exe
1892	schtasks.exe
3060	schtasks.exe
2496	schtasks.exe
2368	schtasks.exe
3036	schtasks.exe
1132	schtasks.exe
2244	schtasks.exe
2684	schtasks.exe
2364	schtasks.exe
1076	schtasks.exe
1476	schtasks.exe
2604	schtasks.exe
2980	schtasks.exe
1160	schtasks.exe
2556	schtasks.exe
1696	schtasks.exe
1148	schtasks.exe
2348	schtasks.exe
2700	schtasks.exe
1920	schtasks.exe
2500	schtasks.exe
3044	schtasks.exe
704	schtasks.exe
560	schtasks.exe
288	schtasks.exe
1392	schtasks.exe
1228	schtasks.exe
3016	schtasks.exe
1296	schtasks.exe
2036	schtasks.exe
1724	schtasks.exe
864	schtasks.exe
536	schtasks.exe
584	schtasks.exe
468	schtasks.exe
2676	schtasks.exe
2588	schtasks.exe
2088	schtasks.exe
2928	schtasks.exe
1364	schtasks.exe
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2888	de7c6ded508e6b46e7f6b385572c426f.exe
2888	de7c6ded508e6b46e7f6b385572c426f.exe
2888	de7c6ded508e6b46e7f6b385572c426f.exe
2888	de7c6ded508e6b46e7f6b385572c426f.exe
2888	de7c6ded508e6b46e7f6b385572c426f.exe
1344	winlogon.exe
592	winlogon.exe
2000	winlogon.exe
2540	winlogon.exe
1696	winlogon.exe
1004	winlogon.exe
924	winlogon.exe
400	winlogon.exe
2712	winlogon.exe
372	winlogon.exe
2680	winlogon.exe
912	winlogon.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	de7c6ded508e6b46e7f6b385572c426f.exe
Token: SeDebugPrivilege	1344	winlogon.exe
Token: SeDebugPrivilege	592	winlogon.exe
Token: SeDebugPrivilege	2000	winlogon.exe
Token: SeDebugPrivilege	2540	winlogon.exe
Token: SeDebugPrivilege	1696	winlogon.exe
Token: SeDebugPrivilege	1004	winlogon.exe
Token: SeDebugPrivilege	924	winlogon.exe
Token: SeDebugPrivilege	400	winlogon.exe
Token: SeDebugPrivilege	2712	winlogon.exe
Token: SeDebugPrivilege	372	winlogon.exe
Token: SeDebugPrivilege	2680	winlogon.exe
Token: SeDebugPrivilege	912	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1344	2888	de7c6ded508e6b46e7f6b385572c426f.exe	73
PID 2888 wrote to memory of 1344	2888	de7c6ded508e6b46e7f6b385572c426f.exe	73
PID 2888 wrote to memory of 1344	2888	de7c6ded508e6b46e7f6b385572c426f.exe	73
PID 1344 wrote to memory of 768	1344	winlogon.exe	74
PID 1344 wrote to memory of 768	1344	winlogon.exe	74
PID 1344 wrote to memory of 768	1344	winlogon.exe	74
PID 1344 wrote to memory of 1904	1344	winlogon.exe	75
PID 1344 wrote to memory of 1904	1344	winlogon.exe	75
PID 1344 wrote to memory of 1904	1344	winlogon.exe	75
PID 768 wrote to memory of 592	768	WScript.exe	76
PID 768 wrote to memory of 592	768	WScript.exe	76
PID 768 wrote to memory of 592	768	WScript.exe	76
PID 592 wrote to memory of 1548	592	winlogon.exe	77
PID 592 wrote to memory of 1548	592	winlogon.exe	77
PID 592 wrote to memory of 1548	592	winlogon.exe	77
PID 592 wrote to memory of 2252	592	winlogon.exe	78
PID 592 wrote to memory of 2252	592	winlogon.exe	78
PID 592 wrote to memory of 2252	592	winlogon.exe	78
PID 1548 wrote to memory of 2000	1548	WScript.exe	79
PID 1548 wrote to memory of 2000	1548	WScript.exe	79
PID 1548 wrote to memory of 2000	1548	WScript.exe	79
PID 2000 wrote to memory of 2788	2000	winlogon.exe	81
PID 2000 wrote to memory of 2788	2000	winlogon.exe	81
PID 2000 wrote to memory of 2788	2000	winlogon.exe	81
PID 2000 wrote to memory of 2584	2000	winlogon.exe	82
PID 2000 wrote to memory of 2584	2000	winlogon.exe	82
PID 2000 wrote to memory of 2584	2000	winlogon.exe	82
PID 2788 wrote to memory of 2540	2788	WScript.exe	83
PID 2788 wrote to memory of 2540	2788	WScript.exe	83
PID 2788 wrote to memory of 2540	2788	WScript.exe	83
PID 2540 wrote to memory of 1880	2540	winlogon.exe	84
PID 2540 wrote to memory of 1880	2540	winlogon.exe	84
PID 2540 wrote to memory of 1880	2540	winlogon.exe	84
PID 2540 wrote to memory of 3068	2540	winlogon.exe	85
PID 2540 wrote to memory of 3068	2540	winlogon.exe	85
PID 2540 wrote to memory of 3068	2540	winlogon.exe	85
PID 1880 wrote to memory of 1696	1880	WScript.exe	86
PID 1880 wrote to memory of 1696	1880	WScript.exe	86
PID 1880 wrote to memory of 1696	1880	WScript.exe	86
PID 1696 wrote to memory of 704	1696	winlogon.exe	87
PID 1696 wrote to memory of 704	1696	winlogon.exe	87
PID 1696 wrote to memory of 704	1696	winlogon.exe	87
PID 1696 wrote to memory of 2468	1696	winlogon.exe	88
PID 1696 wrote to memory of 2468	1696	winlogon.exe	88
PID 1696 wrote to memory of 2468	1696	winlogon.exe	88
PID 704 wrote to memory of 1004	704	WScript.exe	89
PID 704 wrote to memory of 1004	704	WScript.exe	89
PID 704 wrote to memory of 1004	704	WScript.exe	89
PID 1004 wrote to memory of 1716	1004	winlogon.exe	90
PID 1004 wrote to memory of 1716	1004	winlogon.exe	90
PID 1004 wrote to memory of 1716	1004	winlogon.exe	90
PID 1004 wrote to memory of 2672	1004	winlogon.exe	91
PID 1004 wrote to memory of 2672	1004	winlogon.exe	91
PID 1004 wrote to memory of 2672	1004	winlogon.exe	91
PID 1716 wrote to memory of 924	1716	WScript.exe	92
PID 1716 wrote to memory of 924	1716	WScript.exe	92
PID 1716 wrote to memory of 924	1716	WScript.exe	92
PID 924 wrote to memory of 3048	924	winlogon.exe	93
PID 924 wrote to memory of 3048	924	winlogon.exe	93
PID 924 wrote to memory of 3048	924	winlogon.exe	93
PID 924 wrote to memory of 2812	924	winlogon.exe	94
PID 924 wrote to memory of 2812	924	winlogon.exe	94
PID 924 wrote to memory of 2812	924	winlogon.exe	94
PID 3048 wrote to memory of 400	3048	WScript.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\de7c6ded508e6b46e7f6b385572c426f.exe
"C:\Users\Admin\AppData\Local\Temp\de7c6ded508e6b46e7f6b385572c426f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Uninstall Information\winlogon.exe
  "C:\Program Files\Uninstall Information\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\435b7918-fc96-477a-9f67-6a3b07029798.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Program Files\Uninstall Information\winlogon.exe
      "C:\Program Files\Uninstall Information\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65bd6236-7204-4657-bb59-39494bdf255d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf30d137-d89d-4cc3-ab1e-9f1e920a0457.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87b49f08-076d-421d-9ae8-22d1f44b56ea.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aaf95fb-ab19-4419-aec5-5822ac2e9a55.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\563d159d-9bed-4ca6-ad82-db7883f2bc6d.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3468b146-3fa8-4877-9e44-cdb5e3d76535.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5de45078-192d-49c7-a57b-b43874b23565.vbs"
        17⤵
        
        PID:2816
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84fefc11-b722-48b9-8f1d-c2373f0db170.vbs"
        19⤵
        
        PID:2424
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aadbf62f-236e-4104-9c4a-9bf21c4e4d03.vbs"
        21⤵
        
        PID:2892
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e4c038e-f764-4876-9b8b-6a354ef8a57f.vbs"
        23⤵
        
        PID:2872
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a3aae51-331b-4e7c-bc94-67be7b82d33b.vbs"
        25⤵
        
        PID:1920
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        26⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cfe38e7-cbc6-4b4e-af40-ad84629c1bcd.vbs"
        27⤵
        
        PID:948
        
        C:\Program Files\Uninstall Information\winlogon.exe
        
        "C:\Program Files\Uninstall Information\winlogon.exe"
        28⤵
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d098e08-a815-44d7-be82-baaf6e6bb0cc.vbs"
        29⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c97d08e6-dbf2-4f61-957a-82d63093d725.vbs"
        29⤵
        
        PID:944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6750de6-fa2d-4e68-b752-823c6bc92367.vbs"
        27⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff96f032-c85f-4ccd-9e97-13eb42b15c75.vbs"
        25⤵
        
        PID:800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\645f8616-64e9-4092-8d36-d0ce2ca81fec.vbs"
        23⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df99468e-b56c-48d2-86ee-7eababfdc954.vbs"
        21⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\646d4ba9-ed4c-43d0-8f92-9e0f45f912bb.vbs"
        19⤵
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f67c810-f6ef-4969-95c8-36127dc0cb80.vbs"
        17⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cb3ecb8-396f-43b8-b93b-f0d8c540191e.vbs"
        15⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfa6583c-b9a5-4188-a33b-9f2673c9d2ed.vbs"
        13⤵
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9f28f94-58f8-4db0-8507-be41862e523c.vbs"
        11⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfcf8fc3-e9de-4847-9bf6-087adb2b9b2f.vbs"
        9⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62778fc5-682a-48b6-acb6-ee9cbf97009f.vbs"
        7⤵
        
        PID:2584
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54383470-c6f8-455f-bd2c-83dc9dbf8363.vbs"
        5⤵
        
        PID:2252
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce12c148-82a2-4c26-adda-551b72458efb.vbs"
    3⤵
    PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lsass.exe

Filesize
885KB

MD5
4c3247cad9d124c6b04c8330f02af758

SHA1
ee88d5bd321d94d67d78b0e69764cf21ba96aca5

SHA256
fc380bcfa1fa6f7ee30aa8aae31b68edd00be7beaf2b8ab93d585e6c5d1e4a80

SHA512
5f88b3b70517eda92d8672501ec05ae91a0bf6fa811cc2fbcb1b3272b2a20beec6ad589a59eb928679ddc2f0c208cf02f9ffbf590adb3582a71611c96765a438

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe

Filesize
885KB

MD5
5cf3c2ad98845dd9994d8d2f70bb5a08

SHA1
c6be6eb326632de2601891e9958bb39c427ce909

SHA256
0cffd47c529b429a5e62a563cec949cedb9c7c0d1f49102b47be7633d54ce810

SHA512
b3844a141abfa4804df39cbf306a8b6ce9fe4d2e83d3051a1bf2f5427f47ccd1bfa22a731670a2ee61f54c72b4943237cbb53c9a13e429cd77498c38d2572560

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e4c038e-f764-4876-9b8b-6a354ef8a57f.vbs

Filesize
727B

MD5
18153dcde2857a9e46b0a90eb1cc2b32

SHA1
5c68532a291772963659419c6e0e305905091ecb

SHA256
62ba90384cba3f9b0f86db821aa8298d1ae4741ca786d07af6d61984b01c7536

SHA512
3e143c3557f6d70f5ff904bce09c6da5c81eca4a3181638ef71ff0dce602f837123cc027241b6f2add92cc1b9872577f427de5e13cd74e607f84869bf107b177

Download Submit
C:\Users\Admin\AppData\Local\Temp\3468b146-3fa8-4877-9e44-cdb5e3d76535.vbs

Filesize
726B

MD5
3eedf805526bfec5d39c4ab7ead6c2b6

SHA1
625af6c29de91aa4aecf8f1225db3afd1616d50b

SHA256
4e84ced7da95d6c2cc57917931fe541b885c88ef705cdcd70faec6f0388faf45

SHA512
0a9b1bb09aa8201c63db28b34d5f850fbfdefe88594e81bd3babe37b8c1d8bda6664a9350b05d22e41e3460207eea140cb4039c0b731cf33f1c0930a67dbc43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\435b7918-fc96-477a-9f67-6a3b07029798.vbs

Filesize
727B

MD5
7629a28c53d23cced753b216fce06f15

SHA1
2397802d97765857a1195d5bda6c2ea352cde6f4

SHA256
b31d960e6661e9521d5ab472e153591e01b30d3419f3fee3bc5d5f4f80b21717

SHA512
f220f7cb21e878ef65d8570f1cea69f24f096762b27027d6b3d9382eb4890f2af4591a2b8b92dc9ba65950103b41ffb43d30a722f0f271b37ae6a610fa50383d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a3aae51-331b-4e7c-bc94-67be7b82d33b.vbs

Filesize
726B

MD5
35e869291fc2dda1aad070f412cf98d0

SHA1
b339051056e9aafaa0c9334727bc83a757b96751

SHA256
1eb904ce41eda5fc9d4adf16cbb73d8e1e549777b3eb6ea04f0f6c530259b12a

SHA512
c3714ad992ac4809954af47a07707130d6ed3288c328f45d3a13e79e6a427ddc893fc0a6e811b1df658cdf3d109935d5a315f20af8f22afc2a8fc38513bf396c

Download Submit
C:\Users\Admin\AppData\Local\Temp\563d159d-9bed-4ca6-ad82-db7883f2bc6d.vbs

Filesize
727B

MD5
365850ac17329c410ba693401ebdc528

SHA1
8a09c96aad8f8f243b128b0f550811fd8dfbff59

SHA256
db64a77ebc232405cf322034ee5dd4b711e59182eb47653de13ca7361055f2e7

SHA512
aa78cc71bc669ef65a9247cbfe1699975e3861974290909a426094484c55bb7ad4c1c4d75b5f481a55fb6b7fdb436acc40179fd6f697d1c3bf03a0294e3d5d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5de45078-192d-49c7-a57b-b43874b23565.vbs

Filesize
726B

MD5
7db1532b274abc8c9bb658dfb46699b8

SHA1
fa655f91b118b0fb7903cceb7ee1f8932d99cff1

SHA256
67f53d7c7ab2a00f1f0b00d8b79782ee54fe4d5e1316582aafb4a97c27524be5

SHA512
1deadffcda552d89d75d5644f866e1695ec789c4fc70102401ccca2dc3a2a6e46bd0bafb7de9af5a3bc9e1a36c242e5de0b21325018aecea3f76a6e1967518be

Download Submit
C:\Users\Admin\AppData\Local\Temp\65bd6236-7204-4657-bb59-39494bdf255d.vbs

Filesize
726B

MD5
8e948d42a67b4e22d6f4cf16793781cc

SHA1
d375698a16724cfcf7b81e72c3015b33a09c9f37

SHA256
6e87418cfd8e394bb132aa459819b78ac56b94bf203bde582e6cc860bb435834

SHA512
b7c1991cabb4084684343b7c3fd6140397622c678fc15103639fdeaae10950684ae5cb3f1d4f9c05fb8d042eb0b9716f11cca28cd7ab61b89da0614cc786c55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cfe38e7-cbc6-4b4e-af40-ad84629c1bcd.vbs

Filesize
727B

MD5
06676b1fb9fea44172cf046700898a1a

SHA1
79f7c3638a9cddc63d19c222a6f5b5b990507775

SHA256
d82da1116283143a1e24a37c6008379310487706fc5eea5d472716492b442742

SHA512
d16c58d7584ece847218889c107625ee16b93716d05ad428787065a938a8cf7b04cf217901b09497a4b0874b815c0cb95d3cd0b95b799ee9597406dd0c81b798

Download Submit
C:\Users\Admin\AppData\Local\Temp\84fefc11-b722-48b9-8f1d-c2373f0db170.vbs

Filesize
727B

MD5
ee1e9e8b58327aa2ab8b3d386c73de17

SHA1
de5fdf67cafc219f9e931cd5d80a62f30e3db0d8

SHA256
d717d67a26c4d3ea7e0578ec3fce1f52dd3bf92f03cc4e82b8ebd5f6bf95da2c

SHA512
9bf97802f61a18e7ad356a7410aafe272ed24cd377aefbb70b87e8cc903c687144ead6f94b81e9ec6836c26e59ea47511501c6f1693233582cc7266ba062078d

Download Submit
C:\Users\Admin\AppData\Local\Temp\87b49f08-076d-421d-9ae8-22d1f44b56ea.vbs

Filesize
727B

MD5
67e435d253b1aa0da5f26b2e52d0d4cb

SHA1
183953cfb31e60e68b413f61253a51792081a696

SHA256
8a12ba761c8859dfbd332602725096f08376985d47e6cd82741095bcc8e7fdff

SHA512
31482c613b555186fcdfbde1896151ef3abcd7578c43cc9bc84e014479be529d7c2d9b1f2b8f4599603a78a63288fa094f1b39fe28a3c8c369ec4a0c2eda7095

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d098e08-a815-44d7-be82-baaf6e6bb0cc.vbs

Filesize
727B

MD5
441c3ac79eb945542c1e5e9fd8b520c6

SHA1
c225ff30b095cab4d2165e931c6247ea5eac8be6

SHA256
883793d92f2ec79c05c0bb0b1af627dd5ca613c5cfccb23dce842a8b1e2cdb0e

SHA512
8491b0220467edcc2d9a6513c92bc4c050259a544653e56c94f896e2785e811cca8ce46ebba33522cf1abc5e3d304a1807d5e4ba3175020904289e2fe10196dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9aaf95fb-ab19-4419-aec5-5822ac2e9a55.vbs

Filesize
727B

MD5
2d3edd9927dd73accd773f33d660cc9a

SHA1
5532cb8e3c17f9b8d2554b96d32ab2fee83a7ae1

SHA256
007a303c2ffa6eba266a8d29e5aa0f77fe61889008e5f66474301cda4fa6e588

SHA512
9965070c462f5441472c17d68db74e493b7065f4f7be5d7d7978d4a9657e072285b2483b37026349ac86faaa88f96365708db45937038245e159fffee70053ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\aadbf62f-236e-4104-9c4a-9bf21c4e4d03.vbs

Filesize
726B

MD5
ae86a4bdfb6991820b07f9407c483881

SHA1
f6dd73e6fc460338e4bc21aa5e795c6fe3c59fa7

SHA256
388f954f1f5a8367fe3adfed34a930e9728ee228bd7a8843a8897551bae7f123

SHA512
3e6f0383f92374b887d5fb0483c180dd35db87bc067fde02dcb0dfad239ea7dfa183175bea5fa16c8d0d88804a4006b80ddda225817ab576fffaf11101bb3aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf30d137-d89d-4cc3-ab1e-9f1e920a0457.vbs

Filesize
727B

MD5
fccfa55c343e2c8f621cea6fd9082cde

SHA1
9973c121a913429459c59c7d9b1b6593e76aeaf7

SHA256
b4d8cd0bca6528af9db269a5554e64d67bd530029afc113a36ff1e81602f7baa

SHA512
8a6e21c24d1caef3794617a19c0652b9a178ead5ab458fb3d24bd643fdea8904b4d9e66021195284326d58f8074f104d29873051463c2c1d57d689ac8d7deef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce12c148-82a2-4c26-adda-551b72458efb.vbs

Filesize
503B

MD5
844e787f6852d1fec61dad82cfa015b2

SHA1
4efbc5c5c287fb4cc7006a05e5966a40e4560f5f

SHA256
41366b7ec486066c644e379a5e3803d2517a3890c0a4613e2709c40e9b1e7d61

SHA512
fc20dae43fd16b68b1560405e7cd8077856b86157876cd9f42468dcd49633e0bb6aef5b8c7bd6024e601f67693abdd7a800cc2dac195476450b18836f4e6bfae

Download Submit
C:\Users\Admin\Pictures\explorer.exe

Filesize
885KB

MD5
de7c6ded508e6b46e7f6b385572c426f

SHA1
13cb214fcfaca4c85c59c002ea2769d8db3fccc0

SHA256
aa8cbabea544c7e766f4a2096cf7aa8ebc23e4677812b23910524d0a089d2502

SHA512
c98b77f486f1d0c607eab5b9776dbbd1fc97581e313302d03cc9b18cf5af53196cc280503acdb8c91cd7a44906001bb24fa423cb8eb8a732562fffdb18dc7b0c

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\lsass.exe

Filesize
885KB

MD5
7f1a84eb3066f2f6aebe90e0330a3155

SHA1
7e300a9be04e5fa51e8f16f8266011e48990cd38

SHA256
272fa453723e3cdd746058d00f9a4dadc5810df316cb393e3f1f0f93cc229477

SHA512
32173fbe6199522e1306635e14332847f72ecedfe809c9a694843ddd5ef2f7e45d8093a7b9ffaf068b64a34672caf61df4ded324cb6947b1571d5641013cfdcc

Download Submit
memory/372-305-0x0000000000160000-0x0000000000244000-memory.dmp

Filesize
912KB

Download
memory/592-213-0x0000000000EA0000-0x0000000000F84000-memory.dmp

Filesize
912KB

Download
memory/912-329-0x0000000000CB0000-0x0000000000D94000-memory.dmp

Filesize
912KB

Download
memory/1004-260-0x0000000001250000-0x0000000001334000-memory.dmp

Filesize
912KB

Download
memory/1344-201-0x0000000000920000-0x0000000000A04000-memory.dmp

Filesize
912KB

Download
memory/1696-248-0x0000000000BD0000-0x0000000000CB4000-memory.dmp

Filesize
912KB

Download
memory/2540-236-0x00000000000E0000-0x00000000001C4000-memory.dmp

Filesize
912KB

Download
memory/2680-317-0x0000000000A30000-0x0000000000B14000-memory.dmp

Filesize
912KB

Download
memory/2888-8-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2888-6-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2888-5-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2888-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2888-7-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2888-202-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2888-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2888-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-1-0x00000000001F0000-0x00000000002D4000-memory.dmp

Filesize
912KB

Download