dcrat | e5d28ec84e4b5f023e3f386cf7e0776850b67e2bad1299413885f3fdd757f58c

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
Size

1.6MB
MD5

d49f9f0f5730138879ce947728596fe0
SHA1

4757810dc00db1570dfd3508acaf6fd47b925e07
SHA256

e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b
SHA512

099508a93873b25601ab8e187cc731a00d6248455a3e60738bfc0f0d9eb23504f21cdb121b30fdd63d82eb5fd597f7f2a4629f489551dc7b08cf96acb68dbe9b
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2752	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral21/memory/1056-1-0x0000000000E60000-0x0000000001002000-memory.dmp	dcrat
behavioral21/files/0x000500000001a4d1-25.dat	dcrat
behavioral21/files/0x000600000001c858-56.dat	dcrat
behavioral21/files/0x000a000000019234-67.dat	dcrat
behavioral21/memory/1460-166-0x0000000000900000-0x0000000000AA2000-memory.dmp	dcrat
behavioral21/memory/1048-177-0x0000000000EF0000-0x0000000001092000-memory.dmp	dcrat
behavioral21/memory/2284-211-0x0000000000F60000-0x0000000001102000-memory.dmp	dcrat
behavioral21/memory/3060-234-0x0000000000180000-0x0000000000322000-memory.dmp	dcrat
behavioral21/memory/2796-246-0x0000000000AD0000-0x0000000000C72000-memory.dmp	dcrat
behavioral21/memory/2476-258-0x0000000000E60000-0x0000000001002000-memory.dmp	dcrat
behavioral21/memory/2700-270-0x0000000000370000-0x0000000000512000-memory.dmp	dcrat
behavioral21/memory/784-282-0x00000000009A0000-0x0000000000B42000-memory.dmp	dcrat
behavioral21/memory/2356-294-0x0000000000AB0000-0x0000000000C52000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1616	powershell.exe
1036	powershell.exe
1084	powershell.exe
652	powershell.exe
1640	powershell.exe
2124	powershell.exe
1496	powershell.exe
836	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1460	WmiPrvSE.exe
1048	WmiPrvSE.exe
1620	WmiPrvSE.exe
1496	WmiPrvSE.exe
2284	WmiPrvSE.exe
2924	WmiPrvSE.exe
3060	WmiPrvSE.exe
2796	WmiPrvSE.exe
2476	WmiPrvSE.exe
2700	WmiPrvSE.exe
784	WmiPrvSE.exe
2356	WmiPrvSE.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files\Internet Explorer\es-ES\lsm.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\08bb61f6e61b69	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCXB85B.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCXB8C9.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\lsm.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCXC3BB.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\RCXC3BC.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Program Files\Internet Explorer\es-ES\101b941d020240	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\ja-JP\f3b6ecef712a24	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RCXB656.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RCXB657.tmp	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2812	schtasks.exe
3012	schtasks.exe
2492	schtasks.exe
2956	schtasks.exe
320	schtasks.exe
2780	schtasks.exe
1096	schtasks.exe
776	schtasks.exe
1380	schtasks.exe
2884	schtasks.exe
2136	schtasks.exe
1280	schtasks.exe
1472	schtasks.exe
3016	schtasks.exe
2900	schtasks.exe
2636	schtasks.exe
2612	schtasks.exe
2644	schtasks.exe
352	schtasks.exe
2520	schtasks.exe
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
1616	powershell.exe
1084	powershell.exe
1496	powershell.exe
1640	powershell.exe
1036	powershell.exe
2124	powershell.exe
652	powershell.exe
836	powershell.exe
1460	WmiPrvSE.exe
1048	WmiPrvSE.exe
1620	WmiPrvSE.exe
1496	WmiPrvSE.exe
2284	WmiPrvSE.exe
2924	WmiPrvSE.exe
3060	WmiPrvSE.exe
2796	WmiPrvSE.exe
2476	WmiPrvSE.exe
2700	WmiPrvSE.exe
784	WmiPrvSE.exe
2356	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1460	WmiPrvSE.exe
Token: SeDebugPrivilege	1048	WmiPrvSE.exe
Token: SeDebugPrivilege	1620	WmiPrvSE.exe
Token: SeDebugPrivilege	1496	WmiPrvSE.exe
Token: SeDebugPrivilege	2284	WmiPrvSE.exe
Token: SeDebugPrivilege	2924	WmiPrvSE.exe
Token: SeDebugPrivilege	3060	WmiPrvSE.exe
Token: SeDebugPrivilege	2796	WmiPrvSE.exe
Token: SeDebugPrivilege	2476	WmiPrvSE.exe
Token: SeDebugPrivilege	2700	WmiPrvSE.exe
Token: SeDebugPrivilege	784	WmiPrvSE.exe
Token: SeDebugPrivilege	2356	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1084	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	52
PID 1056 wrote to memory of 1084	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	52
PID 1056 wrote to memory of 1084	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	52
PID 1056 wrote to memory of 1640	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	53
PID 1056 wrote to memory of 1640	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	53
PID 1056 wrote to memory of 1640	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	53
PID 1056 wrote to memory of 652	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	54
PID 1056 wrote to memory of 652	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	54
PID 1056 wrote to memory of 652	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	54
PID 1056 wrote to memory of 2124	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	56
PID 1056 wrote to memory of 2124	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	56
PID 1056 wrote to memory of 2124	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	56
PID 1056 wrote to memory of 1496	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	57
PID 1056 wrote to memory of 1496	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	57
PID 1056 wrote to memory of 1496	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	57
PID 1056 wrote to memory of 1036	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	58
PID 1056 wrote to memory of 1036	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	58
PID 1056 wrote to memory of 1036	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	58
PID 1056 wrote to memory of 1616	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	59
PID 1056 wrote to memory of 1616	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	59
PID 1056 wrote to memory of 1616	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	59
PID 1056 wrote to memory of 836	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	61
PID 1056 wrote to memory of 836	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	61
PID 1056 wrote to memory of 836	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	61
PID 1056 wrote to memory of 1932	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	68
PID 1056 wrote to memory of 1932	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	68
PID 1056 wrote to memory of 1932	1056	e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe	68
PID 1932 wrote to memory of 2624	1932	cmd.exe	70
PID 1932 wrote to memory of 2624	1932	cmd.exe	70
PID 1932 wrote to memory of 2624	1932	cmd.exe	70
PID 1932 wrote to memory of 1460	1932	cmd.exe	72
PID 1932 wrote to memory of 1460	1932	cmd.exe	72
PID 1932 wrote to memory of 1460	1932	cmd.exe	72
PID 1460 wrote to memory of 1424	1460	WmiPrvSE.exe	73
PID 1460 wrote to memory of 1424	1460	WmiPrvSE.exe	73
PID 1460 wrote to memory of 1424	1460	WmiPrvSE.exe	73
PID 1460 wrote to memory of 1528	1460	WmiPrvSE.exe	74
PID 1460 wrote to memory of 1528	1460	WmiPrvSE.exe	74
PID 1460 wrote to memory of 1528	1460	WmiPrvSE.exe	74
PID 1424 wrote to memory of 1048	1424	WScript.exe	75
PID 1424 wrote to memory of 1048	1424	WScript.exe	75
PID 1424 wrote to memory of 1048	1424	WScript.exe	75
PID 1048 wrote to memory of 2128	1048	WmiPrvSE.exe	76
PID 1048 wrote to memory of 2128	1048	WmiPrvSE.exe	76
PID 1048 wrote to memory of 2128	1048	WmiPrvSE.exe	76
PID 1048 wrote to memory of 1632	1048	WmiPrvSE.exe	77
PID 1048 wrote to memory of 1632	1048	WmiPrvSE.exe	77
PID 1048 wrote to memory of 1632	1048	WmiPrvSE.exe	77
PID 2128 wrote to memory of 1620	2128	WScript.exe	78
PID 2128 wrote to memory of 1620	2128	WScript.exe	78
PID 2128 wrote to memory of 1620	2128	WScript.exe	78
PID 1620 wrote to memory of 2876	1620	WmiPrvSE.exe	79
PID 1620 wrote to memory of 2876	1620	WmiPrvSE.exe	79
PID 1620 wrote to memory of 2876	1620	WmiPrvSE.exe	79
PID 1620 wrote to memory of 2448	1620	WmiPrvSE.exe	80
PID 1620 wrote to memory of 2448	1620	WmiPrvSE.exe	80
PID 1620 wrote to memory of 2448	1620	WmiPrvSE.exe	80
PID 2876 wrote to memory of 1496	2876	WScript.exe	81
PID 2876 wrote to memory of 1496	2876	WScript.exe	81
PID 2876 wrote to memory of 1496	2876	WScript.exe	81
PID 1496 wrote to memory of 1584	1496	WmiPrvSE.exe	82
PID 1496 wrote to memory of 1584	1496	WmiPrvSE.exe	82
PID 1496 wrote to memory of 1584	1496	WmiPrvSE.exe	82
PID 1496 wrote to memory of 2308	1496	WmiPrvSE.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
"C:\Users\Admin\AppData\Local\Temp\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\es-ES\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\ja-JP\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RyEOv3RD96.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2624
- - C:\Users\Default\Cookies\WmiPrvSE.exe
    "C:\Users\Default\Cookies\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efd9a008-30bb-4a06-9178-78968960979d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e085cfcd-79c7-48f2-9b5d-dff232d7ef5c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\178b87c8-0fd0-44fd-9e2a-5f23132bf19e.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec34afb1-3731-4fb1-9b90-bab3c499de93.vbs"
        10⤵
        
        PID:1584
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3afb28c1-827b-4c10-b1f2-adb4589bbd7f.vbs"
        12⤵
        
        PID:1748
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\088d20b0-bb33-47f7-9490-da0c4ff39d0d.vbs"
        14⤵
        
        PID:1676
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6771ec7b-6baf-4ed5-83c5-0f118fa9a970.vbs"
        16⤵
        
        PID:1784
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\915e338d-56c9-433d-81ec-86f86da4a996.vbs"
        18⤵
        
        PID:2484
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c47deee-b02d-4a28-8b77-cab6b1202438.vbs"
        20⤵
        
        PID:2656
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9f234b-7baf-4c83-a267-b9daab0571a9.vbs"
        22⤵
        
        PID:1612
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee2ad359-296e-4d42-979d-764b1bc4a3cf.vbs"
        24⤵
        
        PID:1340
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        
        C:\Users\Default\Cookies\WmiPrvSE.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1c308eb-85d0-41d6-affd-d01a593ab325.vbs"
        26⤵
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a71c849-021d-4803-b874-0e696c4bacf0.vbs"
        26⤵
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d27e19de-ac6c-44a9-92df-1c87f0cff3cd.vbs"
        24⤵
        
        PID:704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81f40b2e-b770-46ca-9bfd-725f7a95aec9.vbs"
        22⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61633ae1-dc66-4818-bb35-8b61e4111de7.vbs"
        20⤵
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4b3cf7f-2da9-46a5-952f-2919d4529027.vbs"
        18⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4edcbfd1-f873-4cd4-bb64-5cab1719b4d3.vbs"
        16⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee20084f-3919-473f-a893-a26e0857d114.vbs"
        14⤵
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb5c34d6-7a22-4922-9c32-73e3fcb5114c.vbs"
        12⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\408bcd44-2236-4eeb-9a9e-78f3ad05f144.vbs"
        10⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20573078-84a7-4baa-9857-3cc890093552.vbs"
        8⤵
        
        PID:2448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa9cf220-24c6-4a97-8aa4-6c1de696f5dc.vbs"
        6⤵
        
        PID:1632
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cabb344-3512-4085-a6f4-46ec0f230ddf.vbs"
      4⤵
      PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934be" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934be" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\es-ES\lsm.exe

Filesize
1.6MB

MD5
b46ef45729d7d5449368d1b3dc6e5073

SHA1
0360ec03a07440d7c32eb7fa757744c4eb440929

SHA256
b896e930360f6c64b5f45a20a38d6a9889aaaf05e0953898416e1f1a3cbb7b65

SHA512
89ad022a3e8cc56ef64f2d6bc46ebc354459de4ce787b1fe24d52c33f1b52c07f0e99a1e8c3a5ce80749b062d73e49cbb86c0fd16c1dba43f5082fbbe9e94a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\088d20b0-bb33-47f7-9490-da0c4ff39d0d.vbs

Filesize
713B

MD5
073f9ffc7d62663e5cfecda85f041454

SHA1
8e903b968f9df64a6c45227cc7f66ba14df15837

SHA256
1bc66c2be21fded367401e97440d5ce613b3598894eddac964b17f3f18049904

SHA512
7dc2551b53466b5a6f734e488f1605504537bc0a8cc96ff2b02f87c8e311f37434ec5ab4ff44a10235653541d626d9f9cec93b94704f53f8054f955db3621373

Download Submit
C:\Users\Admin\AppData\Local\Temp\178b87c8-0fd0-44fd-9e2a-5f23132bf19e.vbs

Filesize
713B

MD5
166e27c088ed6e8c57cd16a62751be28

SHA1
9aa3e0ac3e0d902f348a30eda6a55b1cdde8cf2c

SHA256
1d4676d26450679ebb8034e8757c81a6fd07faa9f6f9c3a4933dbba556a4f0bd

SHA512
8a21c9b65c742628c166f9cb03222f58188e592211703ee045ee12c9a1e60e2ace0b85eddc54d3d04fd8e8c95781e935925e75988af9658cf21678c2a32f776e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3afb28c1-827b-4c10-b1f2-adb4589bbd7f.vbs

Filesize
713B

MD5
a3c9086bcfd5c401e73f5857e2bb0290

SHA1
05a4c9cb848f43303d97398e06e545493a18f381

SHA256
32ba9642b399828a0c4681afef402e09a071eaab9a5c9fb2467318b2029d679c

SHA512
1039e86291fd8a8e7ca1af1ab71b71d304ae24dc6a1da82077a157b4f44734bede7bc804b061a94ee13220516c00323c411535e8c09c2cdff3820721d735d5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c47deee-b02d-4a28-8b77-cab6b1202438.vbs

Filesize
713B

MD5
507db76135b22132d810d79b1c9954ab

SHA1
83e911d74936fc002778fe32b2c197b7edaf2610

SHA256
9d0648636c19c94666896e55f62232af618fb7abaec0c65bc8f59b9873f8bbd9

SHA512
eaeb477e46586c32588af706e25a8f08707af55b03d9af930d9e5e83991b25382288807c542f3c66cb539bdc703272a0dc23c5e91b04403244da4cc9d91b3f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\6771ec7b-6baf-4ed5-83c5-0f118fa9a970.vbs

Filesize
713B

MD5
f3024cd12814c32742090990f3e93132

SHA1
e701d3e66b8852270fcab9c527558bd09af4811e

SHA256
0bed290e3179a6e63c7de92a94deae9d6cd8a5851ed39fee7533ab5947742757

SHA512
e8796871878c886d83f70a602162745d5ed4884ac8e1933268a9524061eb408b9e642c81b1bad6736075864c0768f5d8ac742e51dee271014739fe25daf700b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cabb344-3512-4085-a6f4-46ec0f230ddf.vbs

Filesize
489B

MD5
7e19d5b6ee9d7be1e9786fe1d634c749

SHA1
d6768ef3fd60f4aa31c5f3b6989d38066c71f9d5

SHA256
c689080f2cc2aa3572c62f455645ead7c9600ecb48054b5cdb28e904ef8b2e25

SHA512
d72ee260be1fbe8f9d170e05acec66ad7d2451bab1309a828591cc95a6352cf4a2c5e86edfa934372ed6245e9e035839e407adfa4090d5d276dfe2e8835aefaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\915e338d-56c9-433d-81ec-86f86da4a996.vbs

Filesize
713B

MD5
a6e86367b8e62f009a663e341aa2f4b7

SHA1
80c55d3be2623929cb622bdb17765e8d809de56a

SHA256
a0389dfca86aae0789ab9889f9cddcb56ca851156c541d8f2442889562bb531f

SHA512
c604da58d5fdc43b9cf843dfb64fe207f115ead88d4a4ffa4a8c5d33817d26cc887616d81fd7d60d5af761c402ec50bd86122ba641faf7a4bd75e2fbb9f9d7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyEOv3RD96.bat

Filesize
202B

MD5
2409ed796e5314aa5c54ddb28c3b7269

SHA1
be206223f4f0848ac4be9e48b69a73b329fe8507

SHA256
3f9f83e7b5c32ee923cc5359ca256aefd84f6fba44342e65f304c2cba8c6e4af

SHA512
f0fe754fdd6b14059d79623298423e106a2f18b476c7a5d2f9c34999786567834df37e9cf8f42779717428e02e8786402920661667c6c939a57dd36302891e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb9f234b-7baf-4c83-a267-b9daab0571a9.vbs

Filesize
713B

MD5
7284c57886e85a40a64b6e853fe8cba0

SHA1
170be63e7941c63243f876ad04b9e82e4f2ceca6

SHA256
da867e12f020dbb0dae246ff3e8a6c0920f87b889e233c3c96a2125e0c479151

SHA512
5f1e5ba0bdd946b9ff959de1c2ddc5a25c5cbce07e3a1cb45ab7c98f61afffadeadb9d131d49c9365af9eff0c6b18b2551b723118a26fd121dde77b778f6e7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e085cfcd-79c7-48f2-9b5d-dff232d7ef5c.vbs

Filesize
713B

MD5
fea80f2ae1b392157c98d7512e678825

SHA1
9088aa4fd70986c85ead4f01892db5634b330112

SHA256
e6076e2fd501b3eb3b641631954da57c66f5033fbcf037cc2a03669d41a5de6c

SHA512
a8ce4d87ac6640c82e0427a626db9e368ad07aff6dd973d3cb6d9ae36c23273e35cc7d5ba59014fc1d46b17e0990e526fb7c3ba7bd996fa8725cf374c950e023

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec34afb1-3731-4fb1-9b90-bab3c499de93.vbs

Filesize
713B

MD5
0783520427a01f0db6d02b59f1916474

SHA1
eece43612abd6c1bff4bac857aeca8f376363896

SHA256
80dd4946dc04da6e63e8d4e96b5c951175c554d645636e30a2b6548140e6fa74

SHA512
685dd5c73b042fb47fdfc8f4101c0b1476b0f193ab4ed50018afe2008247acdcaec8fe889bb566308a8c43ddf32e1b2e30d2802b3f90eea86856b80eac65e824

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee2ad359-296e-4d42-979d-764b1bc4a3cf.vbs

Filesize
712B

MD5
b833a481a026b8058d8e063c5c734a71

SHA1
dd51d1838e189e0764ef89e98ac07c3d37be841e

SHA256
4b022cb6a1d4738c10476dd034ea028b76791bfc282422b293caa77612c2fe19

SHA512
6d780c621844f03313a8669b33aa6c7c52915fdb77552a7039dc318eccd8956b50803f828092900c080b24cb9ce38a789706c2361433efad49be29e859100bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\efd9a008-30bb-4a06-9178-78968960979d.vbs

Filesize
713B

MD5
b0547cbb0b3faaf72f2b230f88dd27fb

SHA1
687dd16f86c9dfaba70a1789f9587d11dbdc4bd3

SHA256
fdf4ef4602319c04076a93d0785beb15a82fd5a2160a7cf887c8e953d3dc2af8

SHA512
7302a2e4f3d84ea306d4bb327aba0294249b04d62174849e3f4fb00b68d644aa8391c11c1fc4bacf8a98780b4833318611fc5198f5ecc6408439dd1ae90c7c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1c308eb-85d0-41d6-affd-d01a593ab325.vbs

Filesize
713B

MD5
81fd2b780f240eec010381453276dc6f

SHA1
a20fabbb524ebe55b04f4f9c3226cb430b30bb7f

SHA256
31c47687bbc6ddb74c63a28b313c5565f71404ae862429bf82ceab50a27651d5

SHA512
ce0c0e679a4c305f6d183703951cddf6850ccd11a25e4f3d0a9af79c0df1afcf9fe5f51ea3935eb031112b00aa6dff1419427302ca7c9441b9c13e1adfcfe6cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e75f495033d4e06d62d15b1018fc7242

SHA1
ab18c53e7db9430778632001d95e3031a7fe7c40

SHA256
cf61f2d314aedbba142d6aae5163e238e0adb302a88ecfb23024467c9eede506

SHA512
de4e42283e60c478e68a3833330e200b35498eff350caa052d1ce38749c360c06b7ced95f579be9a20c48a69902961f75ff9e5f62a8f6699458eb93ac15f0301

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\WmiPrvSE.exe

Filesize
1.6MB

MD5
7cf6c062b0ddb12a9b79ec59d0e9eef3

SHA1
09d3e5b792c63564ce8ae949b778f00b8d270a3e

SHA256
6010c02bbff90c01409f58221f3c4a0dea1d86a661f76ed0b3a3c81c6848c32f

SHA512
3b4a8ab6652e005aa681e5837fa96ffa9676c9beb0984158ba72b3a0ee0b625eccbda1f9a65b0627eb5159b8e03b5f8196269e6e149655017b50338f750b12ab

Download Submit
C:\Users\Default\audiodg.exe

Filesize
1.6MB

MD5
d49f9f0f5730138879ce947728596fe0

SHA1
4757810dc00db1570dfd3508acaf6fd47b925e07

SHA256
e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b

SHA512
099508a93873b25601ab8e187cc731a00d6248455a3e60738bfc0f0d9eb23504f21cdb121b30fdd63d82eb5fd597f7f2a4629f489551dc7b08cf96acb68dbe9b

Download Submit
memory/784-282-0x00000000009A0000-0x0000000000B42000-memory.dmp

Filesize
1.6MB

Download
memory/1048-177-0x0000000000EF0000-0x0000000001092000-memory.dmp

Filesize
1.6MB

Download
memory/1056-11-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/1056-9-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1056-1-0x0000000000E60000-0x0000000001002000-memory.dmp

Filesize
1.6MB

Download
memory/1056-141-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1056-2-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1056-3-0x0000000000B10000-0x0000000000B2C000-memory.dmp

Filesize
112KB

Download
memory/1056-15-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/1056-13-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/1056-14-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/1056-12-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/1056-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/1056-10-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/1056-4-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1056-16-0x0000000000D90000-0x0000000000D9C000-memory.dmp

Filesize
48KB

Download
memory/1056-8-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/1056-5-0x0000000000B30000-0x0000000000B46000-memory.dmp

Filesize
88KB

Download
memory/1056-7-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/1056-6-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/1084-142-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1460-166-0x0000000000900000-0x0000000000AA2000-memory.dmp

Filesize
1.6MB

Download
memory/1616-140-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2284-211-0x0000000000F60000-0x0000000001102000-memory.dmp

Filesize
1.6MB

Download
memory/2356-294-0x0000000000AB0000-0x0000000000C52000-memory.dmp

Filesize
1.6MB

Download
memory/2476-258-0x0000000000E60000-0x0000000001002000-memory.dmp

Filesize
1.6MB

Download
memory/2700-270-0x0000000000370000-0x0000000000512000-memory.dmp

Filesize
1.6MB

Download
memory/2796-246-0x0000000000AD0000-0x0000000000C72000-memory.dmp

Filesize
1.6MB

Download
memory/3060-234-0x0000000000180000-0x0000000000322000-memory.dmp

Filesize
1.6MB

Download