dcrat | 8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb00f484dd8074177d1c4ad20203982a.exe
Size

1.6MB
MD5

eb00f484dd8074177d1c4ad20203982a
SHA1

9f3ac964a1c915cf7b2954dca26acb17baa73586
SHA256

64cf79a4ca419db52372e76dea60756bd9b17e62c3c416145b37e88d1fe17def
SHA512

20664145ca390fe8bd9028e772e9263a83063ee2ff460d44fa2653f38879c00d9311ff0c7dc4a84735d952761fb1e5f9da95ec39070e459371b4675fd52a4551
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2888	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2888	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/2388-1-0x0000000000880000-0x0000000000A22000-memory.dmp	dcrat
behavioral17/files/0x00050000000194c9-25.dat	dcrat
behavioral17/files/0x000700000001a429-68.dat	dcrat
behavioral17/memory/2468-125-0x00000000000E0000-0x0000000000282000-memory.dmp	dcrat
behavioral17/memory/1148-179-0x00000000008F0000-0x0000000000A92000-memory.dmp	dcrat
behavioral17/memory/1768-191-0x0000000001390000-0x0000000001532000-memory.dmp	dcrat
behavioral17/memory/2808-214-0x00000000002F0000-0x0000000000492000-memory.dmp	dcrat
behavioral17/memory/2940-226-0x0000000001090000-0x0000000001232000-memory.dmp	dcrat
behavioral17/memory/2608-249-0x00000000002A0000-0x0000000000442000-memory.dmp	dcrat
behavioral17/memory/1260-261-0x0000000000EA0000-0x0000000001042000-memory.dmp	dcrat
behavioral17/memory/2792-306-0x0000000001170000-0x0000000001312000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2224	powershell.exe
1372	powershell.exe
1612	powershell.exe
928	powershell.exe
2084	powershell.exe
484	powershell.exe
2928	powershell.exe
1972	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2468	wininit.exe
1148	wininit.exe
1768	wininit.exe
2860	wininit.exe
2808	wininit.exe
2940	wininit.exe
1608	wininit.exe
2608	wininit.exe
1260	wininit.exe
2588	wininit.exe
960	wininit.exe
1688	wininit.exe
2792	wininit.exe
2308	wininit.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\69ddcba757bf72	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\Windows NT\Accessories\wininit.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\Windows NT\Accessories\56085415360792	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCX9A95.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCX9A96.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wininit.exe	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\RCX93AC.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\RCX93AD.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\smss.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\smss.exe	eb00f484dd8074177d1c4ad20203982a.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\L2Schemas\explorer.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Windows\L2Schemas\7a0fd90576e088	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Windows\L2Schemas\RCX91A7.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Windows\L2Schemas\RCX91A8.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Windows\fr-FR\RCX95B1.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Windows\L2Schemas\explorer.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Windows\fr-FR\lsass.exe	eb00f484dd8074177d1c4ad20203982a.exe
File created	C:\Windows\fr-FR\6203df4a6bafc7	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Windows\fr-FR\RCX961F.tmp	eb00f484dd8074177d1c4ad20203982a.exe
File opened for modification	C:\Windows\fr-FR\lsass.exe	eb00f484dd8074177d1c4ad20203982a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1912	schtasks.exe
2024	schtasks.exe
2768	schtasks.exe
2720	schtasks.exe
2680	schtasks.exe
1964	schtasks.exe
2804	schtasks.exe
2424	schtasks.exe
1712	schtasks.exe
2732	schtasks.exe
1388	schtasks.exe
852	schtasks.exe
2824	schtasks.exe
2832	schtasks.exe
2612	schtasks.exe
2808	schtasks.exe
2620	schtasks.exe
2364	schtasks.exe
1280	schtasks.exe
2816	schtasks.exe
2092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2388	eb00f484dd8074177d1c4ad20203982a.exe
2388	eb00f484dd8074177d1c4ad20203982a.exe
2388	eb00f484dd8074177d1c4ad20203982a.exe
2388	eb00f484dd8074177d1c4ad20203982a.exe
2388	eb00f484dd8074177d1c4ad20203982a.exe
484	powershell.exe
2084	powershell.exe
928	powershell.exe
2224	powershell.exe
1972	powershell.exe
1372	powershell.exe
2928	powershell.exe
1612	powershell.exe
2468	wininit.exe
1148	wininit.exe
1768	wininit.exe
2860	wininit.exe
2808	wininit.exe
2940	wininit.exe
1608	wininit.exe
2608	wininit.exe
1260	wininit.exe
2588	wininit.exe
960	wininit.exe
1688	wininit.exe
2792	wininit.exe
2308	wininit.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	eb00f484dd8074177d1c4ad20203982a.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2468	wininit.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1148	wininit.exe
Token: SeDebugPrivilege	1768	wininit.exe
Token: SeDebugPrivilege	2860	wininit.exe
Token: SeDebugPrivilege	2808	wininit.exe
Token: SeDebugPrivilege	2940	wininit.exe
Token: SeDebugPrivilege	1608	wininit.exe
Token: SeDebugPrivilege	2608	wininit.exe
Token: SeDebugPrivilege	1260	wininit.exe
Token: SeDebugPrivilege	2588	wininit.exe
Token: SeDebugPrivilege	960	wininit.exe
Token: SeDebugPrivilege	1688	wininit.exe
Token: SeDebugPrivilege	2792	wininit.exe
Token: SeDebugPrivilege	2308	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1612	2388	eb00f484dd8074177d1c4ad20203982a.exe	52
PID 2388 wrote to memory of 1612	2388	eb00f484dd8074177d1c4ad20203982a.exe	52
PID 2388 wrote to memory of 1612	2388	eb00f484dd8074177d1c4ad20203982a.exe	52
PID 2388 wrote to memory of 928	2388	eb00f484dd8074177d1c4ad20203982a.exe	53
PID 2388 wrote to memory of 928	2388	eb00f484dd8074177d1c4ad20203982a.exe	53
PID 2388 wrote to memory of 928	2388	eb00f484dd8074177d1c4ad20203982a.exe	53
PID 2388 wrote to memory of 2084	2388	eb00f484dd8074177d1c4ad20203982a.exe	54
PID 2388 wrote to memory of 2084	2388	eb00f484dd8074177d1c4ad20203982a.exe	54
PID 2388 wrote to memory of 2084	2388	eb00f484dd8074177d1c4ad20203982a.exe	54
PID 2388 wrote to memory of 484	2388	eb00f484dd8074177d1c4ad20203982a.exe	55
PID 2388 wrote to memory of 484	2388	eb00f484dd8074177d1c4ad20203982a.exe	55
PID 2388 wrote to memory of 484	2388	eb00f484dd8074177d1c4ad20203982a.exe	55
PID 2388 wrote to memory of 2928	2388	eb00f484dd8074177d1c4ad20203982a.exe	56
PID 2388 wrote to memory of 2928	2388	eb00f484dd8074177d1c4ad20203982a.exe	56
PID 2388 wrote to memory of 2928	2388	eb00f484dd8074177d1c4ad20203982a.exe	56
PID 2388 wrote to memory of 1972	2388	eb00f484dd8074177d1c4ad20203982a.exe	57
PID 2388 wrote to memory of 1972	2388	eb00f484dd8074177d1c4ad20203982a.exe	57
PID 2388 wrote to memory of 1972	2388	eb00f484dd8074177d1c4ad20203982a.exe	57
PID 2388 wrote to memory of 2224	2388	eb00f484dd8074177d1c4ad20203982a.exe	58
PID 2388 wrote to memory of 2224	2388	eb00f484dd8074177d1c4ad20203982a.exe	58
PID 2388 wrote to memory of 2224	2388	eb00f484dd8074177d1c4ad20203982a.exe	58
PID 2388 wrote to memory of 1372	2388	eb00f484dd8074177d1c4ad20203982a.exe	59
PID 2388 wrote to memory of 1372	2388	eb00f484dd8074177d1c4ad20203982a.exe	59
PID 2388 wrote to memory of 1372	2388	eb00f484dd8074177d1c4ad20203982a.exe	59
PID 2388 wrote to memory of 2468	2388	eb00f484dd8074177d1c4ad20203982a.exe	68
PID 2388 wrote to memory of 2468	2388	eb00f484dd8074177d1c4ad20203982a.exe	68
PID 2388 wrote to memory of 2468	2388	eb00f484dd8074177d1c4ad20203982a.exe	68
PID 2468 wrote to memory of 1580	2468	wininit.exe	69
PID 2468 wrote to memory of 1580	2468	wininit.exe	69
PID 2468 wrote to memory of 1580	2468	wininit.exe	69
PID 2468 wrote to memory of 2680	2468	wininit.exe	70
PID 2468 wrote to memory of 2680	2468	wininit.exe	70
PID 2468 wrote to memory of 2680	2468	wininit.exe	70
PID 1580 wrote to memory of 1148	1580	WScript.exe	72
PID 1580 wrote to memory of 1148	1580	WScript.exe	72
PID 1580 wrote to memory of 1148	1580	WScript.exe	72
PID 1148 wrote to memory of 288	1148	wininit.exe	73
PID 1148 wrote to memory of 288	1148	wininit.exe	73
PID 1148 wrote to memory of 288	1148	wininit.exe	73
PID 1148 wrote to memory of 3024	1148	wininit.exe	74
PID 1148 wrote to memory of 3024	1148	wininit.exe	74
PID 1148 wrote to memory of 3024	1148	wininit.exe	74
PID 288 wrote to memory of 1768	288	WScript.exe	75
PID 288 wrote to memory of 1768	288	WScript.exe	75
PID 288 wrote to memory of 1768	288	WScript.exe	75
PID 1768 wrote to memory of 1996	1768	wininit.exe	76
PID 1768 wrote to memory of 1996	1768	wininit.exe	76
PID 1768 wrote to memory of 1996	1768	wininit.exe	76
PID 1768 wrote to memory of 880	1768	wininit.exe	77
PID 1768 wrote to memory of 880	1768	wininit.exe	77
PID 1768 wrote to memory of 880	1768	wininit.exe	77
PID 1996 wrote to memory of 2860	1996	WScript.exe	78
PID 1996 wrote to memory of 2860	1996	WScript.exe	78
PID 1996 wrote to memory of 2860	1996	WScript.exe	78
PID 2860 wrote to memory of 2440	2860	wininit.exe	79
PID 2860 wrote to memory of 2440	2860	wininit.exe	79
PID 2860 wrote to memory of 2440	2860	wininit.exe	79
PID 2860 wrote to memory of 352	2860	wininit.exe	80
PID 2860 wrote to memory of 352	2860	wininit.exe	80
PID 2860 wrote to memory of 352	2860	wininit.exe	80
PID 2440 wrote to memory of 2808	2440	WScript.exe	81
PID 2440 wrote to memory of 2808	2440	WScript.exe	81
PID 2440 wrote to memory of 2808	2440	WScript.exe	81
PID 2808 wrote to memory of 2816	2808	wininit.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe
"C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\eb00f484dd8074177d1c4ad20203982a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Program Files\Windows NT\Accessories\wininit.exe
  "C:\Program Files\Windows NT\Accessories\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c05b4a63-5bed-47c2-9a28-4f6e0195d014.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Program Files\Windows NT\Accessories\wininit.exe
      "C:\Program Files\Windows NT\Accessories\wininit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa802fae-4538-44c4-9eaa-badc375d9f61.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:288
      - C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d6b2501-72e9-41e7-bba0-49c0f4bbf8a0.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\310484bb-b686-47a0-85e0-8fb48df9a42d.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd0997ca-9d6b-4052-b73b-d4f3d7d7fe5a.vbs"
        11⤵
        
        PID:2816
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68091366-4fe9-4ea2-bbb6-ab3ab4884d2f.vbs"
        13⤵
        
        PID:2288
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23f91c64-6146-4579-bdd5-05a840169d46.vbs"
        15⤵
        
        PID:2856
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\850680b8-738a-447f-bce9-ff134fb34a81.vbs"
        17⤵
        
        PID:3064
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0057c84d-126c-4492-9905-de5141cb397f.vbs"
        19⤵
        
        PID:1640
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46167efa-49ac-46ef-ba24-74b2e8bc8478.vbs"
        21⤵
        
        PID:1664
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab1dfea5-9595-4648-9703-b7ff56175e47.vbs"
        23⤵
        
        PID:2788
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03e10de1-20b8-44b9-9343-2b82e4ce7cbe.vbs"
        25⤵
        
        PID:2420
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\070067d3-2415-4737-b5c2-d9333410ec12.vbs"
        27⤵
        
        PID:2528
        
        C:\Program Files\Windows NT\Accessories\wininit.exe
        
        "C:\Program Files\Windows NT\Accessories\wininit.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132b798a-ee26-4003-bcd9-b18919df4e05.vbs"
        29⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18fc4286-91de-4f42-b0cd-88f768034575.vbs"
        29⤵
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ff849be-bd11-4c88-99c6-6677013901d8.vbs"
        27⤵
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15d56e38-daba-4c76-9e51-ab5e128089a9.vbs"
        25⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8146a6f7-bd2a-4541-abab-7e5c444ea39c.vbs"
        23⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\788707ee-cd9c-4271-a1f2-1ea3972a0de2.vbs"
        21⤵
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\505ef44f-dad7-41c6-8c1e-5be164bc8c15.vbs"
        19⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f058d6c8-612a-46a5-9222-3295f2c1b788.vbs"
        17⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fbb8a24-4bc1-42aa-967c-8f9485bffd9d.vbs"
        15⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1f4d939-064a-4095-9036-0d79c727d4d0.vbs"
        13⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87d753d2-dc42-42b0-a316-dc6161f49b3a.vbs"
        11⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4bc70cc-dd30-42a7-9b28-378ef1da8e93.vbs"
        9⤵
        
        PID:352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84ea38f4-f078-46e3-9ad8-3e6efdcc162d.vbs"
        7⤵
        
        PID:880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d9c8b42-e0d9-45b3-b1dd-04b6b4356f5a.vbs"
        5⤵
        
        PID:3024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b7cffa5-c58f-49b6-8511-4a057557f997.vbs"
    3⤵
    PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\Accessories\wininit.exe

Filesize
1.6MB

MD5
eb00f484dd8074177d1c4ad20203982a

SHA1
9f3ac964a1c915cf7b2954dca26acb17baa73586

SHA256
64cf79a4ca419db52372e76dea60756bd9b17e62c3c416145b37e88d1fe17def

SHA512
20664145ca390fe8bd9028e772e9263a83063ee2ff460d44fa2653f38879c00d9311ff0c7dc4a84735d952761fb1e5f9da95ec39070e459371b4675fd52a4551

Download Submit
C:\Users\Admin\AppData\Local\Temp\0057c84d-126c-4492-9905-de5141cb397f.vbs

Filesize
727B

MD5
9ba68ef19e5634da8a0eea7181be111b

SHA1
5c0d600131ae8f246edf5cc50b21e1edc8b19740

SHA256
bbb4fad14380a6ad3b597fe26b9bda046439419db2b5535acf1686a629ddf39b

SHA512
ee11cab663260fe7eba2a5be78f64125fb3ab51336bc3ea690ba06196f58dc9226829e30288d1603107821ff7e9f9b00036e4d00e350184a00c3069b3efcdf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\03e10de1-20b8-44b9-9343-2b82e4ce7cbe.vbs

Filesize
727B

MD5
4c59f97d60776fc4c3923f0ee00a6772

SHA1
9a05d62f831d0949e3719649e6cd47df2bb375f8

SHA256
337d3500adc429df6d22fb009440e494c78eb930fe26c81c1fc398e7ba95ecac

SHA512
e74090d44d87065482315687df767155c0b30fcab3e6d6b0bc18530d0ba85c6dac27e7c838bee4cc0ceabdd91f2e98d71e567cf748c1f5be2b0c9be39f867f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\070067d3-2415-4737-b5c2-d9333410ec12.vbs

Filesize
727B

MD5
f6617818d3bc6dd8017934c4cc9eac3a

SHA1
637a87ece099914cd4078bda6680f1c72b24a2ea

SHA256
14a57475bdc4a8e605129b08cde760ee625e31510821f9186c8669694052e3ce

SHA512
27a0a85a86e73c4e64c254301606aa5f15682c6398a44ff1823a16a17dc82277d7fa60dbe23c1d44ac5b57972be9da616e36b49e5d434119df239ca07485c068

Download Submit
C:\Users\Admin\AppData\Local\Temp\132b798a-ee26-4003-bcd9-b18919df4e05.vbs

Filesize
727B

MD5
1899cb8af964a9ade1bbd73774fd376a

SHA1
cf213ea4cbb841980507862b0b35d2c08d32f7c5

SHA256
4b05ff1b3073076ebeb1781ae2255ff09b0284eef2167ec10c406fb4436fa4c9

SHA512
08e6eed35e27d6f9698973ab80b054465f17ba69c576109df53f360425487acc336ef057384a214520da3fd0ee1fb95bc21ea2f2221650682e222d2e2b9257c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\23f91c64-6146-4579-bdd5-05a840169d46.vbs

Filesize
727B

MD5
86ff41bd42fbcd661fb72628cc51b6c2

SHA1
49a695192918fbec96b14831c690ab25a485b0ab

SHA256
34763b752ece3c883412bcfd3f1a799f8dc6fb79af42e972b795d87015bd34c4

SHA512
a97fb0d7c1d13197bc3d8dea4f2656d7e7ed3c3aa7249cd73830097c2ebd43429e0e2af677758c6a0aebdd13653ba3b733b6d0b67e54abb4a6ce17084ebfbc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\310484bb-b686-47a0-85e0-8fb48df9a42d.vbs

Filesize
727B

MD5
8abf52453d2d80cb33cf0bd3bfe9feb2

SHA1
8657980e4e0ab95d506b4940704941febd5a693a

SHA256
0e8ca0ebca2150158bb3935037b69e2df6860786bd843f27a7e78a36248a45ca

SHA512
0c0da155d5adbd4f059aea315e1be15d9c6d16ed7870edad51a1aef6975d95e12e6654e13648d7345cfbd08ade00da2fd149bbc504d7ccde14f722e89bd429c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d6b2501-72e9-41e7-bba0-49c0f4bbf8a0.vbs

Filesize
727B

MD5
5e5a25e88aa97c3ff492f4aff3795f7d

SHA1
c315274a6be3a0c2d744a762b12c1399fb1bee04

SHA256
05f6e010d6238a2edffe55917aac4422a781b50abfc72274284891894b6c199a

SHA512
ba999a72de68968eb75d1ba7919d878d384b7a47a2324451b2b57e944e04e5011a45bac2b578c8f9573bfb5c46498666412e3d61ee748a5e519c44a2dade7321

Download Submit
C:\Users\Admin\AppData\Local\Temp\46167efa-49ac-46ef-ba24-74b2e8bc8478.vbs

Filesize
727B

MD5
514a84b06b9bf7326ccd47f1d1f91767

SHA1
feb9723c9e5174b4e8f263b6a26c68ed672a85c6

SHA256
9613fc9eb99ec39a5abf6f633c11b1e4a68679cf1367494dddb0df3249bfd055

SHA512
2028bf9ff132efa6d94007488f677b4a855f17c5715cb7a5601c843e1296fb6818a536cef41b67fe40db56acd29951f0d82b428e52fcb080bbd9f67ab3d2800c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b7cffa5-c58f-49b6-8511-4a057557f997.vbs

Filesize
503B

MD5
52263769148645b37b48b9487028986c

SHA1
0180c19c4c1883c699b97cf839044f170fcc2394

SHA256
9d23b2c68862dbb84a7c38da7f610222f7babb1a4f0758b75a568092ad8ff9ce

SHA512
3704e1ca99b8362ab25b0aaa594c4270310f43c089b21cedcbc58ca3cb75d330d51c741b5acd56db08d671ee8205e38f62f74758fccbb54caf15ce460c37f329

Download Submit
C:\Users\Admin\AppData\Local\Temp\68091366-4fe9-4ea2-bbb6-ab3ab4884d2f.vbs

Filesize
727B

MD5
a360f977b56f4fca15599e0c913fd0bd

SHA1
183692f343f61f45de3a4454375422679b7ca0b9

SHA256
d1415fedebd15073c448f4be92a20ac0abb2147ffb8a3df82732bec274dad6d4

SHA512
57bd9307055ce8ebe26389a25a7d8d7e28d6bf9953430a6a0f240e00cfdc2e14b3d36920b018725097873bece39ca1aa39f0df23e15c8d69657881342caa92ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\850680b8-738a-447f-bce9-ff134fb34a81.vbs

Filesize
727B

MD5
b164b583d368fef826e86f76972f57d5

SHA1
a901174c2da5a4a3a3d5f7aba42cdfb6114e6f44

SHA256
4235f468e18ccef5cb208f2d41745e3f4ed10457eeb4ba411caaa6c0c3ad5f95

SHA512
13d3c64025f4daa1f6cb2a9a07f2bb38d50791d630d496666a6a1bddaaaeb5b69d3f0c3a587bc248baa8aedb215e8f478a286dc94762d85d554f15d21668cbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab1dfea5-9595-4648-9703-b7ff56175e47.vbs

Filesize
726B

MD5
f7a76bf12b955afcd5eaf84bb22b3019

SHA1
69cd44ba5926a81ad516a68042c6ec6340d602ab

SHA256
4153be3623481a87ff83ab7ef18108cd255f6782e823a80dfe3e1841e03588b3

SHA512
8301b8c8466b80ab298c5a314c316d9753d8f7f2be706a49de3ff6178ccd2122ef213f7281cc5424c052f5bb2384f4ba67f91d7067383c549ec094f222da7c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\c05b4a63-5bed-47c2-9a28-4f6e0195d014.vbs

Filesize
727B

MD5
a016c70873fff254a0417105b988d867

SHA1
f4ca93bf9776b92f460d5768440b86b35fb3f574

SHA256
f653b7f379e1f36c9b1374c6d1efa516969f7017be627f914bd99c8b077bc582

SHA512
edb032e966f2df39d3f876af5fda3025e3f581f52f3d6bb8416eb3d7656015fbed0ee7079a047115a7758767e92ed30dd045f2ce81137ee6bff2c3335ff2173e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa802fae-4538-44c4-9eaa-badc375d9f61.vbs

Filesize
727B

MD5
803b9a14d25fe42381c3b8ec718cafad

SHA1
b20e2ba319b80b4be281f8b62a3978fa395f65ec

SHA256
1fd19f08dcfe1603d6081cf4d5648fc4f3480bcfa47600508c21f09453d5d277

SHA512
631b85e636398d88ed4abf990d43572d17b2559866bb9081a90d9a835fd338b0e48d18d7717bab4c1a81177f3bc0c225cc50e65160a8465ce6cec1776fea4aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd0997ca-9d6b-4052-b73b-d4f3d7d7fe5a.vbs

Filesize
727B

MD5
0197bb5bbbf809185cf894c37d389c16

SHA1
b45eae89083a2e4535dfc69c706d56e95ccd9ca2

SHA256
47881e82798ab73da52cca04db6153eac90570c62111bd9183ddfa02fc925fcf

SHA512
c25c3aa9049370771cb2f85ccb86e6f22f5576d0732996edc2eb70e11a5464c0889bb097b662dbb41934d56955612542a6f511685bbe2f546608e194a2d350af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3419dd92f4d6aa9ede1ec3a09c0e65d5

SHA1
ce8ddf73fd60880cdca0cb625ca602e504959a21

SHA256
20408fcdf019d6114472bcc2f4505173b9d5e73db298dabfc774ee650a37b1ef

SHA512
f6566084d158c6f43415535dc844a67f88d874055b0e010e6eafdb14c8e46e72144608c0acc8873f08292f4f11466f63b111a019b6643ff574dbb9650fb8f96d

Download Submit
C:\Windows\fr-FR\lsass.exe

Filesize
1.6MB

MD5
d3b53cfb259209ef3f5e30456739d519

SHA1
bf9098bd78d238529dd5db2d9849a7ea750d7881

SHA256
6be11bc8dbd47c073a0110b4e8380d66b04269d329be5f089a8d9fd9076d1f99

SHA512
5e26967cdcd7106fb1cb9f77427593ae5512789cebcea599f56602adca90117ea99b311d90965da8ecbb09282c8b7ceafde4d0b08c10519e52261d45284b4870

Download Submit
memory/484-158-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/484-142-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1148-179-0x00000000008F0000-0x0000000000A92000-memory.dmp

Filesize
1.6MB

Download
memory/1260-261-0x0000000000EA0000-0x0000000001042000-memory.dmp

Filesize
1.6MB

Download
memory/1768-191-0x0000000001390000-0x0000000001532000-memory.dmp

Filesize
1.6MB

Download
memory/2388-7-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/2388-9-0x0000000002330000-0x000000000233C000-memory.dmp

Filesize
48KB

Download
memory/2388-14-0x000000001AAF0000-0x000000001AAF8000-memory.dmp

Filesize
32KB

Download
memory/2388-1-0x0000000000880000-0x0000000000A22000-memory.dmp

Filesize
1.6MB

Download
memory/2388-15-0x000000001AB00000-0x000000001AB0A000-memory.dmp

Filesize
40KB

Download
memory/2388-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/2388-16-0x000000001AB10000-0x000000001AB1C000-memory.dmp

Filesize
48KB

Download
memory/2388-12-0x000000001AAD0000-0x000000001AADE000-memory.dmp

Filesize
56KB

Download
memory/2388-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-10-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/2388-3-0x0000000002150000-0x000000000216C000-memory.dmp

Filesize
112KB

Download
memory/2388-13-0x000000001AAE0000-0x000000001AAE8000-memory.dmp

Filesize
32KB

Download
memory/2388-8-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2388-4-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2388-11-0x000000001AAC0000-0x000000001AACA000-memory.dmp

Filesize
40KB

Download
memory/2388-126-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-5-0x00000000021F0000-0x0000000002206000-memory.dmp

Filesize
88KB

Download
memory/2388-6-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2468-125-0x00000000000E0000-0x0000000000282000-memory.dmp

Filesize
1.6MB

Download
memory/2608-249-0x00000000002A0000-0x0000000000442000-memory.dmp

Filesize
1.6MB

Download
memory/2792-306-0x0000000001170000-0x0000000001312000-memory.dmp

Filesize
1.6MB

Download
memory/2808-214-0x00000000002F0000-0x0000000000492000-memory.dmp

Filesize
1.6MB

Download
memory/2940-226-0x0000000001090000-0x0000000001232000-memory.dmp

Filesize
1.6MB

Download