dcrat | 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
Size

1.6MB
MD5

3f11fa2cd76162ff88f473e5ce7370bd
SHA1

c9d23fd0b96a490dd737f8cee733d2efdebe5b17
SHA256

0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624
SHA512

2c54a9e1dd2eb6cd53517f4731920bfa324aa867a81adefee61f1ec487ba1f38a2f403e0f083b73c489281f7956dad294e3c179bcf71e8392ec01c039be13c75
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2856	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2856	schtasks.exe	29

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/1660-1-0x0000000000230000-0x00000000003D2000-memory.dmp	dcrat
behavioral3/files/0x000500000001a4d9-25.dat	dcrat
behavioral3/files/0x000500000001c875-46.dat	dcrat
behavioral3/files/0x000600000001a4e2-114.dat	dcrat
behavioral3/memory/2504-185-0x0000000000C20000-0x0000000000DC2000-memory.dmp	dcrat
behavioral3/memory/1112-196-0x0000000000EF0000-0x0000000001092000-memory.dmp	dcrat
behavioral3/memory/1948-219-0x00000000002B0000-0x0000000000452000-memory.dmp	dcrat
behavioral3/memory/2868-231-0x00000000009E0000-0x0000000000B82000-memory.dmp	dcrat
behavioral3/memory/836-243-0x0000000001050000-0x00000000011F2000-memory.dmp	dcrat
behavioral3/memory/2224-255-0x0000000001070000-0x0000000001212000-memory.dmp	dcrat
behavioral3/memory/2312-267-0x0000000001160000-0x0000000001302000-memory.dmp	dcrat
behavioral3/memory/1548-301-0x00000000012D0000-0x0000000001472000-memory.dmp	dcrat
behavioral3/memory/1952-313-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2580	powershell.exe
1676	powershell.exe
1960	powershell.exe
1860	powershell.exe
1880	powershell.exe
2432	powershell.exe
1620	powershell.exe
1932	powershell.exe
2000	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2504	smss.exe
1112	smss.exe
2672	smss.exe
1948	smss.exe
2868	smss.exe
836	smss.exe
2224	smss.exe
2312	smss.exe
2828	smss.exe
1196	smss.exe
1548	smss.exe
1952	smss.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\RCX5923.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\886983d96e3d3e	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX5519.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX551A.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files\Mozilla Firefox\OSPPSVC.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files\Uninstall Information\smss.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files\Uninstall Information\smss.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCX5B28.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCX5922.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCX5B27.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files\Mozilla Firefox\OSPPSVC.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files\Mozilla Firefox\1610b97d3ab4a7	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Characters\56085415360792	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\es-ES\RCX571D.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\es-ES\dllhost.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\RCX602A.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\RCX602B.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\es-ES\RCX571E.tmp	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\wininit.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Windows\es-ES\dllhost.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Windows\es-ES\5940a34987c991	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
File created	C:\Windows\Web\Wallpaper\Characters\wininit.exe	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2980	schtasks.exe
2480	schtasks.exe
1288	schtasks.exe
2604	schtasks.exe
2956	schtasks.exe
2996	schtasks.exe
880	schtasks.exe
2328	schtasks.exe
1260	schtasks.exe
2736	schtasks.exe
2756	schtasks.exe
2920	schtasks.exe
1460	schtasks.exe
2668	schtasks.exe
2200	schtasks.exe
1196	schtasks.exe
2584	schtasks.exe
2436	schtasks.exe
2632	schtasks.exe
668	schtasks.exe
924	schtasks.exe
2988	schtasks.exe
2880	schtasks.exe
1056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
1860	powershell.exe
1676	powershell.exe
1960	powershell.exe
2580	powershell.exe
2432	powershell.exe
1880	powershell.exe
1620	powershell.exe
1932	powershell.exe
2000	powershell.exe
2504	smss.exe
1112	smss.exe
2672	smss.exe
1948	smss.exe
2868	smss.exe
836	smss.exe
2224	smss.exe
2312	smss.exe
2828	smss.exe
1196	smss.exe
1548	smss.exe
1952	smss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2504	smss.exe
Token: SeDebugPrivilege	1112	smss.exe
Token: SeDebugPrivilege	2672	smss.exe
Token: SeDebugPrivilege	1948	smss.exe
Token: SeDebugPrivilege	2868	smss.exe
Token: SeDebugPrivilege	836	smss.exe
Token: SeDebugPrivilege	2224	smss.exe
Token: SeDebugPrivilege	2312	smss.exe
Token: SeDebugPrivilege	2828	smss.exe
Token: SeDebugPrivilege	1196	smss.exe
Token: SeDebugPrivilege	1548	smss.exe
Token: SeDebugPrivilege	1952	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1676	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	54
PID 1660 wrote to memory of 1676	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	54
PID 1660 wrote to memory of 1676	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	54
PID 1660 wrote to memory of 1932	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	55
PID 1660 wrote to memory of 1932	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	55
PID 1660 wrote to memory of 1932	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	55
PID 1660 wrote to memory of 2580	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	56
PID 1660 wrote to memory of 2580	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	56
PID 1660 wrote to memory of 2580	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	56
PID 1660 wrote to memory of 1960	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	58
PID 1660 wrote to memory of 1960	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	58
PID 1660 wrote to memory of 1960	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	58
PID 1660 wrote to memory of 2000	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	60
PID 1660 wrote to memory of 2000	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	60
PID 1660 wrote to memory of 2000	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	60
PID 1660 wrote to memory of 1860	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	61
PID 1660 wrote to memory of 1860	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	61
PID 1660 wrote to memory of 1860	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	61
PID 1660 wrote to memory of 1880	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	62
PID 1660 wrote to memory of 1880	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	62
PID 1660 wrote to memory of 1880	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	62
PID 1660 wrote to memory of 2432	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	63
PID 1660 wrote to memory of 2432	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	63
PID 1660 wrote to memory of 2432	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	63
PID 1660 wrote to memory of 1620	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	64
PID 1660 wrote to memory of 1620	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	64
PID 1660 wrote to memory of 1620	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	64
PID 1660 wrote to memory of 3028	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	72
PID 1660 wrote to memory of 3028	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	72
PID 1660 wrote to memory of 3028	1660	0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe	72
PID 3028 wrote to memory of 1624	3028	cmd.exe	74
PID 3028 wrote to memory of 1624	3028	cmd.exe	74
PID 3028 wrote to memory of 1624	3028	cmd.exe	74
PID 3028 wrote to memory of 2504	3028	cmd.exe	75
PID 3028 wrote to memory of 2504	3028	cmd.exe	75
PID 3028 wrote to memory of 2504	3028	cmd.exe	75
PID 2504 wrote to memory of 2940	2504	smss.exe	76
PID 2504 wrote to memory of 2940	2504	smss.exe	76
PID 2504 wrote to memory of 2940	2504	smss.exe	76
PID 2504 wrote to memory of 2040	2504	smss.exe	77
PID 2504 wrote to memory of 2040	2504	smss.exe	77
PID 2504 wrote to memory of 2040	2504	smss.exe	77
PID 2940 wrote to memory of 1112	2940	WScript.exe	78
PID 2940 wrote to memory of 1112	2940	WScript.exe	78
PID 2940 wrote to memory of 1112	2940	WScript.exe	78
PID 1112 wrote to memory of 1796	1112	smss.exe	79
PID 1112 wrote to memory of 1796	1112	smss.exe	79
PID 1112 wrote to memory of 1796	1112	smss.exe	79
PID 1112 wrote to memory of 2128	1112	smss.exe	80
PID 1112 wrote to memory of 2128	1112	smss.exe	80
PID 1112 wrote to memory of 2128	1112	smss.exe	80
PID 1796 wrote to memory of 2672	1796	WScript.exe	81
PID 1796 wrote to memory of 2672	1796	WScript.exe	81
PID 1796 wrote to memory of 2672	1796	WScript.exe	81
PID 2672 wrote to memory of 1648	2672	smss.exe	82
PID 2672 wrote to memory of 1648	2672	smss.exe	82
PID 2672 wrote to memory of 1648	2672	smss.exe	82
PID 2672 wrote to memory of 2692	2672	smss.exe	83
PID 2672 wrote to memory of 2692	2672	smss.exe	83
PID 2672 wrote to memory of 2692	2672	smss.exe	83
PID 1648 wrote to memory of 1948	1648	WScript.exe	84
PID 1648 wrote to memory of 1948	1648	WScript.exe	84
PID 1648 wrote to memory of 1948	1648	WScript.exe	84
PID 1948 wrote to memory of 1492	1948	smss.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe
"C:\Users\Admin\AppData\Local\Temp\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Characters\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhVcTArxqY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1624
- - C:\Program Files\Uninstall Information\smss.exe
    "C:\Program Files\Uninstall Information\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24c99366-4c53-46f5-8c12-b96f8cece480.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60d1af15-9821-445a-ae97-d102d8a0856f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4228d9c9-97a0-458d-b220-b501eba9606d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3652ce3c-2141-43be-80df-d87b46bf8419.vbs"
        10⤵
        
        PID:1492
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\948ab925-0eba-48a3-8a30-622bbf5ba3db.vbs"
        12⤵
        
        PID:1016
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f0ff381-985f-4d47-a821-fa5be7a16eb3.vbs"
        14⤵
        
        PID:1412
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\985c4151-9aad-45b4-93c7-0049c81ab2cc.vbs"
        16⤵
        
        PID:2996
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a6cf469-0b69-4543-b6ca-3623b9eb4eb0.vbs"
        18⤵
        
        PID:2756
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b056821-9465-4efd-b88d-1fc7a579b3f0.vbs"
        20⤵
        
        PID:2368
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcd55896-85d1-4afe-901d-8969297a7764.vbs"
        22⤵
        
        PID:944
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\687e80f6-6a5b-4355-9bbe-c9f601c972d7.vbs"
        24⤵
        
        PID:2768
        
        C:\Program Files\Uninstall Information\smss.exe
        
        "C:\Program Files\Uninstall Information\smss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacf6242-22bf-4576-8eca-962165079537.vbs"
        26⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1270b96e-fc54-41e5-b0c2-aaa7373f47d2.vbs"
        26⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\561aa179-99f2-4912-b497-5e67c1c39e9d.vbs"
        24⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1f3e45-3e04-4a33-95a1-e3de6f1c0ab9.vbs"
        22⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\523de61a-d843-4a90-b561-f6f45d2b94b1.vbs"
        20⤵
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a87914a-c2ef-470b-945e-33db4df2946d.vbs"
        18⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\872aa164-44ea-497b-80de-b2802ed1e1b7.vbs"
        16⤵
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd261170-21f8-4c6c-b4a3-c10e41afda61.vbs"
        14⤵
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\284c9239-9a50-4626-837d-dd2fe1cf10ce.vbs"
        12⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5739a715-ecaf-48d3-98d9-fbb61fcb2f1a.vbs"
        10⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94a68a7c-c245-4ca3-ae1d-0e3bcfaf0283.vbs"
        8⤵
        
        PID:2692
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\575b96dc-c932-4a7e-b106-3d27b2c6c32f.vbs"
        6⤵
        
        PID:2128
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70513ebb-7240-4a8f-9c0c-8fedf593d113.vbs"
      4⤵
      PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f96240" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f96240" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Characters\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Characters\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Characters\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe

Filesize
1.6MB

MD5
52c05f2d75ee57df2c1f078163028538

SHA1
c407ea69e6eb06e56aef289a2b67b4de8adc235d

SHA256
eabbaa3e17c856663c1635dc3205ebca35bf52325a25665e11c7e1f021dc3f37

SHA512
a3325b4dabc6911c0a826e9430ba013279f99cc9cac98332109ce3e705f6b1d5fa06c6493d0b12808b1b7ca65667f4307779e4e789b044b8f87f9bf098a70f8f

Download Submit
C:\Program Files\Mozilla Firefox\OSPPSVC.exe

Filesize
1.6MB

MD5
3f11fa2cd76162ff88f473e5ce7370bd

SHA1
c9d23fd0b96a490dd737f8cee733d2efdebe5b17

SHA256
0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624

SHA512
2c54a9e1dd2eb6cd53517f4731920bfa324aa867a81adefee61f1ec487ba1f38a2f403e0f083b73c489281f7956dad294e3c179bcf71e8392ec01c039be13c75

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\0913fbedc27f633ea1ec101a6a59751c4766b5c708eaa3e2ebfbfaebf01f9624.exe

Filesize
1.6MB

MD5
402d9e153dc3e0f4d04d70f7ba4e9026

SHA1
f3bb6d586892f2e5ca03697818669e9d1ffacfed

SHA256
bf9a815e3a01ec969a6fc18810cf135acba37199a9b0b46edc6b6526af8277f7

SHA512
57cb2ead5117493635d0d0b3075fedd62ad2dd6f3e4d9518697a9b7f534c5dc304df3edcba398dc9bbd089109d538a0405466c72676e19bb3e58f12e559fc212

Download Submit
C:\Users\Admin\AppData\Local\Temp\24c99366-4c53-46f5-8c12-b96f8cece480.vbs

Filesize
723B

MD5
d802c42e5111c61c2b34e796b1bf8688

SHA1
79e916b2cd7a85dee8d2c5eeca6a1c5032ce746b

SHA256
5ac92539bef34bca808bc239c8dc574c32e46ca873f20d2249b090273aa406c2

SHA512
641fa697f39285a15e61fe5574f1d3fb9cf17a5efb20b67260c891774a286e0e39bf8a4fa612d44e095663227f34c0b7e988d860bc771c8e86092afb8d45a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3652ce3c-2141-43be-80df-d87b46bf8419.vbs

Filesize
723B

MD5
e5da7da18ac5524cbb62b152e39ceee4

SHA1
ce67c485bc875d516e2f25ff9ef9c24d51a7ae74

SHA256
5d670ddd7ec79370f0f6106abb77c261d5d4bcc93e819c1cff72f7a82976e51e

SHA512
9677785b68147a3a3c9952d7cc96436adbc9d0a67212e31650c469d180385aecf682971532463383c2f47ea6bc605ae496d5b3ba59f13d5947568d8b7e0701a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4228d9c9-97a0-458d-b220-b501eba9606d.vbs

Filesize
723B

MD5
1c2cbfc05408938c99d622895fd49335

SHA1
0887e292dcfbe669837107ecbbf015cc60ea0c49

SHA256
0422301883a0e5aac7039f1309502bc1a5d0f4697eb92b6d6607151805a939a6

SHA512
72a3b86a3231ea4cf8e405f914ba90df5a01911ba7e3e624fddd5479af376896250f6b6ac6ff54f4da95107cdd46c8970ef2e962ad4c7cff0f3c6a3163f6bafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a6cf469-0b69-4543-b6ca-3623b9eb4eb0.vbs

Filesize
723B

MD5
ac16962c114a21ddb8c2c614497afca5

SHA1
69471557ff304073f0f83265b961d306cb80c621

SHA256
164ac63b9bdfa2e52da071f1e854a2001abe7ca15236c2db89254422dedba490

SHA512
3ebdb6cfb14201b597da9a104d4d329a40009a663602021dc127ae1d594955deba7e819e33156f4b462357e9cc19714b83e9a0de4d465d63d6ca9c44580436f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\60d1af15-9821-445a-ae97-d102d8a0856f.vbs

Filesize
723B

MD5
954212a816d869a0add2f286f0c13f93

SHA1
4781b0e6504c79a7249c5241ac214b7b324fd45c

SHA256
5fb698335a0712c4215cfa1ab150d9e4477c4a431ad584baf922049f8c847c77

SHA512
4171b579071bc99e4f71be25631ec926a35c2284bfe9e2df1a4a6c26ecad5e234bf5f5572ca3bde1a93f952ac4d84c8ed7ac709d20b868b86f03faac829a3d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\687e80f6-6a5b-4355-9bbe-c9f601c972d7.vbs

Filesize
723B

MD5
9fd56d73b535009573982633161b3ca9

SHA1
1cd37f44e966dd8fac27b03aa16389257f042aea

SHA256
30af95415189cb223cda90b294f20480c3c88511cd3bc11a43a27af7d65c1455

SHA512
438020365e00ca211cb8b66406acfc23739280d8cf8821f8899ec4028809f18bd95c7bed4a78020120ca7a42872ccf8c693dac78f355102f4bf67e7a18082ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\70513ebb-7240-4a8f-9c0c-8fedf593d113.vbs

Filesize
499B

MD5
2b7e85d5f5d8c7fedd215570f1db7c1c

SHA1
98e5a7fa93e13eb1f522dc285bfa2f76e58a008c

SHA256
52021aa0a996409f855a18d05d07f393b8c2e238e27ef2b79775d292f2f239da

SHA512
cc107b2e48dfeda9739ed1313dc72ef268ef35f93b78d663a6d564810574c79c391e4b76891f7e11b7c075fa5a93ded8d5a0db75648bc24fb3efa803d2835039

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b056821-9465-4efd-b88d-1fc7a579b3f0.vbs

Filesize
723B

MD5
474aabb43c32e55e4d61ff1854c7a15b

SHA1
bf582243fe8eaa7db7db97f5fd709d7be2216fd8

SHA256
26cdc852eabbf749fd47c50bb032bbe97cebe2ea5be182ac7191714b834659bd

SHA512
c3346ebdfce86cea65c47282f2f9ad5ecf372bbcda27e376d283c6e683fefdb1a87aa2c84aef02d4772ce795c7d2939756ca0fccc877f6c530e0cd5f7adbcaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\948ab925-0eba-48a3-8a30-622bbf5ba3db.vbs

Filesize
723B

MD5
5574840d177ff5ae62dca0e7f6b7d1df

SHA1
7c84aed2f89238725653494ff6b07c746e177b41

SHA256
015a4d65235f1d712f8189df29d24293d12b9062fedcf26ad30513567ff51cb9

SHA512
880e4b0fa5ee99c3cfacd8fe4d1dd6fddb6d96f83a97b92e92c097a9e912d65cd22edee2b87f68013a08aef8cf97288df2d92b29ffdee188b63d39543889395a

Download Submit
C:\Users\Admin\AppData\Local\Temp\985c4151-9aad-45b4-93c7-0049c81ab2cc.vbs

Filesize
723B

MD5
ba16aff8d82774ffa144f68b7732e606

SHA1
87e17c963333a3898a82b6d177cd6b6197dd4df1

SHA256
5e8d70dc0f9d36eca496bae3e260811c3288f797d1bdaf7a80a9fb005621707b

SHA512
1fc3016a2e4b626d6993a1e33b825ec5abef732851e3bb7b7f7438aef9bc2d962bb09af3f4f56b809ae581a31b4a5c7cee15bd1a29a7437cbce70300e989db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f0ff381-985f-4d47-a821-fa5be7a16eb3.vbs

Filesize
722B

MD5
948ea7f38124b0fd76442f2a9b492005

SHA1
6d8a3202f255024c626a37bbefb30548a7aa7aa3

SHA256
8f1fdab4a508c3a805c62edae5b3de89afccc9ab9204e929088636571efee7ba

SHA512
fb8cb30ee00c7cb5cd46b88f012641d5583d1381f660a2b28f51cc4b059c7729513129d5086da350fb55695bae8b986cf91dba69664ba73c2431f42f9dcacf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\cacf6242-22bf-4576-8eca-962165079537.vbs

Filesize
723B

MD5
ae024fba64cc51fbc95a9c43073e0529

SHA1
dfdea6b48b9ab381880b09aaf95c8030b1e1dad2

SHA256
b3e3b531f6ec3ff6c99741416ebcfb5b0f546f12e499c6c6ae8824e5fb290f0a

SHA512
0d6a0b78b4c760418aef2da45925c37ba14428521f6af669aed0ce36a609c4757fdbdd01f8549094ca030ade1bc6b4cb8271aabeb03fb552f290cced2c14a97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd55896-85d1-4afe-901d-8969297a7764.vbs

Filesize
723B

MD5
9e05c6bed70f91a6b5f0ca31f4727341

SHA1
4888d029d82c8f535ee119df9cce51fae3342716

SHA256
b29c90f677e19493316096072a33ccd24a2e62699c8a681aaff8bd79628279f8

SHA512
77099aaab760e02c3a407bf853f411748166d251ee4ffe4aeb1f9d9c455a99248ec2271cf4f5c96ef309bee631cabef8af4f2c5ce2a48aaebdcb87f97b5413b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhVcTArxqY.bat

Filesize
212B

MD5
d46f5ca5bafd3ee1c8f4e96795b97175

SHA1
7c251c1b34a003d944cd43d6a83c452c6012cf4c

SHA256
5427d7fcc81b9d646de4226e5a4b4a6e4d9287631d171cd88727ccc74e80c351

SHA512
2132fb25c78cfea121c2abb131e37c8ed8cedf7d76a0c4a543539e4180c5b3ca10f8b4882e907ddd9f057872eb04379187e29b01de16bb961460afb7b2756005

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6bf8a41df60744f8474d40f1898718f1

SHA1
15f75245847d4ee507efe609fc802906429ea2cc

SHA256
e14298f932b24d94632738cd402c232bb0e575ea49803556d2a024bbe0155aca

SHA512
9d8e5eab952132e99b141b71992464b0ea87b139ccfcda1edfdfa8c918833d1b308f350657a16ea0d419b46656717460153ff64548ea5716c607f8587b43422c

Download Submit
memory/836-243-0x0000000001050000-0x00000000011F2000-memory.dmp

Filesize
1.6MB

Download
memory/1112-196-0x0000000000EF0000-0x0000000001092000-memory.dmp

Filesize
1.6MB

Download
memory/1548-301-0x00000000012D0000-0x0000000001472000-memory.dmp

Filesize
1.6MB

Download
memory/1660-11-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/1660-10-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/1660-1-0x0000000000230000-0x00000000003D2000-memory.dmp

Filesize
1.6MB

Download
memory/1660-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-3-0x00000000003F0000-0x000000000040C000-memory.dmp

Filesize
112KB

Download
memory/1660-16-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/1660-12-0x0000000002210000-0x000000000221E000-memory.dmp

Filesize
56KB

Download
memory/1660-13-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1660-14-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/1660-15-0x0000000002240000-0x000000000224A000-memory.dmp

Filesize
40KB

Download
memory/1660-4-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/1660-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/1660-5-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/1660-176-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1660-8-0x00000000020E0000-0x00000000020E8000-memory.dmp

Filesize
32KB

Download
memory/1660-9-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/1660-7-0x0000000002130000-0x0000000002140000-memory.dmp

Filesize
64KB

Download
memory/1660-6-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/1676-156-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1860-175-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1948-219-0x00000000002B0000-0x0000000000452000-memory.dmp

Filesize
1.6MB

Download
memory/1952-313-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download
memory/2224-255-0x0000000001070000-0x0000000001212000-memory.dmp

Filesize
1.6MB

Download
memory/2312-267-0x0000000001160000-0x0000000001302000-memory.dmp

Filesize
1.6MB

Download
memory/2504-185-0x0000000000C20000-0x0000000000DC2000-memory.dmp

Filesize
1.6MB

Download
memory/2868-231-0x00000000009E0000-0x0000000000B82000-memory.dmp

Filesize
1.6MB

Download