dcrat | 777f77c1c53c3551c89ef44c86c06cbfe0b2bb04374b7d7d9f6153d3ecc3c267

Analysis

max time kernel
10s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4202cc1a54d458c6b3a7579733cc35c1.exe
Size

1.6MB
MD5

4202cc1a54d458c6b3a7579733cc35c1
SHA1

db3f6aee406b73fb0a831cf988b98282d7516918
SHA256

545876aff174a4c02160e0c1b7e3d513f9010daa140b1e287883e2387aca8a96
SHA512

b2423ec0ed40f7de79b0e8248858354e1d5fee95b66f72612048aace23e1e0d39945cd769ff7866adbc41cbb7f90983f438f8667ddff6fbc8445eb76ba2fac92
SSDEEP

24576:Msm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:MD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2236	schtasks.exe	30

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/2816-1-0x0000000000BD0000-0x0000000000D72000-memory.dmp	dcrat
behavioral25/files/0x0005000000019627-25.dat	dcrat
behavioral25/files/0x000500000001a4f9-56.dat	dcrat
behavioral25/files/0x000b0000000120f6-67.dat	dcrat
behavioral25/files/0x00090000000195e6-90.dat	dcrat
behavioral25/files/0x000c000000019623-137.dat	dcrat
behavioral25/memory/3056-248-0x0000000000140000-0x00000000002E2000-memory.dmp	dcrat
behavioral25/memory/2412-280-0x0000000000E30000-0x0000000000FD2000-memory.dmp	dcrat
behavioral25/memory/2532-314-0x0000000001350000-0x00000000014F2000-memory.dmp	dcrat
behavioral25/memory/1964-326-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat
behavioral25/memory/1160-338-0x0000000000370000-0x0000000000512000-memory.dmp	dcrat
behavioral25/memory/2260-350-0x0000000001390000-0x0000000001532000-memory.dmp	dcrat
behavioral25/memory/2796-362-0x00000000001A0000-0x0000000000342000-memory.dmp	dcrat
behavioral25/files/0x000b000000019c73-366.dat	dcrat
behavioral25/memory/1840-374-0x00000000000B0000-0x0000000000252000-memory.dmp	dcrat
behavioral25/files/0x000b000000019c73-378.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
292	powershell.exe
2532	powershell.exe
2184	powershell.exe
3040	powershell.exe
2676	powershell.exe
2832	powershell.exe
576	powershell.exe
1940	powershell.exe
2936	powershell.exe
2564	powershell.exe
264	powershell.exe
1088	powershell.exe
2524	powershell.exe
1144	powershell.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX80B6.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX879F.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX880D.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\taskhost.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\b75386f1303e64	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\886983d96e3d3e	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\69ddcba757bf72	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\c5b4cb5e9653cc	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCX9291.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\smss.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCX92A2.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX8124.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCX901F.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCX908E.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\smss.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\services.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\services.exe	4202cc1a54d458c6b3a7579733cc35c1.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Windows\AppCompat\Programs\lsass.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Windows\Vss\Writers\RCX94A6.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Windows\Vss\Writers\RCX94C6.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Windows\Vss\Writers\spoolsv.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\RCX9B5E.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Windows\Vss\Writers\spoolsv.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Windows\AppCompat\Programs\6203df4a6bafc7	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Windows\Vss\Writers\f3b6ecef712a24	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\6203df4a6bafc7	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX8A12.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Windows\AppCompat\Programs\lsass.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\RCX9B5F.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe	4202cc1a54d458c6b3a7579733cc35c1.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX8A11.tmp	4202cc1a54d458c6b3a7579733cc35c1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1432	schtasks.exe
2532	schtasks.exe
2908	schtasks.exe
2904	schtasks.exe
2028	schtasks.exe
2248	schtasks.exe
700	schtasks.exe
780	schtasks.exe
2828	schtasks.exe
2644	schtasks.exe
3060	schtasks.exe
2204	schtasks.exe
2452	schtasks.exe
2152	schtasks.exe
2196	schtasks.exe
1780	schtasks.exe
2556	schtasks.exe
2460	schtasks.exe
3068	schtasks.exe
2968	schtasks.exe
592	schtasks.exe
2700	schtasks.exe
2360	schtasks.exe
1864	schtasks.exe
2976	schtasks.exe
2208	schtasks.exe
1644	schtasks.exe
1320	schtasks.exe
1012	schtasks.exe
2184	schtasks.exe
2428	schtasks.exe
280	schtasks.exe
1840	schtasks.exe
1244	schtasks.exe
784	schtasks.exe
2628	schtasks.exe
2872	schtasks.exe
1608	schtasks.exe
1620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2816	4202cc1a54d458c6b3a7579733cc35c1.exe
2816	4202cc1a54d458c6b3a7579733cc35c1.exe
2816	4202cc1a54d458c6b3a7579733cc35c1.exe
2816	4202cc1a54d458c6b3a7579733cc35c1.exe
2816	4202cc1a54d458c6b3a7579733cc35c1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	4202cc1a54d458c6b3a7579733cc35c1.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2564	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	70
PID 2816 wrote to memory of 2564	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	70
PID 2816 wrote to memory of 2564	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	70
PID 2816 wrote to memory of 2936	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	71
PID 2816 wrote to memory of 2936	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	71
PID 2816 wrote to memory of 2936	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	71
PID 2816 wrote to memory of 1940	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	72
PID 2816 wrote to memory of 1940	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	72
PID 2816 wrote to memory of 1940	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	72
PID 2816 wrote to memory of 576	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	74
PID 2816 wrote to memory of 576	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	74
PID 2816 wrote to memory of 576	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	74
PID 2816 wrote to memory of 2532	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	75
PID 2816 wrote to memory of 2532	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	75
PID 2816 wrote to memory of 2532	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	75
PID 2816 wrote to memory of 2832	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	77
PID 2816 wrote to memory of 2832	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	77
PID 2816 wrote to memory of 2832	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	77
PID 2816 wrote to memory of 2676	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	78
PID 2816 wrote to memory of 2676	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	78
PID 2816 wrote to memory of 2676	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	78
PID 2816 wrote to memory of 292	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	80
PID 2816 wrote to memory of 292	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	80
PID 2816 wrote to memory of 292	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	80
PID 2816 wrote to memory of 3040	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	81
PID 2816 wrote to memory of 3040	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	81
PID 2816 wrote to memory of 3040	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	81
PID 2816 wrote to memory of 1144	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	83
PID 2816 wrote to memory of 1144	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	83
PID 2816 wrote to memory of 1144	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	83
PID 2816 wrote to memory of 2524	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	84
PID 2816 wrote to memory of 2524	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	84
PID 2816 wrote to memory of 2524	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	84
PID 2816 wrote to memory of 2184	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	85
PID 2816 wrote to memory of 2184	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	85
PID 2816 wrote to memory of 2184	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	85
PID 2816 wrote to memory of 1088	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	86
PID 2816 wrote to memory of 1088	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	86
PID 2816 wrote to memory of 1088	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	86
PID 2816 wrote to memory of 264	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	87
PID 2816 wrote to memory of 264	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	87
PID 2816 wrote to memory of 264	2816	4202cc1a54d458c6b3a7579733cc35c1.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4202cc1a54d458c6b3a7579733cc35c1.exe
"C:\Users\Admin\AppData\Local\Temp\4202cc1a54d458c6b3a7579733cc35c1.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4202cc1a54d458c6b3a7579733cc35c1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:264
- C:\Program Files (x86)\Windows Mail\it-IT\services.exe
  "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
  2⤵
  PID:3056
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5e7b11d-6383-4792-b7b3-eb41493e54c6.vbs"
    3⤵
    PID:2416
  - - C:\Program Files (x86)\Windows Mail\it-IT\services.exe
      "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
      4⤵
      PID:2412
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a01e1611-94d5-4f96-b8d7-071ea11fdfea.vbs"
        5⤵
        
        PID:1620
      - C:\Program Files (x86)\Windows Mail\it-IT\services.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
        6⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de8e239-d012-47c3-9769-385b89619351.vbs"
        7⤵
        
        PID:1088
        
        C:\Program Files (x86)\Windows Mail\it-IT\services.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
        8⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f98a09d-4696-4204-933d-46b0f0a60bb7.vbs"
        9⤵
        
        PID:2340
        
        C:\Program Files (x86)\Windows Mail\it-IT\services.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
        10⤵
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f67cd7fa-8ce2-4bc9-8c22-6316bea21f08.vbs"
        11⤵
        
        PID:780
        
        C:\Program Files (x86)\Windows Mail\it-IT\services.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
        12⤵
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b5f7273-a00d-40a7-b43a-36fb287d23b0.vbs"
        13⤵
        
        PID:1008
        
        C:\Program Files (x86)\Windows Mail\it-IT\services.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
        14⤵
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d2682c-8eb0-4332-9c0f-750666c32a43.vbs"
        15⤵
        
        PID:2744
        
        C:\Program Files (x86)\Windows Mail\it-IT\services.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
        16⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09515537-4051-4cbe-9429-7658e8155cf9.vbs"
        17⤵
        
        PID:2768
        
        C:\Program Files (x86)\Windows Mail\it-IT\services.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
        18⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dc03f34-e87d-4823-b025-dc57c06379aa.vbs"
        19⤵
        
        PID:2752
        
        C:\Program Files (x86)\Windows Mail\it-IT\services.exe
        
        "C:\Program Files (x86)\Windows Mail\it-IT\services.exe"
        20⤵
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae55c203-389a-4535-b374-d778763182d0.vbs"
        21⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4c45629-b80b-4f89-8526-6da53e29c6d8.vbs"
        21⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45124545-41fe-40a9-a803-bbdebeb5c758.vbs"
        19⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd45532a-2141-4685-b3dc-a7d9f88627c9.vbs"
        17⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\347d95cc-a68c-4241-b7a4-86e0d9d84331.vbs"
        15⤵
        
        PID:972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e646c956-85b2-4d59-8b8f-7e665dd79ce7.vbs"
        13⤵
        
        PID:808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cded9839-63dc-4bfd-93de-f89dfb2d3fa4.vbs"
        11⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13db0ddf-3c33-4f90-b51f-c4638927e3dd.vbs"
        9⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1c7f08b-ec97-47e7-a7a2-25201daed684.vbs"
        7⤵
        
        PID:900
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0f7d395-a3e2-4288-8688-0f0f62c7e46d.vbs"
        5⤵
        
        PID:1636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8ad8d2f-b6f7-4183-abff-a609a638710f.vbs"
    3⤵
    PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\smss.exe

Filesize
1.6MB

MD5
e2c076cc7f28ed5f8def933fcffb775e

SHA1
34f988af88f2e05283d545d8e925a787bcdbab92

SHA256
61972641b2219f13a6e01bac3d6087913402594847589ac61b2f466c75ce6314

SHA512
f506898239e6b56c1db7c5fa498b34dd5df5b31f47bda1d48e9810a7dca1de439677e290116fd9733b2037425e5afaaf6bb7a9f1c785eb0cc0c87fd27ae3dbd5

Download Submit
C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe

Filesize
1.6MB

MD5
5081d9e1d2b101cc34424a8e58bf0259

SHA1
a769ac7eb7271836d1d708d287db19b30ac9991e

SHA256
a4a479fdf3a409628c6ad09d904c39746a7d04cdfa937b90c250521ddfd68830

SHA512
5274c73002560f19ca746c6038a5309afa006541e6c88e34d6029f39538225d0ae3b6818a1dfbd3fda296c7da7533971d9f8a396558ee7cdb140c3d8253609d3

Download Submit
C:\Program Files (x86)\Windows Portable Devices\taskhost.exe

Filesize
1.6MB

MD5
915809adfe6542f68cfd891b5bf70634

SHA1
92ba89664f8e52af7a2f198e65d877916bc2448f

SHA256
88a8454e514fa330e2437118964cb2314e61d423e5f64de0f97560ad46f72b60

SHA512
5440aa3936b5130f01c0347c864f9fba0d0e9723ad2d0175afd107574fc0a96e67f753abfc1fe9c7653e413dd68daa03b9657b7a3c951cc8b714977ed4af4165

Download Submit
C:\Users\Admin\AppData\Local\Temp\09515537-4051-4cbe-9429-7658e8155cf9.vbs

Filesize
730B

MD5
a1905aae8b2e4665a885f1d5d72d4bcd

SHA1
29ce1e350b76f9d0004778e3ddf1b8b190d81ba2

SHA256
89b3ef015963d5ab0e5dd60539e3fc765771ee412209e8c3cdd05b0f0a1155a3

SHA512
e953b20a7646da3102bb21561b041cdc02a4f5a10d990191cb61a49d64dc0b21a7ac6aa4f8e042fd9e9d199fb158aa36a2362a4b7f8553e61c47ff43078e1572

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b5f7273-a00d-40a7-b43a-36fb287d23b0.vbs

Filesize
730B

MD5
831aed6f057b61160a725d940027f889

SHA1
5952263f5bfe73d109410af6312dc76f400ed34c

SHA256
b11ee5c6282953a59e4dcf2dc5f94dae9c5e1afe01887f70a8dfde92d12e3dee

SHA512
404e068c847ecae22f31e82e30eeaa0227fde87be6bf1538e56f86f0a09a9778b6888811594726f5e3beed1075155382b382403790cade60b14324ae6b1d0c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\58d2682c-8eb0-4332-9c0f-750666c32a43.vbs

Filesize
730B

MD5
b78461eabbbf82d68aa149fd27ea83b6

SHA1
c262ce2488ec1a0f0e0585fafd8d5ade014bdd4e

SHA256
16ef8bb7833db1c482c93d85a244f1a7a997e089b645c744c3b1dd22e4a32a60

SHA512
f4a6a96e83a8b5dadca354052b84c494e641782a4925172e8afed67159b5a4db0a74e330effd7b82a90ad72cde64757c42411b472f2aec29510bc890dda4213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dc03f34-e87d-4823-b025-dc57c06379aa.vbs

Filesize
730B

MD5
9c726bc8589701ceb0dd98f5bc36e25b

SHA1
4aa12f26ca69b4a1773741ee843378330a91187f

SHA256
bef41991b260fb19cb175372bd2c56dbf7aac0b13279828f4f0b96eec1e110df

SHA512
b6db1579d139b6e84add57f5109c1ad9c16e1912d233ddf4d35f58a4a79d2691ed91f18a382f7241dcaf8c2a5141e138d5022fb22135fdecd5fcbef35c13c67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8de8e239-d012-47c3-9769-385b89619351.vbs

Filesize
730B

MD5
a56ab24fbb0a62655be38d49c7245223

SHA1
69186357fdd68cc6783ddda1dabab6c14bbea642

SHA256
be5c3384b9e97217a7e8448541fad007624f51ac50c7fc37ae08751f0f38edd5

SHA512
7733ea4dbfc0d748f1ddc52a7da72c5bbebe0ac0d85ae4fb8f62dda66ed8c9ebdb17ce2dae40e18a26c0b4dde83944a4b4375f1b840ad5fa95c8749c89ddb860

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f98a09d-4696-4204-933d-46b0f0a60bb7.vbs

Filesize
730B

MD5
f96bed72eb7df9407763410cb95fb97d

SHA1
1c9a7a9f6d60cac541146f5e35262a793f34a30b

SHA256
301204252b41c589031d9e61e7968342b471cf9fb659be6c5b9dbbd548f9b7a0

SHA512
fc9fdc644995c4eabb53760e78b484a5c2a192693203534094dad487485707ef44d04a80877cf577dd8fdba89583342a74011e361b593be1cca83381368f696b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a01e1611-94d5-4f96-b8d7-071ea11fdfea.vbs

Filesize
730B

MD5
d5a2911a29ba1eca1754e1b21b2e7517

SHA1
3b65d0d258ba3d8ba321650baecc0a5bbb3a70e8

SHA256
fe735ac8cbd259206e70ae3f487f3007a15d14bc129269ac0b21d0d32eb7a15a

SHA512
83e4a4753fd1f93c53e33f7122d500c51107339835a140a764886831b0b0ca88a2b18da9f52a908e49b78e6fde2f7a4343903989e445985e961622fe4dda9965

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae55c203-389a-4535-b374-d778763182d0.vbs

Filesize
730B

MD5
9fd5e852dbc90a087b83e062a7f89c54

SHA1
fe8a2c59e0b05261b9cb9cd02797f18061705a76

SHA256
a05c0c39c7412e0faf6f0e1b1ed1e3b01eee84c261f6c6949908b8bac6866540

SHA512
85a289d4e19285d95bfc5575b402c566f1643c24ad54a73835bc347624abf399a27e8cf10d57d386608b34ad67b669b916159c94343cec5081b210ee47e8c187

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf723319f6fa5fabc239c0efb56d0f4869cb5646.exe

Filesize
1.6MB

MD5
7d6bea9103e7aa32dda593060da91a39

SHA1
9132a6501d7ad8a84e8d45155681d0048576e1ac

SHA256
f4bad5313a76465c285b0b82734e029807d1653d8a38383338fc34967631e020

SHA512
efec1e389817ff45df631045457fde961b009205a275a7b753f327fe01c8a49b803116c635f798a824a6cc22459b0c079fbaa1a8f6f45b008b4c7781df7105e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf723319f6fa5fabc239c0efb56d0f4869cb5646.exe

Filesize
1.1MB

MD5
6d4bbd781c86653979d26b805853b15e

SHA1
cbabf43d49579b9e80d7015f0ab6ac7fd7995f1e

SHA256
1b3afdfed8fff38ff6c98d2fb028cac047eaec2e61334197f5d82b930e47db14

SHA512
b315c677970130d7c7d825cffc9fc6d7331a85669231ae1eb14e169d5562b0a5b59b9ccd48ec9e513f4980202d7d0eb0c46ee97e3cabfa020d2cd434f9391187

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8ad8d2f-b6f7-4183-abff-a609a638710f.vbs

Filesize
506B

MD5
04e027b7557525b0cef5af71aa4a22fa

SHA1
0ce144524c28d7b82d90c8d61a0347a2201f58ce

SHA256
117f52a487ef1eefa8e01efb08decf2e2d803c58831d78effa3ea03251a63f96

SHA512
473dbc84ca8b89772d3a2d89a7bc3fcea641572fa1df305670c7190b2c394955f23dfb5e9c7c9d32c7ac6e338db1372e965a355df3520799c3ed6dff76b6d20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5e7b11d-6383-4792-b7b3-eb41493e54c6.vbs

Filesize
730B

MD5
6df16403bda9e58ff1dc93fb70c7f5a1

SHA1
a0ec13447609cedc83f6c356b9c5dfb6e3d2795a

SHA256
3d711b4116a8ab52bdc9fba08ec609c0ae0405411e19e4b2f3cf014ab86c5edb

SHA512
3aaf8eed1987f92e4010734b5a26a524c8f13fcb5822bf7f2766d76eead9b62168dc859260abce5b0b9bb8647e5486de7558dfedda8428081cd5639467286d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\f67cd7fa-8ce2-4bc9-8c22-6316bea21f08.vbs

Filesize
730B

MD5
91c5d9155746a6ccdc584763939fbafb

SHA1
2e416f257474e2757f7a4c72220d628cd01109a7

SHA256
44d9ab4feb1ea3c05ed02e1d6ad08d3d24ffc4c857b5f8cc5aa43c0732f97534

SHA512
6668c0e2e6b4645028dd23442a88dfcea6df125ad0f770558f0c6db164df437cf97e1b0e1a4ce01efc8d4223687c82e7b9eeec963fff286496c65413ffe1ce28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
372ba4579a6cca0b178a915e8140747c

SHA1
1df1734582bbc027f05eef34805016dc22d0804f

SHA256
972ae00b68fb2fe38c538692eb45bc997217921c361a0dd78f8d8068c6d91e1b

SHA512
071015c007cd2bb820e30157a4c4e366c29376c948e8b77750f989d4035501ea78b47ba8daaf0bb60d1524a68641476759fa35f69abc49e4c1b931782027c327

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\dllhost.exe

Filesize
1.6MB

MD5
e1cbec445fe6b39f31c5beec3e8017d8

SHA1
00e7c7f378724350d0b9f75efcbf2a601f8a4633

SHA256
c04fb376ce68e3fc45da516c73c5799c3b942dad535250434f3e22d963e1b341

SHA512
d0a3806c5f0a0944f2968f44ea32271c91cfc2437d10f5ca925268781e4dc75698f4a82ec7d0df5845a03ad79ce73570e06e864e2eb559df45ec4a1ced33866e

Download Submit
C:\Windows\AppCompat\Programs\lsass.exe

Filesize
1.6MB

MD5
4202cc1a54d458c6b3a7579733cc35c1

SHA1
db3f6aee406b73fb0a831cf988b98282d7516918

SHA256
545876aff174a4c02160e0c1b7e3d513f9010daa140b1e287883e2387aca8a96

SHA512
b2423ec0ed40f7de79b0e8248858354e1d5fee95b66f72612048aace23e1e0d39945cd769ff7866adbc41cbb7f90983f438f8667ddff6fbc8445eb76ba2fac92

Download Submit
memory/576-205-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/576-210-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1160-338-0x0000000000370000-0x0000000000512000-memory.dmp

Filesize
1.6MB

Download
memory/1840-374-0x00000000000B0000-0x0000000000252000-memory.dmp

Filesize
1.6MB

Download
memory/1964-326-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/2260-350-0x0000000001390000-0x0000000001532000-memory.dmp

Filesize
1.6MB

Download
memory/2412-280-0x0000000000E30000-0x0000000000FD2000-memory.dmp

Filesize
1.6MB

Download
memory/2532-314-0x0000000001350000-0x00000000014F2000-memory.dmp

Filesize
1.6MB

Download
memory/2796-362-0x00000000001A0000-0x0000000000342000-memory.dmp

Filesize
1.6MB

Download
memory/2816-10-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2816-13-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2816-1-0x0000000000BD0000-0x0000000000D72000-memory.dmp

Filesize
1.6MB

Download
memory/2816-14-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2816-15-0x00000000022B0000-0x00000000022BA000-memory.dmp

Filesize
40KB

Download
memory/2816-16-0x0000000002300000-0x000000000230C000-memory.dmp

Filesize
48KB

Download
memory/2816-269-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-8-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2816-9-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2816-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2816-211-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2816-4-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2816-12-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/2816-5-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/2816-11-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/2816-6-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2816-7-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/2816-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2816-2-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-248-0x0000000000140000-0x00000000002E2000-memory.dmp

Filesize
1.6MB

Download