dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Size

1.6MB
MD5

517861702fe0a89aa5e3af35d9f96661
SHA1

50101d8bff153320694baf54bc7b68e585720d4d
SHA256

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
SHA512

da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2548	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2548	schtasks.exe	30

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2664-1-0x0000000000DC0000-0x0000000000F62000-memory.dmp	dcrat
behavioral11/files/0x0005000000019244-25.dat	dcrat
behavioral11/files/0x00050000000194df-44.dat	dcrat
behavioral11/files/0x0009000000012119-55.dat	dcrat
behavioral11/files/0x0035000000015d1f-66.dat	dcrat
behavioral11/files/0x000a00000001903b-89.dat	dcrat
behavioral11/memory/2544-164-0x0000000000BC0000-0x0000000000D62000-memory.dmp	dcrat
behavioral11/memory/1380-175-0x00000000000F0000-0x0000000000292000-memory.dmp	dcrat
behavioral11/memory/2676-187-0x0000000000BA0000-0x0000000000D42000-memory.dmp	dcrat
behavioral11/memory/772-199-0x0000000000DD0000-0x0000000000F72000-memory.dmp	dcrat
behavioral11/memory/2668-211-0x0000000000340000-0x00000000004E2000-memory.dmp	dcrat
behavioral11/memory/1688-223-0x0000000000DE0000-0x0000000000F82000-memory.dmp	dcrat
behavioral11/memory/2332-235-0x0000000000080000-0x0000000000222000-memory.dmp	dcrat
behavioral11/files/0x0007000000019356-239.dat	dcrat
behavioral11/memory/2676-247-0x0000000000DA0000-0x0000000000F42000-memory.dmp	dcrat
behavioral11/memory/800-270-0x0000000001200000-0x00000000013A2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1584	powershell.exe
1960	powershell.exe
2256	powershell.exe
2268	powershell.exe
3048	powershell.exe
1784	powershell.exe
1532	powershell.exe
444	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2544	audiodg.exe
1380	audiodg.exe
2676	audiodg.exe
772	audiodg.exe
2668	audiodg.exe
1688	audiodg.exe
2332	audiodg.exe
2676	audiodg.exe
1600	audiodg.exe
800	audiodg.exe
2156	audiodg.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\b75386f1303e64	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\RCX63D8.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX6AE0.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\RCX6446.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX6B4E.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\lsm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\Registration\CRMLog\101b941d020240	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX6D52.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX6D53.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Registration\CRMLog\lsm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
800	schtasks.exe
1804	schtasks.exe
2524	schtasks.exe
1632	schtasks.exe
2820	schtasks.exe
1092	schtasks.exe
2004	schtasks.exe
1952	schtasks.exe
1140	schtasks.exe
1424	schtasks.exe
2744	schtasks.exe
2544	schtasks.exe
304	schtasks.exe
1844	schtasks.exe
3040	schtasks.exe
2440	schtasks.exe
1724	schtasks.exe
2940	schtasks.exe
776	schtasks.exe
872	schtasks.exe
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
1584	powershell.exe
1960	powershell.exe
1532	powershell.exe
444	powershell.exe
2256	powershell.exe
3048	powershell.exe
2268	powershell.exe
1784	powershell.exe
2544	audiodg.exe
1380	audiodg.exe
2676	audiodg.exe
772	audiodg.exe
2668	audiodg.exe
1688	audiodg.exe
2332	audiodg.exe
2676	audiodg.exe
1600	audiodg.exe
800	audiodg.exe
2156	audiodg.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2544	audiodg.exe
Token: SeDebugPrivilege	1380	audiodg.exe
Token: SeDebugPrivilege	2676	audiodg.exe
Token: SeDebugPrivilege	772	audiodg.exe
Token: SeDebugPrivilege	2668	audiodg.exe
Token: SeDebugPrivilege	1688	audiodg.exe
Token: SeDebugPrivilege	2332	audiodg.exe
Token: SeDebugPrivilege	2676	audiodg.exe
Token: SeDebugPrivilege	1600	audiodg.exe
Token: SeDebugPrivilege	800	audiodg.exe
Token: SeDebugPrivilege	2156	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1532	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	52
PID 2664 wrote to memory of 1532	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	52
PID 2664 wrote to memory of 1532	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	52
PID 2664 wrote to memory of 444	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	53
PID 2664 wrote to memory of 444	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	53
PID 2664 wrote to memory of 444	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	53
PID 2664 wrote to memory of 1584	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	54
PID 2664 wrote to memory of 1584	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	54
PID 2664 wrote to memory of 1584	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	54
PID 2664 wrote to memory of 1960	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	55
PID 2664 wrote to memory of 1960	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	55
PID 2664 wrote to memory of 1960	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	55
PID 2664 wrote to memory of 2256	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	56
PID 2664 wrote to memory of 2256	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	56
PID 2664 wrote to memory of 2256	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	56
PID 2664 wrote to memory of 2268	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	57
PID 2664 wrote to memory of 2268	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	57
PID 2664 wrote to memory of 2268	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	57
PID 2664 wrote to memory of 3048	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	58
PID 2664 wrote to memory of 3048	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	58
PID 2664 wrote to memory of 3048	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	58
PID 2664 wrote to memory of 1784	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	59
PID 2664 wrote to memory of 1784	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	59
PID 2664 wrote to memory of 1784	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	59
PID 2664 wrote to memory of 1860	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	68
PID 2664 wrote to memory of 1860	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	68
PID 2664 wrote to memory of 1860	2664	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	68
PID 1860 wrote to memory of 1600	1860	cmd.exe	70
PID 1860 wrote to memory of 1600	1860	cmd.exe	70
PID 1860 wrote to memory of 1600	1860	cmd.exe	70
PID 1860 wrote to memory of 2544	1860	cmd.exe	71
PID 1860 wrote to memory of 2544	1860	cmd.exe	71
PID 1860 wrote to memory of 2544	1860	cmd.exe	71
PID 2544 wrote to memory of 540	2544	audiodg.exe	72
PID 2544 wrote to memory of 540	2544	audiodg.exe	72
PID 2544 wrote to memory of 540	2544	audiodg.exe	72
PID 2544 wrote to memory of 2804	2544	audiodg.exe	73
PID 2544 wrote to memory of 2804	2544	audiodg.exe	73
PID 2544 wrote to memory of 2804	2544	audiodg.exe	73
PID 540 wrote to memory of 1380	540	WScript.exe	74
PID 540 wrote to memory of 1380	540	WScript.exe	74
PID 540 wrote to memory of 1380	540	WScript.exe	74
PID 1380 wrote to memory of 2428	1380	audiodg.exe	75
PID 1380 wrote to memory of 2428	1380	audiodg.exe	75
PID 1380 wrote to memory of 2428	1380	audiodg.exe	75
PID 1380 wrote to memory of 2328	1380	audiodg.exe	76
PID 1380 wrote to memory of 2328	1380	audiodg.exe	76
PID 1380 wrote to memory of 2328	1380	audiodg.exe	76
PID 2428 wrote to memory of 2676	2428	WScript.exe	78
PID 2428 wrote to memory of 2676	2428	WScript.exe	78
PID 2428 wrote to memory of 2676	2428	WScript.exe	78
PID 2676 wrote to memory of 1588	2676	audiodg.exe	79
PID 2676 wrote to memory of 1588	2676	audiodg.exe	79
PID 2676 wrote to memory of 1588	2676	audiodg.exe	79
PID 2676 wrote to memory of 2868	2676	audiodg.exe	80
PID 2676 wrote to memory of 2868	2676	audiodg.exe	80
PID 2676 wrote to memory of 2868	2676	audiodg.exe	80
PID 1588 wrote to memory of 772	1588	WScript.exe	81
PID 1588 wrote to memory of 772	1588	WScript.exe	81
PID 1588 wrote to memory of 772	1588	WScript.exe	81
PID 772 wrote to memory of 2580	772	audiodg.exe	82
PID 772 wrote to memory of 2580	772	audiodg.exe	82
PID 772 wrote to memory of 2580	772	audiodg.exe	82
PID 772 wrote to memory of 2720	772	audiodg.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
"C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oinIVsngqt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1600
- - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
    "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d2ec300-d11e-43c0-bc76-aac7c6fe2011.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c4fb94b-bd74-45e9-9cf7-b560f1e767b9.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08108262-e32e-4529-96d9-a0d291f1f7a8.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b284d5b-989e-42bc-976e-248f43d39735.vbs"
        10⤵
        
        PID:2580
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe1b10b1-0a61-4257-96d7-4ed4f7d3b74a.vbs"
        12⤵
        
        PID:2816
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efa23a52-dc4f-4da1-8bca-eababb85d098.vbs"
        14⤵
        
        PID:376
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfc91507-9890-4555-b60d-cbb71cea34ed.vbs"
        16⤵
        
        PID:1276
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9f39674-d9f3-4301-a21e-34e23d522ae0.vbs"
        18⤵
        
        PID:1008
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a87cbfcc-82f1-4ebf-a0c6-b2b935135b04.vbs"
        20⤵
        
        PID:2384
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3e9345b-647f-4754-9f52-f67d491015d2.vbs"
        22⤵
        
        PID:1424
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ca3bcc4-da44-46a0-a9cf-e929b671e201.vbs"
        24⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\108816ff-0317-48ad-a0e5-ca2e69a748ea.vbs"
        24⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\061c883b-c4ff-4d96-8871-b27fd68ac923.vbs"
        22⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63edc9cd-da63-4cc9-ac11-92cc30afd70f.vbs"
        20⤵
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a49024e2-bddb-49f3-9be1-86fee45cf551.vbs"
        18⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fd6141b-ad34-4896-a11e-c92d0b6473c1.vbs"
        16⤵
        
        PID:580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\675c9fbc-aecc-47e0-9a72-cc30926c5d3c.vbs"
        14⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bab0054a-a58d-4227-950f-84db2fe5ef6c.vbs"
        12⤵
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3115a549-ac45-47a0-980d-4d85ff1e15aa.vbs"
        10⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d10b92-18a2-4156-9f35-bebeb9163e44.vbs"
        8⤵
        
        PID:2868
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1999840-579e-4553-bb5b-135085d183d5.vbs"
        6⤵
        
        PID:2328
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42db9bef-c84f-4e8b-892b-fd25a3de5584.vbs"
      4⤵
      PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe

Filesize
1.6MB

MD5
85f855eb0b49a7f022af92321c0d65d9

SHA1
d2144c909e77415ff4f8517fdf013155d53354d9

SHA256
295fd15df9bc9f3857a5938bcee257b86f94f9ac8d50bde1fdc8af4de1e5ace1

SHA512
4736806535c2c07eb1b5d626c361b7a6a3d43e6d9c5c61016183f72441a882e0d507852c49a8bbf17a64866fb8c1810bc4d51852be72f3918201ab01f7028e51

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Filesize
1.6MB

MD5
726ef138d970cf34e90aef63339aa115

SHA1
d9ec23199468f8549b9e594a57fb28b9da7f2d3b

SHA256
eced7be4034460abb7ba06a994cc0bbb99f47c001ce29bfaeef3958fca184f02

SHA512
984c066f81c6d2596116d605695f0f466c98ef5755d299e35305d5608c80ef230a758a9f5ea5cb30e13dc526e78103056beef8f673f960e548386d20e0898c14

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe

Filesize
1.6MB

MD5
f0b00fbf9da25af009bcbaadf43b717e

SHA1
30ef89f3af25c55f019100cc9b9a207e0c4c5216

SHA256
d583f48c21d3cbbc65d7075cb128852407cec7629173b92925d244f0ad389049

SHA512
2cda9dc0b557523c00995b1e06050a14e2884a392eb9673de907f8e2925fadef04f022facfdb1bfc0c5c9e2727021d7f9586ae5fa0d9967670aafc6900e3675b

Download Submit
C:\ProgramData\lsass.exe

Filesize
1.6MB

MD5
517861702fe0a89aa5e3af35d9f96661

SHA1
50101d8bff153320694baf54bc7b68e585720d4d

SHA256
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

SHA512
da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

Download Submit
C:\ProgramData\lsass.exe

Filesize
1.6MB

MD5
b79cb46e045c74500d1477a26ccdada1

SHA1
c2bca45f59003682886373ecc6268ac25c15df0d

SHA256
a79c6dab15cd559dd53b499744ef1f36994ed35aa63f2ce5897f8d490bac040a

SHA512
b20715f527822424f32110cf3aac9003d03ec914e5e42ce2ee602201fa5263a155463291a061ab37c967f76c10d558a17dc9b982e342efc61f9e770580d219be

Download Submit
C:\Users\Admin\AppData\Local\Temp\08108262-e32e-4529-96d9-a0d291f1f7a8.vbs

Filesize
759B

MD5
043c4ea6e303093686027b1da05124dd

SHA1
eff0b98e24582ccf212bbb2b8bbb49588d2177dd

SHA256
9f3daa71f6a810b10d18169de361357d0b85efbd62c5323d1376c11d86ab7187

SHA512
bc32c306a8eaa7fc4f6a2e22d5d6efa76a862415a7f29a27200d1149f05f5b3a4b1985365e5cb4d82b38a32c427e1716f835ddb3ea9c5c480cea1848a94dedd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d2ec300-d11e-43c0-bc76-aac7c6fe2011.vbs

Filesize
759B

MD5
25b60f620dfe72d2463170eb5940610e

SHA1
d4c7e9833e40acf5da67fcc7552a09c5890b24fd

SHA256
936d94d150eb2c4ca85b777b6a496a06b45f3e9f5e31968215764000094f8285

SHA512
19eccc9bc807cda5102aef0a318a5b8dcb10b034555bbc181be4d609a109ce27217341bfe5bced86b88e1517d90dac0b4c261e542a8fce6300995fe6633e2e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ca3bcc4-da44-46a0-a9cf-e929b671e201.vbs

Filesize
759B

MD5
aa12649f415076c25c32e69317662dd6

SHA1
200cb57385ae278cf61d7b610b51540a25fb41d9

SHA256
0b2ff0360f2393487a424ebc9535fe91efd81a6ac8d6e18a8946e5df0eff578c

SHA512
23cc4c08154a345d3368789ebead131033483bc1e619ac50e74cf951934d6aacbe306429d8aec344bc8a5142e7bf4c55e959a3e81bc03066f784304c9cbed44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\42db9bef-c84f-4e8b-892b-fd25a3de5584.vbs

Filesize
535B

MD5
950dbf7507bc2cb60752accb93b53c17

SHA1
b30858aeeb4213f30edb8c1fe56132f33ce74f52

SHA256
ee590f162f5530f542ac1130fc6b2a53489b172f2895ad967544f823a590a3e2

SHA512
7cdda94012add35c7ba48cbae56b5a2dd81d218decd245ce831920632fc3ed54f903f280187d495ecfdd7064e5b9df47e6554abd16215e7d844868bca1fe2991

Download Submit
C:\Users\Admin\AppData\Local\Temp\433c307c84d6debf07c9320743b8837718339cb7.exe

Filesize
1.6MB

MD5
21a23ceec40ad9b15937403aa82802b7

SHA1
d5f2c6c9f08bdf7f0b6d6e58584c53fecd31282b

SHA256
e1f25e5de9495ad5fff93fc0279e1b9a37698fed280269bf0e589c6f21b3f3d3

SHA512
255a51773adaa0d054513581aca8552059788899a0eb5a8692f33c5ce7cba33a690bb3a706e32a73a4da381db2e795ca86556a22db32f7a7dd257efcf7285b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b284d5b-989e-42bc-976e-248f43d39735.vbs

Filesize
758B

MD5
b161cf0d7427f1f9c73aaa4f93e4a830

SHA1
7038746c05908ccffa78f08d096dede302da2224

SHA256
d02367b33b86a2db0a47b440f856700dbf50a8c861add72f46e6ad19cbc0ecbf

SHA512
863fa4eca7541fb80d89f8a6032c6c74d4239b5b5a0183b0e173959934f936df147a95069a3ca79d1ca0f40fc0d8c563c1f621dc0128765ef4ae073da39cc751

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c4fb94b-bd74-45e9-9cf7-b560f1e767b9.vbs

Filesize
759B

MD5
4b8caa38c8f663640e4bdb8ab92cc659

SHA1
d8edbc32838f909fd9ef4749d51d03fab22c7a9d

SHA256
7d4fd1036c1be25c6849485619e90b1571c81565b5ea138e0823a82114da6a92

SHA512
d014d316f72dd0cc96dcfac3b85a8858f6a1fdbeec92890119c89f0093dface126200dce6c4e13a0f258633b8626809f7426f9c38ae8a6e8890c681d04c13e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a87cbfcc-82f1-4ebf-a0c6-b2b935135b04.vbs

Filesize
759B

MD5
e649c5e9b7064868234b66e594591728

SHA1
ff006c4497e54da7146587b4d31d2066865a7fdb

SHA256
c4ff86263f105a54bc3db0243cea999000567c2ebd70fb7bbbb67e1feb312697

SHA512
4529403fe326dc1f6ccb108af40cc87d2b93bd485269a59ad3703b178318c406ad1e979fd7fa07ac3db28cb29b804c0ea0568e86d3223b441bc51a83549c9d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfc91507-9890-4555-b60d-cbb71cea34ed.vbs

Filesize
759B

MD5
0126f6c0e4debd142a53ae78488e94de

SHA1
34d1e9b250dd33f38076bba2455a536f87134c00

SHA256
49c0cf22b4c9f53e85bd89e10198e7c55e24c7eb78285fd240e9108fe31743d3

SHA512
f7754a475027fbeee991e3c1f423db7d69c43b296e168f9ab9e3b8c919b5d823c1e8e7f65923a5ccda15a69fc629d51f75cece5ba79233e25cc3e33ea6c7e1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\efa23a52-dc4f-4da1-8bca-eababb85d098.vbs

Filesize
759B

MD5
af3c82a1b15bab8f40385d752ee7bc5c

SHA1
8f1e47b8316fcdcb50f86cb033c976084a0fe3f5

SHA256
e65ad24ab82e06760d2887f34ce9038a4ef539eace24888acaaf1dc015260867

SHA512
fc00404765ff963fa7ac69e6899232825a52c6204e0e3cad5bf8321d08594fd9317f6c22d088cecc1c06e69af04c87c54fa710b3ef7955608a2634666dff8b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3e9345b-647f-4754-9f52-f67d491015d2.vbs

Filesize
758B

MD5
2ab5a0a04a1c20a3a567f5a512d73fce

SHA1
8f85d15d0c48b37812d2c89c9fee7e0b9d4171a5

SHA256
10fd1036324b05a6d92a52d8455ae9f7c11e5c4b6d36a7917846dddbc699a771

SHA512
72141a1eaac2b00165783839be2f4edcecb980d9aa633bc8586aac8212b43b19e9994d234a01fda76e101642ab8f6142d5b4012da5287f6f953ce1410cb8698b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe1b10b1-0a61-4257-96d7-4ed4f7d3b74a.vbs

Filesize
759B

MD5
46b80b3588e26ba2a4a834552c6c55ea

SHA1
4932382d84efe234c4e51bf032718b3c26a35ee9

SHA256
5647d74267e34a1cb2b60338360d5ab212387dabe9d3a6de7098cfc767d40247

SHA512
59226237ce0c33845d5234dd557a09aac1c8cafba2c2dcdd4cede7b86caa584a41f66689764f506a4eb52179965da72982d7ec1cd94ca549c92b969b87ebf310

Download Submit
C:\Users\Admin\AppData\Local\Temp\oinIVsngqt.bat

Filesize
248B

MD5
19a28b070e6092507862738bc546ecae

SHA1
96fb751ebaf9376b42dda9bd25fffde76bc27667

SHA256
f876d73b7f680af28f5248471c2e32646ffeceaef78353a718c6229dcc0b3bcf

SHA512
d3150ee8477c2d72226b7e5f26d80f1fc2a425dee8f45af5d96d79567bb70cd4ec65267b26d8a94d0f77907a8841bc575695a9f665a4f9bbc08bb32eb623d2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
70acae1a58c5bad4ca37c36c10541ae7

SHA1
10f3462fee5d34ddb3e1de857b461ef7e9d64b29

SHA256
731fd565dd9969e39f3eac9aadad7455a390a14e49273aca8310af62aeb1d658

SHA512
5acd29f6860e230ad486e8ae7444059d0bba3d42a6c2d8c82e97b7f3b9abb5009ea139d7d852f7c700fce7fde689f198d24ed90fd3a8ad43b820bc8c73ccd50e

Download Submit
memory/772-199-0x0000000000DD0000-0x0000000000F72000-memory.dmp

Filesize
1.6MB

Download
memory/800-270-0x0000000001200000-0x00000000013A2000-memory.dmp

Filesize
1.6MB

Download
memory/1380-175-0x00000000000F0000-0x0000000000292000-memory.dmp

Filesize
1.6MB

Download
memory/1532-140-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1584-139-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1688-223-0x0000000000DE0000-0x0000000000F82000-memory.dmp

Filesize
1.6MB

Download
memory/2332-235-0x0000000000080000-0x0000000000222000-memory.dmp

Filesize
1.6MB

Download
memory/2544-164-0x0000000000BC0000-0x0000000000D62000-memory.dmp

Filesize
1.6MB

Download
memory/2664-13-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2664-9-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2664-16-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2664-15-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/2664-11-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2664-1-0x0000000000DC0000-0x0000000000F62000-memory.dmp

Filesize
1.6MB

Download
memory/2664-14-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2664-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/2664-12-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2664-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-10-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2664-119-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2664-8-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2664-6-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2664-7-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2664-5-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2664-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2664-4-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2668-211-0x0000000000340000-0x00000000004E2000-memory.dmp

Filesize
1.6MB

Download
memory/2676-247-0x0000000000DA0000-0x0000000000F42000-memory.dmp

Filesize
1.6MB

Download
memory/2676-187-0x0000000000BA0000-0x0000000000D42000-memory.dmp

Filesize
1.6MB

Download