dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Size

1.6MB
MD5

7fbc72dcc67b2b7366c90f81051bd68a
SHA1

bdd22f70686afb5bf32d638eee6fdd0891ec3248
SHA256

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82
SHA512

e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2604	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2604	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/2780-1-0x0000000001070000-0x0000000001212000-memory.dmp	dcrat
behavioral17/files/0x000500000001a42d-25.dat	dcrat
behavioral17/files/0x000800000001a434-86.dat	dcrat
behavioral17/memory/2176-194-0x0000000000B30000-0x0000000000CD2000-memory.dmp	dcrat
behavioral17/memory/2668-237-0x0000000001300000-0x00000000014A2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
1236	powershell.exe
2052	powershell.exe
2600	powershell.exe
2800	powershell.exe
2788	powershell.exe
2760	powershell.exe
2880	powershell.exe
1156	powershell.exe
2044	powershell.exe
2720	powershell.exe
2936	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2176	dllhost.exe
2668	dllhost.exe
928	dllhost.exe
2368	dllhost.exe
2828	dllhost.exe
2592	dllhost.exe
2888	dllhost.exe
2624	dllhost.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\de-DE\winlogon.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Windows Sidebar\de-DE\cc11b995f2a76d	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCX86E.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\1610b97d3ab4a7	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\RCX1302.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX1508.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\RCX86F.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\RCX1303.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\27d1bcfc3c54e0	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\winlogon.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX1507.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\dllhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\dllhost.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Windows\DigitalLocker\en-US\5940a34987c991	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX669.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCX66A.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe
2224	schtasks.exe
2624	schtasks.exe
2920	schtasks.exe
2956	schtasks.exe
864	schtasks.exe
852	schtasks.exe
1360	schtasks.exe
2784	schtasks.exe
1756	schtasks.exe
2216	schtasks.exe
2640	schtasks.exe
2080	schtasks.exe
2580	schtasks.exe
1160	schtasks.exe
1432	schtasks.exe
444	schtasks.exe
2288	schtasks.exe
2912	schtasks.exe
2860	schtasks.exe
3056	schtasks.exe
1760	schtasks.exe
2184	schtasks.exe
2380	schtasks.exe
2332	schtasks.exe
2620	schtasks.exe
588	schtasks.exe
2384	schtasks.exe
2164	schtasks.exe
2612	schtasks.exe
448	schtasks.exe
2924	schtasks.exe
532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
2760	powershell.exe
2576	powershell.exe
2800	powershell.exe
1236	powershell.exe
2600	powershell.exe
2720	powershell.exe
1156	powershell.exe
2936	powershell.exe
2880	powershell.exe
2788	powershell.exe
2052	powershell.exe
2044	powershell.exe
2176	dllhost.exe
2668	dllhost.exe
928	dllhost.exe
2368	dllhost.exe
2828	dllhost.exe
2592	dllhost.exe
2888	dllhost.exe
2624	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2176	dllhost.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2668	dllhost.exe
Token: SeDebugPrivilege	928	dllhost.exe
Token: SeDebugPrivilege	2368	dllhost.exe
Token: SeDebugPrivilege	2828	dllhost.exe
Token: SeDebugPrivilege	2592	dllhost.exe
Token: SeDebugPrivilege	2888	dllhost.exe
Token: SeDebugPrivilege	2624	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2576	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	64
PID 2780 wrote to memory of 2576	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	64
PID 2780 wrote to memory of 2576	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	64
PID 2780 wrote to memory of 2760	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	65
PID 2780 wrote to memory of 2760	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	65
PID 2780 wrote to memory of 2760	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	65
PID 2780 wrote to memory of 2720	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	66
PID 2780 wrote to memory of 2720	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	66
PID 2780 wrote to memory of 2720	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	66
PID 2780 wrote to memory of 1236	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	67
PID 2780 wrote to memory of 1236	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	67
PID 2780 wrote to memory of 1236	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	67
PID 2780 wrote to memory of 2600	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	68
PID 2780 wrote to memory of 2600	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	68
PID 2780 wrote to memory of 2600	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	68
PID 2780 wrote to memory of 2052	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	70
PID 2780 wrote to memory of 2052	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	70
PID 2780 wrote to memory of 2052	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	70
PID 2780 wrote to memory of 2880	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	72
PID 2780 wrote to memory of 2880	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	72
PID 2780 wrote to memory of 2880	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	72
PID 2780 wrote to memory of 1156	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	73
PID 2780 wrote to memory of 1156	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	73
PID 2780 wrote to memory of 1156	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	73
PID 2780 wrote to memory of 2044	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	75
PID 2780 wrote to memory of 2044	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	75
PID 2780 wrote to memory of 2044	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	75
PID 2780 wrote to memory of 2788	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	76
PID 2780 wrote to memory of 2788	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	76
PID 2780 wrote to memory of 2788	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	76
PID 2780 wrote to memory of 2936	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	78
PID 2780 wrote to memory of 2936	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	78
PID 2780 wrote to memory of 2936	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	78
PID 2780 wrote to memory of 2800	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	79
PID 2780 wrote to memory of 2800	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	79
PID 2780 wrote to memory of 2800	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	79
PID 2780 wrote to memory of 2176	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	88
PID 2780 wrote to memory of 2176	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	88
PID 2780 wrote to memory of 2176	2780	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	88
PID 2176 wrote to memory of 2008	2176	dllhost.exe	89
PID 2176 wrote to memory of 2008	2176	dllhost.exe	89
PID 2176 wrote to memory of 2008	2176	dllhost.exe	89
PID 2176 wrote to memory of 1960	2176	dllhost.exe	90
PID 2176 wrote to memory of 1960	2176	dllhost.exe	90
PID 2176 wrote to memory of 1960	2176	dllhost.exe	90
PID 2008 wrote to memory of 2668	2008	WScript.exe	91
PID 2008 wrote to memory of 2668	2008	WScript.exe	91
PID 2008 wrote to memory of 2668	2008	WScript.exe	91
PID 2668 wrote to memory of 1956	2668	dllhost.exe	92
PID 2668 wrote to memory of 1956	2668	dllhost.exe	92
PID 2668 wrote to memory of 1956	2668	dllhost.exe	92
PID 2668 wrote to memory of 2080	2668	dllhost.exe	93
PID 2668 wrote to memory of 2080	2668	dllhost.exe	93
PID 2668 wrote to memory of 2080	2668	dllhost.exe	93
PID 1956 wrote to memory of 928	1956	WScript.exe	94
PID 1956 wrote to memory of 928	1956	WScript.exe	94
PID 1956 wrote to memory of 928	1956	WScript.exe	94
PID 928 wrote to memory of 2648	928	dllhost.exe	95
PID 928 wrote to memory of 2648	928	dllhost.exe	95
PID 928 wrote to memory of 2648	928	dllhost.exe	95
PID 928 wrote to memory of 2476	928	dllhost.exe	96
PID 928 wrote to memory of 2476	928	dllhost.exe	96
PID 928 wrote to memory of 2476	928	dllhost.exe	96
PID 2648 wrote to memory of 2368	2648	WScript.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
"C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\DigitalLocker\en-US\dllhost.exe
  "C:\Windows\DigitalLocker\en-US\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0174fb6-6b13-484c-8741-9ffc03fbf09a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\DigitalLocker\en-US\dllhost.exe
      C:\Windows\DigitalLocker\en-US\dllhost.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ea501b-de06-4c1b-8775-60014a17a5bb.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\DigitalLocker\en-US\dllhost.exe
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81774615-05ee-4abb-9e66-9529e720acf9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c474181-e05a-4640-8e2a-7e5e32774d07.vbs"
        9⤵
        
        PID:1676
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\771ce48d-ab00-4119-aa5f-467d3cad5dbb.vbs"
        11⤵
        
        PID:2468
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99d47cbb-5f62-4543-b716-6554a0c59c8a.vbs"
        13⤵
        
        PID:2932
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d85042ba-d05b-43fc-a296-b4fb64e31f88.vbs"
        15⤵
        
        PID:2864
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        
        C:\Windows\DigitalLocker\en-US\dllhost.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f94c1ff-1e58-4b32-b87d-894f2e7df1e1.vbs"
        17⤵
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39fbfaa7-e5ac-4c41-9c9b-174cfc36edc4.vbs"
        17⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89323c95-5409-44d0-92ee-98684636a88a.vbs"
        15⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f3379ee-4b08-4c25-995f-4295bc9c5782.vbs"
        13⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af41a440-8f1f-4680-acbf-8949d479dd8a.vbs"
        11⤵
        
        PID:320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5287f82-2766-4258-b032-5729f6e9bd08.vbs"
        9⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\195003c4-c057-4efd-af28-b27ad50de316.vbs"
        7⤵
        
        PID:2476
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00488e71-2198-45a1-a31d-542c2ee65cbe.vbs"
        5⤵
        
        PID:2080
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e68c40b-fadb-41de-aa5d-e20fc0819c89.vbs"
    3⤵
    PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee821" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee821" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe

Filesize
1.6MB

MD5
02b6a89dcf275e4ecba531bc3b2bc7b2

SHA1
acfbe9c7c751c52981e2242c2ebd13795070964c

SHA256
c79bfba5c276e03366051535d0fa06bfd4daa57190760b7d81d845bc222bc33f

SHA512
cd571dcf086f3a20baba1a81fa0a7f6cfec89977b58245f43ee5b0f6ddfa0137493b0120d2ccad9ad8965ba35e8c71a650163404458294d9ce42a9d8f34652b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f94c1ff-1e58-4b32-b87d-894f2e7df1e1.vbs

Filesize
718B

MD5
df192ed09c2f42c045e4ecd83c61e42b

SHA1
e762f5a54f1be58ce3152b05c0b2bdc391326409

SHA256
f55fd1b2922aef293a693166cdecf0c7a044cb72f6a6c1e4cdaca94c8cea7b1c

SHA512
10d1c67e2a4a17ab0ad1ecee625ab2f2eb57ae3113bfb720d78344785eb8cd6b3151e1b1c020519073eff53268792e66d0a5481507ada9a424aaac258b730f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e68c40b-fadb-41de-aa5d-e20fc0819c89.vbs

Filesize
494B

MD5
15fd14b0f79372389c6e1d76989e4509

SHA1
73e916a4b111ff63673152f9cb0e12b40db7d134

SHA256
3112e4c0c968069a7efc5d4d5f9d3271155c46bfa382f9e493884e4a50459680

SHA512
d59a62865d9d74311fba0736b81d681cb6b155023d961a3636713de2040f840d3c862bc2198955f50022776e681855bb97577ac81f040c896ca29f0aa8fe208c

Download Submit
C:\Users\Admin\AppData\Local\Temp\771ce48d-ab00-4119-aa5f-467d3cad5dbb.vbs

Filesize
718B

MD5
c37a69ad85714717bbb0e653486c5200

SHA1
f272f86e1c43e5f4c60207bdbce1e4c8ed777c65

SHA256
23b5eb408d3531fd6db2ca5e2cea41797064989dbb80c452f6abad814f6eb56b

SHA512
de760621965b69028699beeab7ef425ae1680c316e345fcd765373df0ad9c9667c75ce19bf2d1150c1aed98e04d33453896976b4e5f6b01ca62db07ba43a2738

Download Submit
C:\Users\Admin\AppData\Local\Temp\81774615-05ee-4abb-9e66-9529e720acf9.vbs

Filesize
717B

MD5
4b58e9427d97b79dfb1778f7e87dc29c

SHA1
dc1991fa4270a2b32abb7279ea6736def19d6a66

SHA256
786c1dcde3e0f12d2b4890b42b6a5ebe07a762d1a0d7c6c1d91ea0015f1d6c92

SHA512
72e9e2ba819ce0148ab69c67f88e270739c0ff0205c9c4b6b6b9f28891841fd85d5538ee1cc22e106ac5518843df5b26d6f2ff81483977d623a8c6a499060a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c474181-e05a-4640-8e2a-7e5e32774d07.vbs

Filesize
718B

MD5
cf82442d81058f54c8891c0b478548b5

SHA1
75cb3e7b059c45c8167779fcd460bf9941a686a3

SHA256
4f1e8cfd54ebe7fca764f958c7347f20d1997042052e6b5091bbe8ae7b1120d8

SHA512
26d9be9dc36474ecee4342feab5ec07a5b5ae37c918210aa5db93774f6291fbecc1a00c21da6418728185821aa258f21349fd9fff4633119d43c270c149591c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\99d47cbb-5f62-4543-b716-6554a0c59c8a.vbs

Filesize
718B

MD5
eeaca5185a10e67c084c207407d79b03

SHA1
44353381e42a4a514314f536197871ca3d5ee576

SHA256
81a4dc46c25262256bd6d1d3c5374960718f7947d378fa621df8be3f773e5eb2

SHA512
b58d35762c50f4825830f647528796478d591e6272fa3fe9e2f5f0ff20b951b552587e26c584d88dbf15bfa7729bea386ea53c70633a0cdeda5d7a265f560bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0174fb6-6b13-484c-8741-9ffc03fbf09a.vbs

Filesize
718B

MD5
e1a5b380f3a2a3377234e6941abb7506

SHA1
ce3d51477aea0b9c6fc38fc527193ec2fe9046f8

SHA256
087b38c08bf6fa3f49756dd67456db208616a7564cce442683352225f7d7d5a1

SHA512
ae4ac352ddc45ca9bc694167d10e0b67f00f8852d08a45cef3af1de8ca4c24f7252900e98182fda49ecd731884d9d5f77d1cda0c514c717d79ded5313680fef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d85042ba-d05b-43fc-a296-b4fb64e31f88.vbs

Filesize
718B

MD5
a159afedbd383766f90012515d9d06a1

SHA1
d7ffc4ce8d11f1bb5380ed9daab455996beb3cb0

SHA256
638129a215eecce6876e35858710cf0147a5f014dbd5d369941777760f4efab6

SHA512
881d511a983ddaa3397c4ea42b1336c387bfe0a38051e3d04ddf8cd8b115123f9ac3ace17a4258be1ee3c0f3eb425f57b4bbe7fc31e5abd562c6162d664da459

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9ea501b-de06-4c1b-8775-60014a17a5bb.vbs

Filesize
718B

MD5
c16d1a87e1a09ed1138c0c0b595373c2

SHA1
106980d5ad156e96632162130d1ca898fa0a8ede

SHA256
f99fad2a97433a5091d02c634836f042c38885714a293a2052d15881a97a87a4

SHA512
a481603e04335dea07d938e7684ed31c8e134947107bc5de9ce8a343e3b968f583d2be05c3f0f8d1cb339a2f4fbdd11371b0542eebc4353164c871f479bfd623

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5db8f20f4e7093c6a16b55432eac2274

SHA1
77e9d80bf770f1ee9641692db0087988f9d1bf09

SHA256
4e86f2196572a5211d14bb147737f71ada2a1675602de3f05090360f81d93f10

SHA512
f03ea7e7c9383baedf2b18f2a2cd5866dfcacb6ee81cb8750c197b4ac24584839dafdd0dafc13c0c7bb2f0b2ed93b9b738b5523c51f692abc801ec2f4e518390

Download Submit
C:\Users\Public\Downloads\spoolsv.exe

Filesize
1.6MB

MD5
7fbc72dcc67b2b7366c90f81051bd68a

SHA1
bdd22f70686afb5bf32d638eee6fdd0891ec3248

SHA256
1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82

SHA512
e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025

Download Submit
memory/1236-202-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2176-194-0x0000000000B30000-0x0000000000CD2000-memory.dmp

Filesize
1.6MB

Download
memory/2576-195-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2668-237-0x0000000001300000-0x00000000014A2000-memory.dmp

Filesize
1.6MB

Download
memory/2780-8-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2780-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2780-15-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/2780-13-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/2780-14-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/2780-12-0x0000000000C20000-0x0000000000C2E000-memory.dmp

Filesize
56KB

Download
memory/2780-11-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/2780-221-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-10-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/2780-16-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/2780-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2780-7-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2780-6-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2780-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2780-4-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2780-3-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2780-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-1-0x0000000001070000-0x0000000001212000-memory.dmp

Filesize
1.6MB

Download