dcrat | 5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Size

1.6MB
MD5

43460cdfde5083d6f692f08813ef6dd1
SHA1

55756e184df04ffe1c502a40f8f859de16d19003
SHA256

33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b
SHA512

23dc4dc7bfa6f60da960b314c940e3e17e15e5719d5453a5ad1ca6f2c7f034357ad71a1a3a46b16b508076af878d7972c2d24cc3a6a7721a12bd851ff63c6e66
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2868	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2868	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2388-1-0x00000000000D0000-0x0000000000272000-memory.dmp	dcrat
behavioral11/files/0x000500000001a4e2-27.dat	dcrat
behavioral11/files/0x000500000001a4e8-36.dat	dcrat
behavioral11/memory/2336-127-0x0000000000010000-0x00000000001B2000-memory.dmp	dcrat
behavioral11/memory/2644-138-0x00000000001B0000-0x0000000000352000-memory.dmp	dcrat
behavioral11/memory/592-150-0x0000000001160000-0x0000000001302000-memory.dmp	dcrat
behavioral11/memory/2816-173-0x0000000000220000-0x00000000003C2000-memory.dmp	dcrat
behavioral11/memory/2916-185-0x0000000000150000-0x00000000002F2000-memory.dmp	dcrat
behavioral11/memory/2116-197-0x0000000001010000-0x00000000011B2000-memory.dmp	dcrat
behavioral11/memory/1904-220-0x00000000011E0000-0x0000000001382000-memory.dmp	dcrat
behavioral11/memory/2088-243-0x00000000013B0000-0x0000000001552000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe
3032	powershell.exe
2924	powershell.exe
2940	powershell.exe
2344	powershell.exe
2256	powershell.exe
2512	powershell.exe
2340	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
2336	WMIADAP.exe
2644	WMIADAP.exe
592	WMIADAP.exe
1332	WMIADAP.exe
2816	WMIADAP.exe
2916	WMIADAP.exe
2116	WMIADAP.exe
2696	WMIADAP.exe
1904	WMIADAP.exe
2796	WMIADAP.exe
2088	WMIADAP.exe
1584	WMIADAP.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\cc11b995f2a76d	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXE1CD.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXE1CE.tmp	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2316	schtasks.exe
2300	schtasks.exe
2572	schtasks.exe
2184	schtasks.exe
2732	schtasks.exe
2768	schtasks.exe
2004	schtasks.exe
2780	schtasks.exe
1044	schtasks.exe
1688	schtasks.exe
2676	schtasks.exe
652	schtasks.exe
2252	schtasks.exe
2620	schtasks.exe
1824	schtasks.exe
812	schtasks.exe
1532	schtasks.exe
3000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
3032	powershell.exe
2924	powershell.exe
2940	powershell.exe
2900	powershell.exe
2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
2344	powershell.exe
2340	powershell.exe
2512	powershell.exe
2256	powershell.exe
2336	WMIADAP.exe
2644	WMIADAP.exe
592	WMIADAP.exe
1332	WMIADAP.exe
2816	WMIADAP.exe
2916	WMIADAP.exe
2116	WMIADAP.exe
2696	WMIADAP.exe
1904	WMIADAP.exe
2796	WMIADAP.exe
2088	WMIADAP.exe
1584	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2336	WMIADAP.exe
Token: SeDebugPrivilege	2644	WMIADAP.exe
Token: SeDebugPrivilege	592	WMIADAP.exe
Token: SeDebugPrivilege	1332	WMIADAP.exe
Token: SeDebugPrivilege	2816	WMIADAP.exe
Token: SeDebugPrivilege	2916	WMIADAP.exe
Token: SeDebugPrivilege	2116	WMIADAP.exe
Token: SeDebugPrivilege	2696	WMIADAP.exe
Token: SeDebugPrivilege	1904	WMIADAP.exe
Token: SeDebugPrivilege	2796	WMIADAP.exe
Token: SeDebugPrivilege	2088	WMIADAP.exe
Token: SeDebugPrivilege	1584	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2900	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	41
PID 2388 wrote to memory of 2900	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	41
PID 2388 wrote to memory of 2900	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	41
PID 2388 wrote to memory of 2940	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	42
PID 2388 wrote to memory of 2940	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	42
PID 2388 wrote to memory of 2940	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	42
PID 2388 wrote to memory of 2924	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	43
PID 2388 wrote to memory of 2924	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	43
PID 2388 wrote to memory of 2924	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	43
PID 2388 wrote to memory of 3032	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	45
PID 2388 wrote to memory of 3032	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	45
PID 2388 wrote to memory of 3032	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	45
PID 2388 wrote to memory of 2080	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	49
PID 2388 wrote to memory of 2080	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	49
PID 2388 wrote to memory of 2080	2388	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	49
PID 2080 wrote to memory of 2344	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	59
PID 2080 wrote to memory of 2344	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	59
PID 2080 wrote to memory of 2344	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	59
PID 2080 wrote to memory of 2340	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	60
PID 2080 wrote to memory of 2340	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	60
PID 2080 wrote to memory of 2340	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	60
PID 2080 wrote to memory of 2512	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	61
PID 2080 wrote to memory of 2512	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	61
PID 2080 wrote to memory of 2512	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	61
PID 2080 wrote to memory of 2256	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	64
PID 2080 wrote to memory of 2256	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	64
PID 2080 wrote to memory of 2256	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	64
PID 2080 wrote to memory of 1552	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	67
PID 2080 wrote to memory of 1552	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	67
PID 2080 wrote to memory of 1552	2080	33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe	67
PID 1552 wrote to memory of 2648	1552	cmd.exe	69
PID 1552 wrote to memory of 2648	1552	cmd.exe	69
PID 1552 wrote to memory of 2648	1552	cmd.exe	69
PID 1552 wrote to memory of 2336	1552	cmd.exe	70
PID 1552 wrote to memory of 2336	1552	cmd.exe	70
PID 1552 wrote to memory of 2336	1552	cmd.exe	70
PID 2336 wrote to memory of 2904	2336	WMIADAP.exe	71
PID 2336 wrote to memory of 2904	2336	WMIADAP.exe	71
PID 2336 wrote to memory of 2904	2336	WMIADAP.exe	71
PID 2336 wrote to memory of 3016	2336	WMIADAP.exe	72
PID 2336 wrote to memory of 3016	2336	WMIADAP.exe	72
PID 2336 wrote to memory of 3016	2336	WMIADAP.exe	72
PID 2904 wrote to memory of 2644	2904	WScript.exe	73
PID 2904 wrote to memory of 2644	2904	WScript.exe	73
PID 2904 wrote to memory of 2644	2904	WScript.exe	73
PID 2644 wrote to memory of 1080	2644	WMIADAP.exe	74
PID 2644 wrote to memory of 1080	2644	WMIADAP.exe	74
PID 2644 wrote to memory of 1080	2644	WMIADAP.exe	74
PID 2644 wrote to memory of 1200	2644	WMIADAP.exe	75
PID 2644 wrote to memory of 1200	2644	WMIADAP.exe	75
PID 2644 wrote to memory of 1200	2644	WMIADAP.exe	75
PID 1080 wrote to memory of 592	1080	WScript.exe	76
PID 1080 wrote to memory of 592	1080	WScript.exe	76
PID 1080 wrote to memory of 592	1080	WScript.exe	76
PID 592 wrote to memory of 832	592	WMIADAP.exe	77
PID 592 wrote to memory of 832	592	WMIADAP.exe	77
PID 592 wrote to memory of 832	592	WMIADAP.exe	77
PID 592 wrote to memory of 2200	592	WMIADAP.exe	78
PID 592 wrote to memory of 2200	592	WMIADAP.exe	78
PID 592 wrote to memory of 2200	592	WMIADAP.exe	78
PID 832 wrote to memory of 1332	832	WScript.exe	79
PID 832 wrote to memory of 1332	832	WScript.exe	79
PID 832 wrote to memory of 1332	832	WScript.exe	79
PID 1332 wrote to memory of 2844	1332	WMIADAP.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
"C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
  "C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\WMIADAP.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cJcUuQgjui.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2648
  - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
      "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95f73c63-0c9f-4c98-b492-7d3f4ead1bf2.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb9650a-cdae-45e5-afe8-54590b6c4ccf.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09a86ac3-32bc-45ef-a990-6265af93e108.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18d095f0-0d7e-4107-8391-28166ad7ec1f.vbs"
        11⤵
        
        PID:2844
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43f64ac0-d955-458a-9069-ea1277c39b6a.vbs"
        13⤵
        
        PID:2776
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\415fabd9-d03d-4e99-8cd8-4dd0921a1b97.vbs"
        15⤵
        
        PID:1440
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ccc5b3c6-b99a-49f4-b320-36ed32c9ea1b.vbs"
        17⤵
        
        PID:1376
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6deb9314-0df7-4f2e-a157-aff6db465ca6.vbs"
        19⤵
        
        PID:1988
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df2505cc-5a6f-414b-8bd3-113eb0fa2145.vbs"
        21⤵
        
        PID:1640
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8c43139-82dc-4f0e-a6b2-2066b2fc941d.vbs"
        23⤵
        
        PID:2952
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16031e7c-1b22-42b6-a06a-24994b5ca14e.vbs"
        25⤵
        
        PID:1040
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5225ca94-b969-4ab7-be8e-19216903de98.vbs"
        25⤵
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5322a8f-0a24-41ff-9f09-887850b286d2.vbs"
        23⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e26fcff3-2768-4d08-ac30-cc25638fbf55.vbs"
        21⤵
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb4839e-9b07-40b5-8bc7-b129d9494162.vbs"
        19⤵
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4e319ab-cf9b-4418-8baf-06e2d5da7f4b.vbs"
        17⤵
        
        PID:1352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd78aab8-7c7b-41d3-8dcf-656cbbd2d5cc.vbs"
        15⤵
        
        PID:480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa3ac62f-59fa-4ba6-9fc3-9fff794f866b.vbs"
        13⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e659edd-4b0d-4ffe-a69b-7af0babcbc6c.vbs"
        11⤵
        
        PID:576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa0728b5-b639-40b6-90d9-1c12eaf31675.vbs"
        9⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f288a30-101d-4988-9849-abe38ae06a4d.vbs"
        7⤵
        
        PID:1200
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\284f2b21-f65d-48eb-9c32-4fb644c109b9.vbs"
        5⤵
        
        PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b3" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b3" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b3" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b3" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
1.6MB

MD5
7387e649efafa7f2c67100f09e2bc001

SHA1
b6aeac6afd7bd6cf9fb6303fb725d8a7bbc2be53

SHA256
5030b206bfa07e67803687b27af710f4cd952286e22b4f4d758e790a6c1db5a1

SHA512
642f1096ae85081eee882f6c539d364fb64ddc58a86bc5f04b837eb2e3590249b71bdfe37a8a28c4d2e936ea126219b7267ed88eda94f216ef347ec8e662c8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\09a86ac3-32bc-45ef-a990-6265af93e108.vbs

Filesize
735B

MD5
55d4cdb922b27c1b5536faf7539f636f

SHA1
0d87293ca506c79f7db32e62c4576658b45a743e

SHA256
cac1748fbeb0dede39a84cb695c9f80ddbcebf62c4baeb5d579c43bdd3df7029

SHA512
c24d9f156ef67f6e7f8de7900a99a0e3c8f22e9ff0aa6f904587eb8b30af8d7499b5d20f26a75ba1ad16d2cbcd0f6e00f1aa17815c35f9bf0d98e5bc504c192f

Download Submit
C:\Users\Admin\AppData\Local\Temp\16031e7c-1b22-42b6-a06a-24994b5ca14e.vbs

Filesize
736B

MD5
76dd0e8f48a1516637d96a2b22e78fb4

SHA1
62f965a8a5ebd7de6824ef278b0e4dc107414ad6

SHA256
1991b2a179585ef7421016131cc27a0a4a24684a9075ed2d91c5951b15bdad64

SHA512
88430be5693532720a913393b51d1c0b56529ec29fc36f133178ba5cec18555d510971244cfe36645f8f3cd48c3efc31acd5436ffa803c74cdf841fdc649c1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\18d095f0-0d7e-4107-8391-28166ad7ec1f.vbs

Filesize
736B

MD5
1f2c67b8433df93362fc360838923cb7

SHA1
a622f22cebf328de8e8ffac5198100e12533b774

SHA256
86dedf158e0e6ebe8e5bd0eb1df8797dd37f6c89d8703e3d53a8ddd2d63285af

SHA512
c8defbb5394747802343186389d780f04c12e13c63e297892166e61137da0ba60c1fb1f63ae067fa2082222634ae009bfb1b985fc2a78c17eab944e23cd52d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\284f2b21-f65d-48eb-9c32-4fb644c109b9.vbs

Filesize
512B

MD5
ed59188bd701c4a43638c5f16a7d33c3

SHA1
4f6007b28c88975ddc1ff796cdbd681c64b1eb5a

SHA256
8c65b0ffffb3f49ce65ed71c1b0881aea3ea588ff99950bf017b7f6e4bd0f2d3

SHA512
0a38459f37da4fdbd2282d76c0e2155c0bf84ba22956ec5395751bdd31c6be86870e110bd8145e06835d1edcbd6a544d58c56e04571fdfa92c6efdc96cf0dc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\415fabd9-d03d-4e99-8cd8-4dd0921a1b97.vbs

Filesize
736B

MD5
44d0a23c53fce03e87d8aac870b0342b

SHA1
a54f683f33e21beb857c7125c444bab89741fc7d

SHA256
63e3dd411646c81fa32404a0f0ce0756a8567eb2a191fb5d168869831645e4fc

SHA512
768887db54ac003638c0481e3ee2c1d61cba489d940add49520405ef70cfbd0c7c5875caa7e9045d7b0ac4b34298ce73d948e7a5fe864edec43efb41527866d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\43f64ac0-d955-458a-9069-ea1277c39b6a.vbs

Filesize
736B

MD5
c453d244565afb18ba504f89f001a8a2

SHA1
0141020523efceeb79380edddf9f9a3d7d6f11ef

SHA256
4208342a53e7e5a2e2d9473bddb5b595068b0e67bb37efc49bec6e2db7b7dd13

SHA512
b20a9ba52dabe902fe995895d8f406875de9372a03297ba802a5f35aa5a97b38450f1929754ab5e9d6b6ef000644f6d2d736737a6254c65510a32437737db0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb9650a-cdae-45e5-afe8-54590b6c4ccf.vbs

Filesize
736B

MD5
5903280c358b8125f078b72557265c60

SHA1
ae3843dea4c29ef3466e00d11debd861e1001479

SHA256
b9cd88a78716efebdca593f0bdd8ed34a8acf9be154522fa9795aab4236731b4

SHA512
d5b6c52e5af029854e6bc04658299df8795be17f1548baa108e6a957a3e785bcd1934344a7812718d1601aebcd0f1acdfd1bc71a02d902ea4699448571f3d075

Download Submit
C:\Users\Admin\AppData\Local\Temp\6deb9314-0df7-4f2e-a157-aff6db465ca6.vbs

Filesize
736B

MD5
82eb75f3275f65fe8e4b59304291e2a7

SHA1
1bbedd2a06e6edc0deca83e47f8a7d2bdbc80dde

SHA256
b2a9278da66ab70d2893d427f02f0cb0e25ab03ee07c53f0bd76d6d2e1907f51

SHA512
951244cd6c93c0ca585ae3c415fdb247353b7142813657fe5d7a46fdaa764ed5644cba65dc228a4b0b864480f54e9a28c07a20225d8be6f11fee41552a99fd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\95f73c63-0c9f-4c98-b492-7d3f4ead1bf2.vbs

Filesize
736B

MD5
d6726ab01f1ed9bdcdd562c03eff0785

SHA1
664c19552bb7dce2fe58aa714f5f7b7d8a527530

SHA256
0a402b866f6a02937cb8cdc089a403330d293f615064a52ccb4f63996a2b41a3

SHA512
b2ad49fc424b4ea1c1608ff133ac7090b6b53253d5cf628d735afd700d8f92a3a54ffc351485ab72560996c23e13d97a9549981ad565d802b8cb318ea5866209

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXDAC6.tmp

Filesize
1.6MB

MD5
43460cdfde5083d6f692f08813ef6dd1

SHA1
55756e184df04ffe1c502a40f8f859de16d19003

SHA256
33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b

SHA512
23dc4dc7bfa6f60da960b314c940e3e17e15e5719d5453a5ad1ca6f2c7f034357ad71a1a3a46b16b508076af878d7972c2d24cc3a6a7721a12bd851ff63c6e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\cJcUuQgjui.bat

Filesize
225B

MD5
82e639370e562855d3036951631c75c8

SHA1
762feba80cb2d950c5a2d6fad5d32c995605fbef

SHA256
8586c8e6133d1a52805cf1cca0d3ab0526691ccec63b0a908224cca249f8bc0b

SHA512
a8759892882b341d0bbe3d70b559b0056e7786f94f3243d106fda724f54f1e43913a3cb3d6a13aefec8326bf5576a58a070bc0ee799c03d9fb9d25308f24e634

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccc5b3c6-b99a-49f4-b320-36ed32c9ea1b.vbs

Filesize
736B

MD5
da66d0be1d2323073f3b7c2445c9b860

SHA1
5cd48c7937f767d2278de25f3bea147c92fbd1dc

SHA256
d90bd3b9619ad856fedc5763da0afb3f422384f2b0ba37d5dfbe03478d73d258

SHA512
a64aef0fed8f069ed94ef0ce1fca8bebb690857fb9e73cc35ba792ae1d2edcd79253923dda9c7f1e964063302b23f2f9da93f7daba2158545f5736b37c9313cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\df2505cc-5a6f-414b-8bd3-113eb0fa2145.vbs

Filesize
736B

MD5
ad80c07486ff29f5e8d782e781117fd2

SHA1
5ec2eca6a731318678c40e1e88e8bf2f9543e1f2

SHA256
6fdf5af444bdaf39c4122507a1dc01916d0fd840452d96aa8e217fcc0840402e

SHA512
8ffe9185a27bd44afeacf0c323ce3e67b8c8dc15e1956ea7b73d108e4330ed973f7286e28ee4ae0a8415098b84c2e003a27e400594bdedd3b849d8ab8f799abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8c43139-82dc-4f0e-a6b2-2066b2fc941d.vbs

Filesize
736B

MD5
22a2bdd68fb0d9794b57fa0950ac8626

SHA1
518a0c4aa1a29dcd4830c23bf781cc32395762a1

SHA256
cdb0f3e341ad4bb4d30822ec34106fa1398dae580531eb48da3e261d45181fe4

SHA512
2815767761b42a477fcea5e2afc422998705c72e0654dc7fbd1d5d5871e8dcd35934724d008d152fbe975ff263c09b016fe91283a943defc94f52a711a52ef25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3caea0ade7c731e618d83016d0204543

SHA1
e7de75ecd433e07d4ca46dc48a30413ebd93dfc2

SHA256
900122a21c2c9b6e096e71b12331410b5a5f3740f8fdcda40efacaaae5b2319f

SHA512
b306077f7b44360020101cbb2f055aac6794dba124e6ef6d3a331e2f9d6e2c8d74056df1326e945f7d0a949de802b651386c5a2aa25dbed0ec20d2e799829cbf

Download Submit
memory/592-150-0x0000000001160000-0x0000000001302000-memory.dmp

Filesize
1.6MB

Download
memory/1904-220-0x00000000011E0000-0x0000000001382000-memory.dmp

Filesize
1.6MB

Download
memory/2088-243-0x00000000013B0000-0x0000000001552000-memory.dmp

Filesize
1.6MB

Download
memory/2116-197-0x0000000001010000-0x00000000011B2000-memory.dmp

Filesize
1.6MB

Download
memory/2336-127-0x0000000000010000-0x00000000001B2000-memory.dmp

Filesize
1.6MB

Download
memory/2344-113-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2344-108-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2388-11-0x0000000002160000-0x000000000216A000-memory.dmp

Filesize
40KB

Download
memory/2388-12-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/2388-1-0x00000000000D0000-0x0000000000272000-memory.dmp

Filesize
1.6MB

Download
memory/2388-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-16-0x000000001A740000-0x000000001A74C000-memory.dmp

Filesize
48KB

Download
memory/2388-15-0x000000001A730000-0x000000001A73A000-memory.dmp

Filesize
40KB

Download
memory/2388-85-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2388-14-0x000000001A720000-0x000000001A728000-memory.dmp

Filesize
32KB

Download
memory/2388-13-0x000000001A710000-0x000000001A718000-memory.dmp

Filesize
32KB

Download
memory/2388-5-0x0000000002070000-0x0000000002086000-memory.dmp

Filesize
88KB

Download
memory/2388-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2388-3-0x00000000007B0000-0x00000000007CC000-memory.dmp

Filesize
112KB

Download
memory/2388-10-0x0000000002150000-0x000000000215C000-memory.dmp

Filesize
48KB

Download
memory/2388-4-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2388-9-0x0000000002090000-0x000000000209C000-memory.dmp

Filesize
48KB

Download
memory/2388-8-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2388-7-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/2388-6-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2644-138-0x00000000001B0000-0x0000000000352000-memory.dmp

Filesize
1.6MB

Download
memory/2816-173-0x0000000000220000-0x00000000003C2000-memory.dmp

Filesize
1.6MB

Download
memory/2916-185-0x0000000000150000-0x00000000002F2000-memory.dmp

Filesize
1.6MB

Download
memory/2924-83-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/3032-82-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download