dcrat | 5b1a883fc342ab1654912c119190f04771ae47477f1a006b932150129675134c

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
Size

1.6MB
MD5

38f861dde9adcb292ab747d998438b20
SHA1

0ace12fd6fda2f2663b5b2c83c9451ad439436e0
SHA256

38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0
SHA512

3ce0f60b7031d2e5d3e108663d1c7b3d07bb467be1ec0b02e61e2e49161593e2700fec12d144ffaa7e2d1401b5adeb53bb3c1d8a3d48e711c1e5f9ecaa96513a
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	344	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	344	schtasks.exe	30

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral15/memory/1836-1-0x0000000001120000-0x00000000012C2000-memory.dmp	dcrat
behavioral15/files/0x000500000001a41b-25.dat	dcrat
behavioral15/files/0x000800000001a061-82.dat	dcrat
behavioral15/files/0x000700000001a325-93.dat	dcrat
behavioral15/files/0x000600000001a4af-127.dat	dcrat
behavioral15/files/0x000700000001a4a0-138.dat	dcrat
behavioral15/memory/2580-201-0x0000000000E10000-0x0000000000FB2000-memory.dmp	dcrat
behavioral15/memory/840-223-0x0000000001100000-0x00000000012A2000-memory.dmp	dcrat
behavioral15/memory/1708-235-0x0000000001240000-0x00000000013E2000-memory.dmp	dcrat
behavioral15/memory/2668-247-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat
behavioral15/memory/2400-259-0x00000000000B0000-0x0000000000252000-memory.dmp	dcrat
behavioral15/memory/768-271-0x0000000000A00000-0x0000000000BA2000-memory.dmp	dcrat
behavioral15/memory/2860-283-0x0000000000A90000-0x0000000000C32000-memory.dmp	dcrat
behavioral15/memory/2468-295-0x0000000000140000-0x00000000002E2000-memory.dmp	dcrat
behavioral15/memory/1244-307-0x0000000000CB0000-0x0000000000E52000-memory.dmp	dcrat
behavioral15/memory/2924-319-0x0000000001260000-0x0000000001402000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
876	powershell.exe
880	powershell.exe
2264	powershell.exe
3052	powershell.exe
2052	powershell.exe
2360	powershell.exe
3040	powershell.exe
2212	powershell.exe
1604	powershell.exe
2928	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2580	spoolsv.exe
2416	spoolsv.exe
840	spoolsv.exe
1708	spoolsv.exe
2668	spoolsv.exe
2400	spoolsv.exe
768	spoolsv.exe
2860	spoolsv.exe
2468	spoolsv.exe
1244	spoolsv.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\RCXC80D.tmp	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dwm.exe	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\f3b6ecef712a24	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\56085415360792	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File created	C:\Program Files\DVD Maker\b75386f1303e64	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXBEB2.tmp	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXC123.tmp	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXC124.tmp	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files\DVD Maker\taskhost.exe	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File created	C:\Program Files\Mozilla Firefox\6cb0b6c459d5d3	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File created	C:\Program Files\DVD Maker\taskhost.exe	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files\DVD Maker\RCXCEF5.tmp	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files\DVD Maker\RCXCF63.tmp	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File created	C:\Program Files\Mozilla Firefox\dwm.exe	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXBEB1.tmp	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXC80C.tmp	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe
2532	schtasks.exe
1036	schtasks.exe
2988	schtasks.exe
2768	schtasks.exe
2292	schtasks.exe
2256	schtasks.exe
1356	schtasks.exe
3012	schtasks.exe
828	schtasks.exe
2776	schtasks.exe
2656	schtasks.exe
2668	schtasks.exe
1672	schtasks.exe
1364	schtasks.exe
2444	schtasks.exe
1972	schtasks.exe
2724	schtasks.exe
1664	schtasks.exe
2612	schtasks.exe
2828	schtasks.exe
1868	schtasks.exe
1716	schtasks.exe
1988	schtasks.exe
2420	schtasks.exe
1968	schtasks.exe
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
1604	powershell.exe
2928	powershell.exe
2212	powershell.exe
2360	powershell.exe
876	powershell.exe
3052	powershell.exe
880	powershell.exe
2052	powershell.exe
3040	powershell.exe
2264	powershell.exe
2580	spoolsv.exe
2416	spoolsv.exe
840	spoolsv.exe
1708	spoolsv.exe
2668	spoolsv.exe
2400	spoolsv.exe
768	spoolsv.exe
2860	spoolsv.exe
2468	spoolsv.exe
1244	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2580	spoolsv.exe
Token: SeDebugPrivilege	2416	spoolsv.exe
Token: SeDebugPrivilege	840	spoolsv.exe
Token: SeDebugPrivilege	1708	spoolsv.exe
Token: SeDebugPrivilege	2668	spoolsv.exe
Token: SeDebugPrivilege	2400	spoolsv.exe
Token: SeDebugPrivilege	768	spoolsv.exe
Token: SeDebugPrivilege	2860	spoolsv.exe
Token: SeDebugPrivilege	2468	spoolsv.exe
Token: SeDebugPrivilege	1244	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2928	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	59
PID 1836 wrote to memory of 2928	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	59
PID 1836 wrote to memory of 2928	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	59
PID 1836 wrote to memory of 1604	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	60
PID 1836 wrote to memory of 1604	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	60
PID 1836 wrote to memory of 1604	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	60
PID 1836 wrote to memory of 2212	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	61
PID 1836 wrote to memory of 2212	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	61
PID 1836 wrote to memory of 2212	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	61
PID 1836 wrote to memory of 2360	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	62
PID 1836 wrote to memory of 2360	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	62
PID 1836 wrote to memory of 2360	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	62
PID 1836 wrote to memory of 2052	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	63
PID 1836 wrote to memory of 2052	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	63
PID 1836 wrote to memory of 2052	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	63
PID 1836 wrote to memory of 3052	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	65
PID 1836 wrote to memory of 3052	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	65
PID 1836 wrote to memory of 3052	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	65
PID 1836 wrote to memory of 2264	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	67
PID 1836 wrote to memory of 2264	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	67
PID 1836 wrote to memory of 2264	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	67
PID 1836 wrote to memory of 880	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	68
PID 1836 wrote to memory of 880	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	68
PID 1836 wrote to memory of 880	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	68
PID 1836 wrote to memory of 876	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	69
PID 1836 wrote to memory of 876	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	69
PID 1836 wrote to memory of 876	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	69
PID 1836 wrote to memory of 3040	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	71
PID 1836 wrote to memory of 3040	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	71
PID 1836 wrote to memory of 3040	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	71
PID 1836 wrote to memory of 1232	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	79
PID 1836 wrote to memory of 1232	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	79
PID 1836 wrote to memory of 1232	1836	38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe	79
PID 1232 wrote to memory of 816	1232	cmd.exe	81
PID 1232 wrote to memory of 816	1232	cmd.exe	81
PID 1232 wrote to memory of 816	1232	cmd.exe	81
PID 1232 wrote to memory of 2580	1232	cmd.exe	82
PID 1232 wrote to memory of 2580	1232	cmd.exe	82
PID 1232 wrote to memory of 2580	1232	cmd.exe	82
PID 2580 wrote to memory of 960	2580	spoolsv.exe	83
PID 2580 wrote to memory of 960	2580	spoolsv.exe	83
PID 2580 wrote to memory of 960	2580	spoolsv.exe	83
PID 2580 wrote to memory of 1456	2580	spoolsv.exe	84
PID 2580 wrote to memory of 1456	2580	spoolsv.exe	84
PID 2580 wrote to memory of 1456	2580	spoolsv.exe	84
PID 960 wrote to memory of 2416	960	WScript.exe	85
PID 960 wrote to memory of 2416	960	WScript.exe	85
PID 960 wrote to memory of 2416	960	WScript.exe	85
PID 2416 wrote to memory of 1616	2416	spoolsv.exe	86
PID 2416 wrote to memory of 1616	2416	spoolsv.exe	86
PID 2416 wrote to memory of 1616	2416	spoolsv.exe	86
PID 2416 wrote to memory of 2136	2416	spoolsv.exe	87
PID 2416 wrote to memory of 2136	2416	spoolsv.exe	87
PID 2416 wrote to memory of 2136	2416	spoolsv.exe	87
PID 1616 wrote to memory of 840	1616	WScript.exe	88
PID 1616 wrote to memory of 840	1616	WScript.exe	88
PID 1616 wrote to memory of 840	1616	WScript.exe	88
PID 840 wrote to memory of 1556	840	spoolsv.exe	89
PID 840 wrote to memory of 1556	840	spoolsv.exe	89
PID 840 wrote to memory of 1556	840	spoolsv.exe	89
PID 840 wrote to memory of 2644	840	spoolsv.exe	90
PID 840 wrote to memory of 2644	840	spoolsv.exe	90
PID 840 wrote to memory of 2644	840	spoolsv.exe	90
PID 1556 wrote to memory of 1708	1556	WScript.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe
"C:\Users\Admin\AppData\Local\Temp\38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SqGJyhfLcw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:816
- - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc59324e-5014-4431-9f71-423174004022.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fdb1cad-089d-4fb3-b369-2ae6c06e48d1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a0246d-a8b5-4896-bacb-363a64e9d1d7.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\191e959e-ac2c-4a09-999f-98ee848d27c2.vbs"
        10⤵
        
        PID:2488
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4a0b72e-2baa-4531-a6da-40d88a8286ea.vbs"
        12⤵
        
        PID:1224
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca2f810f-a12d-4aab-8145-d0294d7b1d9b.vbs"
        14⤵
        
        PID:1560
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a41ee0fa-390a-4405-9c44-43bd209e2083.vbs"
        16⤵
        
        PID:2448
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72152d64-fd4f-4288-9433-47009ed991e2.vbs"
        18⤵
        
        PID:2264
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7813a4c2-8ddf-403e-89b2-2dd3e2192916.vbs"
        20⤵
        
        PID:932
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb97e09f-3451-425d-992b-787449f01710.vbs"
        22⤵
        
        PID:1872
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe"
        23⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3c2a538-f5fc-4cb6-9534-e87abc6e11b6.vbs"
        22⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd7003df-2f70-4763-91be-901f9c995227.vbs"
        20⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c66e2a1e-702c-41fa-908c-b4158520cddd.vbs"
        18⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdfcf52f-574c-4c5e-8daa-f374bf270372.vbs"
        16⤵
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\036e552e-6d15-42a5-b8ea-d32097fe1100.vbs"
        14⤵
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01e24af8-adc4-48c8-af3b-382296671094.vbs"
        12⤵
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ced71b6-6365-4517-a977-d95c147078aa.vbs"
        10⤵
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ae55061-6e96-4859-ac42-1f30afd80a85.vbs"
        8⤵
        
        PID:2644
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e13c3c12-aa68-4b40-846e-6e518e8627a3.vbs"
        6⤵
        
        PID:2136
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cac5617-ec40-443f-818e-d97229d50af3.vbs"
      4⤵
      PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\taskhost.exe

Filesize
1.6MB

MD5
111f5ca391dbb6975bda4499637dfc40

SHA1
be37695873510779ed02a9eff7c0676c4bcbd4f3

SHA256
f2dee37daa62e759f43205a4eb2820dc341daeed023b114c5901dedb0356f2f9

SHA512
04157d39a315cb360b0f57d28366794d317282067846a2876bf80fbd66c0a892294751e46ff85c307e583fb9062f6f48ecfb3378066e3339d6ba2ad7874962ab

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe

Filesize
1.6MB

MD5
38f861dde9adcb292ab747d998438b20

SHA1
0ace12fd6fda2f2663b5b2c83c9451ad439436e0

SHA256
38f5cbcb2feac76366e60af6e81dddb0732c39c03b973fcc158b0838fa545ba0

SHA512
3ce0f60b7031d2e5d3e108663d1c7b3d07bb467be1ec0b02e61e2e49161593e2700fec12d144ffaa7e2d1401b5adeb53bb3c1d8a3d48e711c1e5f9ecaa96513a

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe

Filesize
1.6MB

MD5
09cbbb5ee9bdffd6a4a604c4cdde0b8b

SHA1
f77aadf0e889d819ca2ae8d7e0056d6759db9a73

SHA256
5e3eb47b63189930347aea35bc758c52d135cc6c2f28d957539cc2b3ca290d98

SHA512
d9921a490a6367221d82cd30a5dc5b70e169e5fedeaeffc96cfa41be7eac8c7388d61216a67347c1a4bf7d2b411e777462bf8109a66c41990ca9a53b3ae4f0c4

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe

Filesize
1.6MB

MD5
0bb3fba6dcf5003138064417bb482378

SHA1
e840c10af49bfd70819ae9f46dedec09ff0f44a1

SHA256
b0f2076b6fa4e300e45611a20770c5cb1bd0e3b269eef56ab8980f43d7341357

SHA512
53f69bb91821e03b867a5110977d9994009f02a2d1eda3fc6e051a4777ea21dd54f5cfed8bdae3051939c6accb82b2a245683eee0d0456621aeae235dd6c12b5

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe

Filesize
1.6MB

MD5
6bbb7a22a0cc1d0981a70b67ff42e23a

SHA1
25b8b7d5829222e70a780ca81aa757f69a94b29a

SHA256
ca18e438d98da09feb39640fea8bc9fad8855268f0d2a84f58f5b330aee713c1

SHA512
e96fd4bd38a784d077109c9464a9b5e2b91ad74893499660501fc099a8f1635b06cd91c6e0ccb9804100de2a62c26b84e22a7432405f660f0c36d3800c821f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\191e959e-ac2c-4a09-999f-98ee848d27c2.vbs

Filesize
752B

MD5
6d60f2e1eec3e11722503d9cd166160e

SHA1
28696a422b43efda1c4b2aee4a577d6815bd4028

SHA256
77b52ac25a62ebc6b751e449b8620cc761f8642a59cdaf044eeff67bb802db3a

SHA512
aae98d4f7393caac9e81ddeaa2e7907e2e0c3418f97d976fd156420f9bef6d7d4f6eea9a495f96022476c645f593eb9744f45c396cb3a739ec5c339868e83890

Download Submit
C:\Users\Admin\AppData\Local\Temp\25a0246d-a8b5-4896-bacb-363a64e9d1d7.vbs

Filesize
751B

MD5
359346ac5ebb9aa3456293fab0e50087

SHA1
6cb46ddc4bd6178efff27c7e9083c1dcdfd974b9

SHA256
c32b860ccdc63de0c0aca000e7e05285925c003ee91b8d8aacb32a53eb229e80

SHA512
5e90d4f594f2c268de1a4d0f26469dc7d2800bcb96f5e1f69aeb86c10866c59d4a48c7daf4ea83ded18aafc97b446445a58a3eba5342d139118c9856b69d0ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fdb1cad-089d-4fb3-b369-2ae6c06e48d1.vbs

Filesize
752B

MD5
4440fb8f5a10852f92dd028fb44c2402

SHA1
2cf0c44b35490a649a82216d152d72be9e0d19cb

SHA256
306e935c36b731bab62881259faa3424d5ce267536f286ef3df331931d747b9c

SHA512
e19c5fb41da0204ee3663710017e3e96d8bc5cb6d0d4580c9e4fe8bcb05f66a440236c712882b7664044a8371dd449bd412e7d186e708d3db6be40ac025a6564

Download Submit
C:\Users\Admin\AppData\Local\Temp\72152d64-fd4f-4288-9433-47009ed991e2.vbs

Filesize
752B

MD5
1e79bc1f35722cb91157e992236e59de

SHA1
ff61882f338cbc2b3cd78972093453a9c933bcb4

SHA256
f139d95f632560ab8f71d2fbb32106c0418064b0c45808925ffdf7144f9d8660

SHA512
d78f122ffccdc8ae82cfbc7d38171930a2029d81e21fb0224ddc3cda6b1042ec6ab7de09f4e5adc2988314b05e05a49d85fc880fcc9c069a288b391d3f32cb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7813a4c2-8ddf-403e-89b2-2dd3e2192916.vbs

Filesize
752B

MD5
e6769bff330653ef1045b360e27b37a3

SHA1
3548eb109c09ac7c52000cf5d65d93fb6074c28a

SHA256
f63ee131c6175b4d4e6af63eeb68c4807900f9d5d81853900ee22eff231a42bc

SHA512
8e52787bda34a4e15e9f8dfafa859a58cddfcbbd6dfa26bcea5f4d04a2e18c26188c54ca1ed2007f4df6c7eaea267d8cbdb449319b6435c3a7227a191e553f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cac5617-ec40-443f-818e-d97229d50af3.vbs

Filesize
528B

MD5
41af6d46aabfefa674e4266b9a352520

SHA1
136912052549ddcce5d5e169ab49d7beb35951a0

SHA256
d5f88f293d9a5cd7e244605faf0f9527401945e42985dcc8ac5fcb8a0bad3014

SHA512
a442cc550ff0a40d8360fe2ed6586f2601e805188ded6e268227486961d997d9d71ea76ec8bd1de37e5548f29e0564afa481f2132e9595b38d3f0cb521cd0e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqGJyhfLcw.bat

Filesize
241B

MD5
5c1f969a7d01e631c9398afbda89369f

SHA1
82ca35774fc73771bf42aea602f55047c624f0aa

SHA256
d3d39e7bd74672843a83f72bce7c0db9ccf0704f3a68314e32c7d5b8c156fc50

SHA512
b98ed990db10cc50c5d85a830a4e800aa5858cbaed88d47c70548ede1493cf51316199c599fa2fd3ebcc67db7de74d86b8e5c908bc50d4003ea94404285c8418

Download Submit
C:\Users\Admin\AppData\Local\Temp\a41ee0fa-390a-4405-9c44-43bd209e2083.vbs

Filesize
751B

MD5
a85d41a4c5e9ea26425891767ede6672

SHA1
a235a45ce497d0b946a0e8318b9da6134fa155d2

SHA256
6eb4d3c307efbb4b885735d2065feed657be84bdfbac7c6fe8d3281612ce5a54

SHA512
36186fbf7cf06491c4311bbb0d827e43e7d9f33db745eabf9bd8bc9ae9e556286822234d57be8bb409f7b0baad38e2a8e4499866bd5174f43e59ebf7ffd589ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb97e09f-3451-425d-992b-787449f01710.vbs

Filesize
752B

MD5
a5aab0c1c1bfd6d9c8e338fd44518895

SHA1
dd12187764bb879e4d46cfcb8a4f2608549ddbeb

SHA256
f337d44d2b63addde19a40e07b01e17fa306d92838af933078e7710a7f05e9c9

SHA512
1be56cd10152365d7148e46ded2b4992c1cc5e8497da60d98eaa89e135b56bf21338ff600a62007bcc21d6db822af1e47412e19c320e78898dd5e8023bff05f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4a0b72e-2baa-4531-a6da-40d88a8286ea.vbs

Filesize
752B

MD5
ddf33fbd619462347b314af1de3f9309

SHA1
1697df5ddeb4f4dd5dd57ecefe7e868ed9fd1ed0

SHA256
64e2f492942725c64ceef75ccd2e196c809edae2c0b42ed24bafb936f8852124

SHA512
6da6be998e45ff3e4f82cface7212512d28b63c4f5c5e29d78e15ed92458c07384358c60885124161993b7d660ab86c1923da76bff04fa41cee8451c78c432d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca2f810f-a12d-4aab-8145-d0294d7b1d9b.vbs

Filesize
752B

MD5
593ab5abf511afe4097d63324c4f5e99

SHA1
db4c3f34ef595708ca97d51f0aa99ae525a15375

SHA256
11a7736b74bc718d2f6e1a3d5fcba0e2e2facb55462383afe3c256403a0be0ad

SHA512
11121229ea4958e245a952c85bb6a9b19906fa74b389cd2d87376abc82d4ddc463a1a7416fd7e8041de28a938c437466ec9cddd29c2d7527a7c1baeb20bda417

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc59324e-5014-4431-9f71-423174004022.vbs

Filesize
752B

MD5
f60697a8449f2294c5d4a1e4daf1a8ea

SHA1
8b3820f92718c15e882efe912e6add018ca8ce88

SHA256
8ba1cac2e2243e8855ad362e9a755a8e89ee7b66b608fc158628272d9932dee1

SHA512
fa9dd6dd15fe967aa418577dc416a7369cf7fc6415609323ecec4b09440e840b19d413bf652e866e13ef8879d07092d5573e76e1a29219ff47a77699ae9bc7cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3cc04d7501b4c557be00953e0067d8f5

SHA1
2fcab1df6f6880fed8fa36a828086e7123f9fc8f

SHA256
fa1d27a2a03c922201d51d35487f5a3609cf1c2073882b938b9e1263dfff316c

SHA512
07ad9886fd718fa5dbaeaca51a054a9b07de562c356cefe3756b757e51c497889b64677420477d945256674a95d57e8095758efbd5e31cfc72a417bf69880fbe

Download Submit
memory/768-271-0x0000000000A00000-0x0000000000BA2000-memory.dmp

Filesize
1.6MB

Download
memory/840-223-0x0000000001100000-0x00000000012A2000-memory.dmp

Filesize
1.6MB

Download
memory/1244-307-0x0000000000CB0000-0x0000000000E52000-memory.dmp

Filesize
1.6MB

Download
memory/1604-176-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1604-177-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1708-235-0x0000000001240000-0x00000000013E2000-memory.dmp

Filesize
1.6MB

Download
memory/1836-13-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1836-15-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1836-5-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/1836-1-0x0000000001120000-0x00000000012C2000-memory.dmp

Filesize
1.6MB

Download
memory/1836-7-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/1836-8-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/1836-2-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/1836-11-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/1836-12-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/1836-163-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/1836-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/1836-10-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/1836-9-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/1836-3-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/1836-16-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/1836-14-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/1836-4-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1836-6-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/2400-259-0x00000000000B0000-0x0000000000252000-memory.dmp

Filesize
1.6MB

Download
memory/2468-295-0x0000000000140000-0x00000000002E2000-memory.dmp

Filesize
1.6MB

Download
memory/2580-201-0x0000000000E10000-0x0000000000FB2000-memory.dmp

Filesize
1.6MB

Download
memory/2668-247-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download
memory/2860-283-0x0000000000A90000-0x0000000000C32000-memory.dmp

Filesize
1.6MB

Download
memory/2924-319-0x0000000001260000-0x0000000001402000-memory.dmp

Filesize
1.6MB

Download