dcrat | ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
135s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Size

885KB
MD5

cce068b8de20f89eb28352e1ce50beb0
SHA1

e9a9235ac140112623fc944d139f9940aa2bf082
SHA256

4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e
SHA512

09a04910138dce47f5688c4b210f40299225c1b31514e29ab20a80ab9e177d989c8049274f7d1699ca718bdcf895e171b8bd15917bae0f6d723d07d5c5cf424d
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1684	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1684	schtasks.exe	30

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral15/memory/1696-1-0x0000000000970000-0x0000000000A54000-memory.dmp	dcrat
behavioral15/files/0x0005000000019629-65.dat	dcrat
behavioral15/files/0x000700000001945c-117.dat	dcrat
behavioral15/files/0x00080000000194ad-136.dat	dcrat
behavioral15/memory/1836-147-0x0000000000020000-0x0000000000104000-memory.dmp	dcrat
behavioral15/files/0x0005000000019dcb-146.dat	dcrat
behavioral15/files/0x0005000000019379-18.dat	dcrat
behavioral15/memory/2200-159-0x0000000001300000-0x00000000013E4000-memory.dmp	dcrat
behavioral15/memory/672-171-0x00000000003F0000-0x00000000004D4000-memory.dmp	dcrat
behavioral15/memory/588-183-0x0000000000EF0000-0x0000000000FD4000-memory.dmp	dcrat
behavioral15/memory/960-206-0x0000000000120000-0x0000000000204000-memory.dmp	dcrat
behavioral15/memory/2332-218-0x0000000000840000-0x0000000000924000-memory.dmp	dcrat
behavioral15/memory/2560-230-0x0000000000F10000-0x0000000000FF4000-memory.dmp	dcrat
behavioral15/memory/1628-242-0x00000000002E0000-0x00000000003C4000-memory.dmp	dcrat
behavioral15/memory/2592-254-0x0000000000820000-0x0000000000904000-memory.dmp	dcrat
behavioral15/memory/1952-266-0x0000000000C60000-0x0000000000D44000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
1836	lsm.exe
2200	lsm.exe
672	lsm.exe
588	lsm.exe
264	lsm.exe
960	lsm.exe
2332	lsm.exe
2560	lsm.exe
1628	lsm.exe
2592	lsm.exe
1952	lsm.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsm.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\101b941d020240	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXC821.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXC822.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXC895.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXC896.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXC917.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXC986.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files (x86)\Microsoft.NET\sppsvc.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\sppsvc.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files (x86)\Microsoft.NET\0a1fd5f707cd16	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\101b941d020240	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\audiodg.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Windows\ModemLogs\42af1c969fbb7b	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Windows\TAPI\RCXC825.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Windows\TAPI\RCXC894.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Windows\ModemLogs\RCXC899.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File opened for modification	C:\Windows\ModemLogs\RCXC8A9.tmp	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Windows\TAPI\sppsvc.exe	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
File created	C:\Windows\TAPI\0a1fd5f707cd16	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2592	schtasks.exe
2640	schtasks.exe
2872	schtasks.exe
2060	schtasks.exe
1716	schtasks.exe
2776	schtasks.exe
2292	schtasks.exe
2992	schtasks.exe
2584	schtasks.exe
2708	schtasks.exe
2940	schtasks.exe
1440	schtasks.exe
2780	schtasks.exe
2604	schtasks.exe
2732	schtasks.exe
108	schtasks.exe
1904	schtasks.exe
1780	schtasks.exe
2772	schtasks.exe
2784	schtasks.exe
2040	schtasks.exe
3064	schtasks.exe
2464	schtasks.exe
2788	schtasks.exe
1740	schtasks.exe
2252	schtasks.exe
2884	schtasks.exe
1032	schtasks.exe
908	schtasks.exe
1808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1696	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
1836	lsm.exe
2200	lsm.exe
672	lsm.exe
588	lsm.exe
264	lsm.exe
960	lsm.exe
2332	lsm.exe
2560	lsm.exe
1628	lsm.exe
2592	lsm.exe
1952	lsm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Token: SeDebugPrivilege	1836	lsm.exe
Token: SeDebugPrivilege	2200	lsm.exe
Token: SeDebugPrivilege	672	lsm.exe
Token: SeDebugPrivilege	588	lsm.exe
Token: SeDebugPrivilege	264	lsm.exe
Token: SeDebugPrivilege	960	lsm.exe
Token: SeDebugPrivilege	2332	lsm.exe
Token: SeDebugPrivilege	2560	lsm.exe
Token: SeDebugPrivilege	1628	lsm.exe
Token: SeDebugPrivilege	2592	lsm.exe
Token: SeDebugPrivilege	1952	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1836	1696	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe	62
PID 1696 wrote to memory of 1836	1696	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe	62
PID 1696 wrote to memory of 1836	1696	4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe	62
PID 1836 wrote to memory of 2300	1836	lsm.exe	63
PID 1836 wrote to memory of 2300	1836	lsm.exe	63
PID 1836 wrote to memory of 2300	1836	lsm.exe	63
PID 1836 wrote to memory of 3000	1836	lsm.exe	64
PID 1836 wrote to memory of 3000	1836	lsm.exe	64
PID 1836 wrote to memory of 3000	1836	lsm.exe	64
PID 2300 wrote to memory of 2200	2300	WScript.exe	65
PID 2300 wrote to memory of 2200	2300	WScript.exe	65
PID 2300 wrote to memory of 2200	2300	WScript.exe	65
PID 2200 wrote to memory of 2636	2200	lsm.exe	66
PID 2200 wrote to memory of 2636	2200	lsm.exe	66
PID 2200 wrote to memory of 2636	2200	lsm.exe	66
PID 2200 wrote to memory of 2696	2200	lsm.exe	67
PID 2200 wrote to memory of 2696	2200	lsm.exe	67
PID 2200 wrote to memory of 2696	2200	lsm.exe	67
PID 2636 wrote to memory of 672	2636	WScript.exe	68
PID 2636 wrote to memory of 672	2636	WScript.exe	68
PID 2636 wrote to memory of 672	2636	WScript.exe	68
PID 672 wrote to memory of 444	672	lsm.exe	69
PID 672 wrote to memory of 444	672	lsm.exe	69
PID 672 wrote to memory of 444	672	lsm.exe	69
PID 672 wrote to memory of 2556	672	lsm.exe	70
PID 672 wrote to memory of 2556	672	lsm.exe	70
PID 672 wrote to memory of 2556	672	lsm.exe	70
PID 444 wrote to memory of 588	444	WScript.exe	71
PID 444 wrote to memory of 588	444	WScript.exe	71
PID 444 wrote to memory of 588	444	WScript.exe	71
PID 588 wrote to memory of 1356	588	lsm.exe	72
PID 588 wrote to memory of 1356	588	lsm.exe	72
PID 588 wrote to memory of 1356	588	lsm.exe	72
PID 588 wrote to memory of 1236	588	lsm.exe	73
PID 588 wrote to memory of 1236	588	lsm.exe	73
PID 588 wrote to memory of 1236	588	lsm.exe	73
PID 1356 wrote to memory of 264	1356	WScript.exe	74
PID 1356 wrote to memory of 264	1356	WScript.exe	74
PID 1356 wrote to memory of 264	1356	WScript.exe	74
PID 264 wrote to memory of 2320	264	lsm.exe	75
PID 264 wrote to memory of 2320	264	lsm.exe	75
PID 264 wrote to memory of 2320	264	lsm.exe	75
PID 264 wrote to memory of 1584	264	lsm.exe	76
PID 264 wrote to memory of 1584	264	lsm.exe	76
PID 264 wrote to memory of 1584	264	lsm.exe	76
PID 2320 wrote to memory of 960	2320	WScript.exe	77
PID 2320 wrote to memory of 960	2320	WScript.exe	77
PID 2320 wrote to memory of 960	2320	WScript.exe	77
PID 960 wrote to memory of 2684	960	lsm.exe	78
PID 960 wrote to memory of 2684	960	lsm.exe	78
PID 960 wrote to memory of 2684	960	lsm.exe	78
PID 960 wrote to memory of 2564	960	lsm.exe	79
PID 960 wrote to memory of 2564	960	lsm.exe	79
PID 960 wrote to memory of 2564	960	lsm.exe	79
PID 2684 wrote to memory of 2332	2684	WScript.exe	80
PID 2684 wrote to memory of 2332	2684	WScript.exe	80
PID 2684 wrote to memory of 2332	2684	WScript.exe	80
PID 2332 wrote to memory of 1916	2332	lsm.exe	81
PID 2332 wrote to memory of 1916	2332	lsm.exe	81
PID 2332 wrote to memory of 1916	2332	lsm.exe	81
PID 2332 wrote to memory of 1808	2332	lsm.exe	82
PID 2332 wrote to memory of 1808	2332	lsm.exe	82
PID 2332 wrote to memory of 1808	2332	lsm.exe	82
PID 1916 wrote to memory of 2560	1916	WScript.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
"C:\Users\Admin\AppData\Local\Temp\4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
  "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b5ecc55-a1ae-4ee3-8e46-c2b5c8b9d2d7.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ab1f4b0-fa34-40e3-81cc-3ef42834a46f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdf9143b-58de-498a-a57b-e172b1887cda.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8d71fd5-5d71-44cb-a712-65925599ac7c.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa7d1d1b-e739-4778-8041-4d5328dcbdcd.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5085b55-1364-4c9f-ab53-e02a658badfb.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12779149-7879-490a-b679-282309868756.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5af857bd-af65-47a0-b039-63a5b4c9f868.vbs"
        17⤵
        
        PID:1844
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b08fa9a0-e910-40fc-9f20-904ce495fed2.vbs"
        19⤵
        
        PID:1544
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27e8e4c3-4d3a-435b-a6c4-3c48bcc56a3f.vbs"
        21⤵
        
        PID:2752
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72719baa-e685-4a3a-8269-1c404eda6ebf.vbs"
        23⤵
        
        PID:2964
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe"
        24⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0ea9aac-a17a-4885-a2db-436f322fe736.vbs"
        25⤵
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa596496-82d0-4051-baea-91c20096dd40.vbs"
        25⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2542b797-59dd-4342-834b-76986663f4a6.vbs"
        23⤵
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5948c7f-b873-48eb-a26b-22792f4e2b24.vbs"
        21⤵
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a69c225b-1639-4066-9021-60fbd38a410a.vbs"
        19⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22197a7d-eddd-4d42-b105-8bfda8b61c52.vbs"
        17⤵
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\634a0f31-345a-4ffa-bfe7-fd88bac5f2f6.vbs"
        15⤵
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6403de29-50a2-4e84-99fd-a43baa57d856.vbs"
        13⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20834340-4e4f-4ff0-afc9-e30457a5e148.vbs"
        11⤵
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\def1e421-9a3b-4584-b8a9-f67e43844664.vbs"
        9⤵
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41ff0746-394f-4552-9cbd-b1ae767b99d4.vbs"
        7⤵
        
        PID:2556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\052791ee-31f0-466a-9a39-d084206ef453.vbs"
        5⤵
        
        PID:2696
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d004bb89-10a6-45e2-85a2-e4928eb9d80e.vbs"
    3⤵
    PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\lsm.exe

Filesize
885KB

MD5
fd8844f20571f82fa74057b698862e94

SHA1
4e7013317ec5c309387c064a777bc8d2556fd3d2

SHA256
acecb07d18728e8d48bec8aaca87e1200cf6e6586129b559ebf753e06d5ce5e1

SHA512
fbf4f64cf010cd7783b14a6ee58dc4ed571acd13af191a37946beb24fa3b61cbb881487d9c80e38b6707b9abdc04401af5e488985b00ac711943100c2880598f

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe

Filesize
885KB

MD5
fdeddfc75ca245d2ce2aceff82c9bc43

SHA1
bdaf591d8091850f5547d62a69b87d3abe2e3643

SHA256
bc0ab847e0c91c7b3bb70fdb7f764143f808ac3d687de56a74a8be875070bff0

SHA512
5284c99f5e5277ef2493b5481c285642b701372e35850b218231fccea52879e5f68343abec012160efdf7d011b170b2d1cdb53c5ef8e6562ea50af9629b50e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b5ecc55-a1ae-4ee3-8e46-c2b5c8b9d2d7.vbs

Filesize
749B

MD5
c659a6ff9d22b736713cf2bf1878f0fa

SHA1
7c9765e23a330925f9bcd6f0b0bf9511ecf3f5a1

SHA256
1c8b8d6b48b16db4b79b2039dd64cdbd08cd0817d7983c17b07704f420099c32

SHA512
bc1e15c62deeda328bcdab534f41f7d7f8b520768a13810088e7711111d8d7a1d176ddfb74ba9eb5bfaa76b22ed284e52e1bc0ba5d93ee80de64f4c4eb09952f

Download Submit
C:\Users\Admin\AppData\Local\Temp\12779149-7879-490a-b679-282309868756.vbs

Filesize
749B

MD5
eef579beef35c18d4fd920827019207d

SHA1
7f5e5f9f33063046228edd816d7eb6a56876d83d

SHA256
ef3be2b8e3dafc70308dd227834796ca1ebe15f12fc422052c587d1b61ee3534

SHA512
4a321c6718e929e1c08eb0c545e141ea2afdf3d804de6f33b7333affea7870194f90d989a061e855889f8da0a935dbc0c06851f72c3abaa514d24e50212ef8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\27e8e4c3-4d3a-435b-a6c4-3c48bcc56a3f.vbs

Filesize
749B

MD5
cc2aec71962615870752407485b1756d

SHA1
4062ed0ec18783e90d8dea615d35f212ee4d1663

SHA256
2aeebed698253439151c354595fe4e2999d1e8fbc8a91b53a8024df85def2b21

SHA512
ee9b5ea7dc1e30a1f1fd360d0822298de7e2096063aff701756aabe6b58e3c3c9da7563ab1a4d4bb7e84edea15c3fb3cc805232365dcfdb1f272fa6a9a15eb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ab1f4b0-fa34-40e3-81cc-3ef42834a46f.vbs

Filesize
749B

MD5
e5b46a0009ba0b9a1c74d19ef5518407

SHA1
b75f6b82fa73f4f5bbb78717ba4e54024a6d1780

SHA256
416ff60a474005a5aa9ee9a7f8bfdc95c1248482f6c470e33d90f77e8f92e801

SHA512
ea9d388d28402a2d1c728581d9588aebcd4ebeab6a828837b16e07b8fa02fe3900384707195ca7dcfc9abb0ff316a0b3e1d6db90cf312a306f999d1e5bef1a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5af857bd-af65-47a0-b039-63a5b4c9f868.vbs

Filesize
749B

MD5
a53b819b320cd624dc78b906d7c2e9e7

SHA1
10fa74153366c52d1a8f5c787a3f8b9cf8d70a48

SHA256
ef0b663fc879c0077ed08e3337516e7e9fc983bc4e476458777311d7b17cbcc7

SHA512
92d119a1d7b095364cb9bc6e5a044a4c3c8771f8d8eff2ee2397784e2ded5d53e614b7d381e7c260d81019062e8b39cf348462ef20c5a8fe708af026c22b3b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\72719baa-e685-4a3a-8269-1c404eda6ebf.vbs

Filesize
749B

MD5
edc3ff84d0efe95cd664a091c7ef3ad9

SHA1
d0ea29370667d6090b83cbceee2ff8d6907b777c

SHA256
1b3c88c230a024f628ea20f273e0d48d1001c0cea5d7ef861d8d35e41c566307

SHA512
b5854ee56afded218b1d556d2141c79247abe66408ef4dc8f5cfb70ca64f53e18d3952e98999dffaac6c985006e8bbd5943c4c18a68b6dc25fba0fb30ef0c413

Download Submit
C:\Users\Admin\AppData\Local\Temp\b08fa9a0-e910-40fc-9f20-904ce495fed2.vbs

Filesize
749B

MD5
50179b1d59660ca2436f352f9b9b1e35

SHA1
df5487a92f615b62551daf3309eb2676ddbf5604

SHA256
4b62d1fa102f468b6a9c59ec4d3bb284018ff7c8b2dd52c2514fec997b62ca13

SHA512
ffd5e6e5c47849454bd0ced6697c7801b578dc66b306e32d0a34b0b38c83ad8546cfbc7557ba656c097782fc9d22f024751242443dca7a303ba3c3a2594230d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5085b55-1364-4c9f-ab53-e02a658badfb.vbs

Filesize
748B

MD5
d4c3656e3e8e2adb9e731b8005aabcbe

SHA1
fc8094f1dfd789efcafff1ec8fbc796be97e956e

SHA256
9ddb4e1d2133138514a864441dd2e890fea218ed1a6ee6cf80bac9795de22bcf

SHA512
e1d4c7132ee2877fe85d5596ce83094f84409bc8a96d1c6f722eade019780866059f40e32adfb529db9e1a8b8e81547f947b9a310d70622c1e8970f0d426e912

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdf9143b-58de-498a-a57b-e172b1887cda.vbs

Filesize
748B

MD5
4a1d38e77af0dd1adedc937f60a07943

SHA1
a3d6888716f2fac49e6d338cb5a6eace22214a4e

SHA256
4a287fa0753ee12ad11ef30f8c94a4ea31b617964dc3dc986ffebfdc76479e87

SHA512
656dbf9deee86dfabc7d5b515ae74c2f9c896a311780a4d07ad504c39aa418e65eb415f3c1193746174b74b6eca5aecd701253b201b043eb1dd929bb9818ec9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d004bb89-10a6-45e2-85a2-e4928eb9d80e.vbs

Filesize
525B

MD5
91bdd6cbd34c6032e274a6136b6ce82d

SHA1
e986ed79bd90eec32316c6d832afe4e23f8a36fc

SHA256
009f1178dd9e8b55083c6e8afe704f4ca34d929e8c6764d2fad82caf72edfd2a

SHA512
3360a7dae46058a0a7b5ba8ae0fa5d9c7adbe936bb495b8fbb53a4eb26ec427d898c24643d142c3df04eee2ce84afed45bbcfc99c64ee50ae551560558c2a6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0ea9aac-a17a-4885-a2db-436f322fe736.vbs

Filesize
749B

MD5
63cd8a26c9c33168c12474164675ca9f

SHA1
64b8e7e2c25ee8bd819cf561d0da6c9f290ba285

SHA256
f0346769e98f0786bc731ea14e88bdc24e727ec39dc4f941112f20f904a5ae97

SHA512
2529addc62dcf29e247e58f6cc735cbd9cf823564d604a72758f68d0cf5b66d673bd7bbf64a5a6931b2e49217aaf24f3892915db8df822ece0302d1aaf691e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8d71fd5-5d71-44cb-a712-65925599ac7c.vbs

Filesize
748B

MD5
75a14af84458e0189cdfda837b6ef3c4

SHA1
cfe5d8ad0500384ccf6d8ac4b5a0eb29b8c19269

SHA256
e25fbc34ed520b708e993b3f04a3964d89ce5517368a3fffbdfc6b661ae3cc07

SHA512
15bd43a1d2ae8e191d6be2accaf217521db31a1f1a12962a278d0f6f8ab3e97424eb529133aaeaf609d09b8825f165f249544ba28df10fc22fb7b7700b88f5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa7d1d1b-e739-4778-8041-4d5328dcbdcd.vbs

Filesize
748B

MD5
a158ebc6549935155bd9e49f4e8f8170

SHA1
d3a3c72d5f247fd9720f883caffe5c39e0c89fd3

SHA256
bf90a812c69ca74ff19304fd0f02569f2932cc3b3c9b13f7bb0618cbc8720db0

SHA512
75abfb7313712aa5e3f0965b99e56cdc3eecda3e5e20f586e6add218eca8b849f1c4f78cb641a4aeec63330b9c0d8b7aabcf6666a6c8368daa299d99f004ec14

Download Submit
C:\Users\Default\winlogon.exe

Filesize
885KB

MD5
a7907b130e812fa0c17f7b33f1c5306a

SHA1
83663ea1f867b72f13dd24258f845175fd840f61

SHA256
673de02a84fe38f0b2070932eed9544115ce770bb71d44ff7ef01f9b99a9816d

SHA512
9d2bc22e26622903eac1668f5bd7491065c2666b9928516259541a5591bec8c3d0f66cc79c183fec91e84ba9175e91c23096691f789f8f59bd075e71235e5067

Download Submit
C:\Users\Public\Documents\smss.exe

Filesize
885KB

MD5
cce068b8de20f89eb28352e1ce50beb0

SHA1
e9a9235ac140112623fc944d139f9940aa2bf082

SHA256
4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e

SHA512
09a04910138dce47f5688c4b210f40299225c1b31514e29ab20a80ab9e177d989c8049274f7d1699ca718bdcf895e171b8bd15917bae0f6d723d07d5c5cf424d

Download Submit
C:\Windows\TAPI\sppsvc.exe

Filesize
885KB

MD5
762d7d2fff92abbb4265fdb901ffd9ca

SHA1
eebf361e81468927ed4678301e6178ded4345438

SHA256
ab9507e0021e74102bf90377487a6a499211d033b83f86afa1cd98b0d2cfe442

SHA512
9466cc6baa454353dd3c7335e41ba5d90972c948f46a6bad66cea549dd067d3bb6f3a74ec11864f9b4072859d4929518256421cb992ad0c296efc2e690981348

Download Submit
memory/588-183-0x0000000000EF0000-0x0000000000FD4000-memory.dmp

Filesize
912KB

Download
memory/672-171-0x00000000003F0000-0x00000000004D4000-memory.dmp

Filesize
912KB

Download
memory/960-206-0x0000000000120000-0x0000000000204000-memory.dmp

Filesize
912KB

Download
memory/1628-242-0x00000000002E0000-0x00000000003C4000-memory.dmp

Filesize
912KB

Download
memory/1696-4-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1696-8-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/1696-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/1696-6-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/1696-148-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1696-7-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/1696-1-0x0000000000970000-0x0000000000A54000-memory.dmp

Filesize
912KB

Download
memory/1696-9-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/1696-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1696-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/1696-5-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/1836-147-0x0000000000020000-0x0000000000104000-memory.dmp

Filesize
912KB

Download
memory/1952-266-0x0000000000C60000-0x0000000000D44000-memory.dmp

Filesize
912KB

Download
memory/2200-159-0x0000000001300000-0x00000000013E4000-memory.dmp

Filesize
912KB

Download
memory/2332-218-0x0000000000840000-0x0000000000924000-memory.dmp

Filesize
912KB

Download
memory/2560-230-0x0000000000F10000-0x0000000000FF4000-memory.dmp

Filesize
912KB

Download
memory/2592-254-0x0000000000820000-0x0000000000904000-memory.dmp

Filesize
912KB

Download