dcrat | 63b2109d651e58bdceb6dcd68821e723f4a5ce45875405cf395ff04937ea26b8

Analysis

max time kernel
149s
max time network
158s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
Size

1.6MB
MD5

4d0d9e2f3b8a29bd81895302e6b96923
SHA1

400acf93d23144e814d99769db2796e71b802c42
SHA256

9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7
SHA512

6284cb80bfde21bdcd41b0474a92b5f5516a92bfb77256cf6fda6072b4de483334480d4e66f556a861d2592077ece71578e9cae224639c4ad63818f578637913
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2868	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2524-1-0x0000000000F40000-0x00000000010E2000-memory.dmp	dcrat
behavioral1/files/0x000500000001a41c-25.dat	dcrat
behavioral1/files/0x000600000001a4ac-70.dat	dcrat
behavioral1/files/0x0007000000019f4e-81.dat	dcrat
behavioral1/files/0x000900000001a325-104.dat	dcrat
behavioral1/files/0x000700000001a41e-113.dat	dcrat
behavioral1/memory/2612-168-0x0000000000C30000-0x0000000000DD2000-memory.dmp	dcrat
behavioral1/memory/1976-185-0x0000000000220000-0x00000000003C2000-memory.dmp	dcrat
behavioral1/memory/2900-197-0x0000000000AF0000-0x0000000000C92000-memory.dmp	dcrat
behavioral1/memory/2672-209-0x0000000000BA0000-0x0000000000D42000-memory.dmp	dcrat
behavioral1/memory/2112-221-0x0000000000030000-0x00000000001D2000-memory.dmp	dcrat
behavioral1/memory/956-233-0x00000000008F0000-0x0000000000A92000-memory.dmp	dcrat
behavioral1/memory/2620-245-0x0000000000B00000-0x0000000000CA2000-memory.dmp	dcrat
behavioral1/memory/1908-290-0x0000000000F60000-0x0000000001102000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1540	powershell.exe
2244	powershell.exe
2172	powershell.exe
2056	powershell.exe
788	powershell.exe
1692	powershell.exe
1636	powershell.exe
1624	powershell.exe
1272	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2612	lsass.exe
1976	lsass.exe
2900	lsass.exe
2672	lsass.exe
2112	lsass.exe
956	lsass.exe
2620	lsass.exe
3020	lsass.exe
1520	lsass.exe
2292	lsass.exe
1908	lsass.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\101b941d020240	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXA28E.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\570e96430f9abd	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCX9C03.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCX9C04.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXA773.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA9F5.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\cc11b995f2a76d	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA987.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXA2FC.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXA705.tmp	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\System.exe	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1648	schtasks.exe
3016	schtasks.exe
1932	schtasks.exe
1324	schtasks.exe
2736	schtasks.exe
2860	schtasks.exe
2140	schtasks.exe
2656	schtasks.exe
2644	schtasks.exe
3008	schtasks.exe
1564	schtasks.exe
2628	schtasks.exe
2676	schtasks.exe
1928	schtasks.exe
1684	schtasks.exe
2200	schtasks.exe
3028	schtasks.exe
1372	schtasks.exe
2840	schtasks.exe
1676	schtasks.exe
2768	schtasks.exe
1228	schtasks.exe
1992	schtasks.exe
1980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
1636	powershell.exe
1692	powershell.exe
2244	powershell.exe
1540	powershell.exe
1272	powershell.exe
2172	powershell.exe
2056	powershell.exe
1624	powershell.exe
788	powershell.exe
2612	lsass.exe
1976	lsass.exe
2900	lsass.exe
2672	lsass.exe
2112	lsass.exe
956	lsass.exe
2620	lsass.exe
3020	lsass.exe
1520	lsass.exe
2292	lsass.exe
1908	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2612	lsass.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	1976	lsass.exe
Token: SeDebugPrivilege	2900	lsass.exe
Token: SeDebugPrivilege	2672	lsass.exe
Token: SeDebugPrivilege	2112	lsass.exe
Token: SeDebugPrivilege	956	lsass.exe
Token: SeDebugPrivilege	2620	lsass.exe
Token: SeDebugPrivilege	3020	lsass.exe
Token: SeDebugPrivilege	1520	lsass.exe
Token: SeDebugPrivilege	2292	lsass.exe
Token: SeDebugPrivilege	1908	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1624	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	55
PID 2524 wrote to memory of 1624	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	55
PID 2524 wrote to memory of 1624	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	55
PID 2524 wrote to memory of 1540	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	56
PID 2524 wrote to memory of 1540	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	56
PID 2524 wrote to memory of 1540	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	56
PID 2524 wrote to memory of 1636	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	57
PID 2524 wrote to memory of 1636	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	57
PID 2524 wrote to memory of 1636	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	57
PID 2524 wrote to memory of 1272	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	59
PID 2524 wrote to memory of 1272	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	59
PID 2524 wrote to memory of 1272	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	59
PID 2524 wrote to memory of 1692	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	61
PID 2524 wrote to memory of 1692	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	61
PID 2524 wrote to memory of 1692	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	61
PID 2524 wrote to memory of 788	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	63
PID 2524 wrote to memory of 788	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	63
PID 2524 wrote to memory of 788	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	63
PID 2524 wrote to memory of 2244	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	64
PID 2524 wrote to memory of 2244	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	64
PID 2524 wrote to memory of 2244	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	64
PID 2524 wrote to memory of 2172	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	65
PID 2524 wrote to memory of 2172	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	65
PID 2524 wrote to memory of 2172	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	65
PID 2524 wrote to memory of 2056	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	66
PID 2524 wrote to memory of 2056	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	66
PID 2524 wrote to memory of 2056	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	66
PID 2524 wrote to memory of 2612	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	73
PID 2524 wrote to memory of 2612	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	73
PID 2524 wrote to memory of 2612	2524	9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe	73
PID 2612 wrote to memory of 2280	2612	lsass.exe	74
PID 2612 wrote to memory of 2280	2612	lsass.exe	74
PID 2612 wrote to memory of 2280	2612	lsass.exe	74
PID 2612 wrote to memory of 2904	2612	lsass.exe	75
PID 2612 wrote to memory of 2904	2612	lsass.exe	75
PID 2612 wrote to memory of 2904	2612	lsass.exe	75
PID 2280 wrote to memory of 1976	2280	WScript.exe	77
PID 2280 wrote to memory of 1976	2280	WScript.exe	77
PID 2280 wrote to memory of 1976	2280	WScript.exe	77
PID 1976 wrote to memory of 2204	1976	lsass.exe	78
PID 1976 wrote to memory of 2204	1976	lsass.exe	78
PID 1976 wrote to memory of 2204	1976	lsass.exe	78
PID 1976 wrote to memory of 660	1976	lsass.exe	79
PID 1976 wrote to memory of 660	1976	lsass.exe	79
PID 1976 wrote to memory of 660	1976	lsass.exe	79
PID 2204 wrote to memory of 2900	2204	WScript.exe	80
PID 2204 wrote to memory of 2900	2204	WScript.exe	80
PID 2204 wrote to memory of 2900	2204	WScript.exe	80
PID 2900 wrote to memory of 2912	2900	lsass.exe	81
PID 2900 wrote to memory of 2912	2900	lsass.exe	81
PID 2900 wrote to memory of 2912	2900	lsass.exe	81
PID 2900 wrote to memory of 1912	2900	lsass.exe	82
PID 2900 wrote to memory of 1912	2900	lsass.exe	82
PID 2900 wrote to memory of 1912	2900	lsass.exe	82
PID 2912 wrote to memory of 2672	2912	WScript.exe	83
PID 2912 wrote to memory of 2672	2912	WScript.exe	83
PID 2912 wrote to memory of 2672	2912	WScript.exe	83
PID 2672 wrote to memory of 1704	2672	lsass.exe	84
PID 2672 wrote to memory of 1704	2672	lsass.exe	84
PID 2672 wrote to memory of 1704	2672	lsass.exe	84
PID 2672 wrote to memory of 2588	2672	lsass.exe	85
PID 2672 wrote to memory of 2588	2672	lsass.exe	85
PID 2672 wrote to memory of 2588	2672	lsass.exe	85
PID 1704 wrote to memory of 2112	1704	WScript.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe
"C:\Users\Admin\AppData\Local\Temp\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
  "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a05dd963-d4ae-480e-adbe-4cef5cfaabe5.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
      C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c24ec46d-7532-44c8-9a3e-22b0c2c1258b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5d9056e-e95c-433e-bc95-b7b072e8b1e3.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1903fbb0-1447-4a38-be01-f82f26c2ccf6.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a39acb0-3411-470d-bd3b-7fed4829c514.vbs"
        11⤵
        
        PID:2580
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b29ba988-ddc7-4e2c-ad5c-614af789c4f6.vbs"
        13⤵
        
        PID:1008
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8de5900-8744-4c5d-a228-a211985b4b5b.vbs"
        15⤵
        
        PID:2908
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96a41540-6d80-4310-986d-f9a31d8fa6a1.vbs"
        17⤵
        
        PID:564
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb95b207-9aa0-4d93-8d24-21ec9c914fe0.vbs"
        19⤵
        
        PID:1240
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e31a0791-00e8-414e-8955-f7b0b20ec500.vbs"
        21⤵
        
        PID:936
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f0d537f-e04f-4867-beaf-b460cc204c87.vbs"
        23⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a96ec76c-ccad-467a-8388-14496b650dba.vbs"
        23⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92d9ca43-439f-46d9-92f2-f0820f373da3.vbs"
        21⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96f9be42-b535-442e-9141-4cded3fe338b.vbs"
        19⤵
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9567ad8b-42f0-4158-8843-f8561bf8edb6.vbs"
        17⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e65e116f-bd5b-4dd5-9665-e5bc9a2d5204.vbs"
        15⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13f02cdb-7aa4-463e-9a50-ee71ffc059b6.vbs"
        13⤵
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de5e998a-a198-4670-a440-799eb311d918.vbs"
        11⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d223c4ef-a0c9-476c-9418-5efca903eac5.vbs"
        9⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbce1519-7671-41f4-8f99-a195e399026e.vbs"
        7⤵
        
        PID:1912
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3977a979-e181-4883-8dbd-3e18317da539.vbs"
        5⤵
        
        PID:660
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c74dbba6-5a8c-4d12-b55f-bd37d6b39e25.vbs"
    3⤵
    PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae79" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae79" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\en-US\9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\de-DE\lsm.exe

Filesize
1.6MB

MD5
1451044a50457c5884a637760b5765c6

SHA1
19b023b3fca503cc576251636ef3bbca3753782c

SHA256
f6dd64804cc1dfc95b79cf59ea251fdc9b8a49de21dd696afb90f23f05802cde

SHA512
c06d121a0fc115dfae5ae977a720d9f3c4de239bd4722c1fc16c9c2b265170d34a463a24d73ff2d23eef1d4065a4d015e6b2e1a2d72d16caa048a52795c8608e

Download Submit
C:\Program Files (x86)\Internet Explorer\de-DE\winlogon.exe

Filesize
1.6MB

MD5
a974094fdf0c0ee7637624570f03c238

SHA1
d99123b67e039c53f4fdfcd65dc46ce036e2fb2e

SHA256
d7a9b7cecb3b9cf0867e495ee85de4c8858f0cc175914111b745e606042f8c21

SHA512
70714307ccb62b81d5140d47f4995a3297e4713a7ecb2619e3db8683eac813bd79279c62770270e5f5d8e778450de791257cee7acca1ae1270561d03a1aa3e50

Download Submit
C:\Program Files (x86)\Windows Portable Devices\System.exe

Filesize
1.6MB

MD5
34c8fdf59f237473829a36d2af5ddff1

SHA1
d0594bf07425b06b9151af0e458f272b454a3e11

SHA256
09af5e7aa71438cdff66fb5c13f43a03eb241dadda2917af1db337742219a01e

SHA512
db69133ffead80c602143868eee10e9aefc3c5bade2e99bb9d3384ddb3e95b76e0f0a513d0a3856fb80fd312e8afa90cbe3db9ed7811bd3978483d0c23b99155

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\System.exe

Filesize
1.6MB

MD5
4d0d9e2f3b8a29bd81895302e6b96923

SHA1
400acf93d23144e814d99769db2796e71b802c42

SHA256
9e0a427b0baf95dffaf2f1cbdf9772d2bb5f8c0f7b4b1d9a8d8072ffed2e9ae7

SHA512
6284cb80bfde21bdcd41b0474a92b5f5516a92bfb77256cf6fda6072b4de483334480d4e66f556a861d2592077ece71578e9cae224639c4ad63818f578637913

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe

Filesize
1.6MB

MD5
59d109eb92f2df874450ee549e1f3fb1

SHA1
defb46ff189ed74f37db8608f9236c744eac9054

SHA256
24cd2f65937215efe5cdf0f17761a38bd2dfcf58a1635f908138c894018d5df7

SHA512
7ed959c7a20968b2f91886749bff7c8875b48c357da448ea0dca33231af9afb16b095cee221024bc9b368269a4c8d9b13df12010b83a60ae646c2e230fd81362

Download Submit
C:\Users\Admin\AppData\Local\Temp\1903fbb0-1447-4a38-be01-f82f26c2ccf6.vbs

Filesize
734B

MD5
300f9e005c9f4c62daf8734c587ea607

SHA1
a28eba81942294e0b771b148e6dca8e66a2e70d1

SHA256
124f9247b0e7213d1571a12631e14611b2584de43fa23e0e06a32414df679b70

SHA512
ccc739b272d697f73f6c708931e0ded4a671ec6890245fbe37d4963f5a7f66e0897b952c69a05d7a6911cea4ed3b32bb22bef01ba179253cc68983627cf85601

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f0d537f-e04f-4867-beaf-b460cc204c87.vbs

Filesize
734B

MD5
95fe1bdb160212bab0711c36a7026add

SHA1
242d93b22516e61391edde30e9df8d447e8898fe

SHA256
8e97b0e9e825e9e6ca082a123fbd7c65f06714393ee1357a94dc58a9880a898c

SHA512
b0c0c1f11c206e7eca6a99a5da3d700f0ae25007ff292714d6140bd7c355671f3c2d2ae40c333fff3307896b609bea42aff9e4c08e4e31ef9d2f645295ff308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a39acb0-3411-470d-bd3b-7fed4829c514.vbs

Filesize
734B

MD5
fe604e89687f0701ad58fd2f55b13749

SHA1
664aff4bb940bb7e11000c30581b32bc59030fcf

SHA256
e7c264cd410d45fca32e33573951deacaba2f7563a4445727e5c02cc70a29d3a

SHA512
a932cc8f634c8de2387a92e85ff6ae2641189a71a02b454d28d7e385a698a6745f4b7fe447e02ddf0ca2f780182ccfa8e8647478e201505aa0f9352cf18f8d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\96a41540-6d80-4310-986d-f9a31d8fa6a1.vbs

Filesize
734B

MD5
66e425fb8e071952eeb7a206ae9d6437

SHA1
94292eb946d018659b494c2bcb5a18070562474a

SHA256
cf537d68c8fb34efd011f600781994ce9caa1a1be571f78fc04e76b8d95285da

SHA512
b830567082a4452f7da5a52d4636fe2cf6e8964ca3e145365d26516bedc3085eef2cf50ba1bb2b3fc83b30ccb0f86b9f2d04a1ec6709862eeb1371c32a5d82e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a05dd963-d4ae-480e-adbe-4cef5cfaabe5.vbs

Filesize
734B

MD5
fdd0ceeccb45f17bb851bde1ad02f5f5

SHA1
caad2f8ed88e34788cafefab64fd66028a01a445

SHA256
f8b449f8db6db22d918a51de4159b8c0890eaaaf385234f5f677f8c7689a7033

SHA512
53fdea420676b2ce4afe1cd8681848488404caa6a270d4cce9f34fc3e87d8b3c6425ecf58b7c8d57773e87aae0e46df100ec41a901a17e2f5be553d8e71805f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8de5900-8744-4c5d-a228-a211985b4b5b.vbs

Filesize
734B

MD5
10219f9185eee4062bd32f65f0060343

SHA1
8b3e6a2d3bbe5f6de337f8afcf4e10dc0c61fc56

SHA256
03adfe4ddad40279f33e31a8117ba1058f186dc71127e8965e3b55145f531404

SHA512
189f66783b336a72b74cde3443218439b78323a2f1add1b38358218f01c3f67c590ba353f82e7f32297e0a8d876681c07e511dd1f561f7e18f1d577a28ac9691

Download Submit
C:\Users\Admin\AppData\Local\Temp\b29ba988-ddc7-4e2c-ad5c-614af789c4f6.vbs

Filesize
733B

MD5
abdad14b6de946f2a43a0192a90ebd31

SHA1
05834560c5f1cccf47a73fcef3c0499f74817aec

SHA256
f6d7a6aa3f9658397dfe81a0f760d17319341fb39ec1556ba9c585b73c801753

SHA512
1cf682d04698bdafffccc55d3eb1fceef8b75f00c4ba52ff3051fb624d24df7e80648f61659f9b00a55a1b193e9d8c355f55945bcd1a493b6b57a4523945b275

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb95b207-9aa0-4d93-8d24-21ec9c914fe0.vbs

Filesize
734B

MD5
0de3182f2826428e5090975fae87a7a2

SHA1
ebdc877ae4326f7f1be3b066f1076bb1b00b9e42

SHA256
9f171aa1be1866dfdd58fee494ac01d0e4535cbe6a662209cc36bc2826ec9ef9

SHA512
5f0b12e67a41d44b323115fd36c3453d69132a582aa0389f47b2bd7119fc6a1e4001778999c0d867a63edc0fd0f036264aa44c6ca7bc945eb9b48ee5b2b87e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c24ec46d-7532-44c8-9a3e-22b0c2c1258b.vbs

Filesize
734B

MD5
a1704ab8168a25dbd0ca70a73345df72

SHA1
6aaaaac9a4ec5133bea036da9f91cceb9c3f4d5c

SHA256
17a82362851df198d389c2159a5ebb8a91732c758035687ed46c4c1f8fdec826

SHA512
b8a9d7fdad29e8d35b9b61d1512655e152c73c161962f507ef6411f5a616acf869615971d76d2830ea547314e995af3eaa68bbefb09e7477054b48160bae7698

Download Submit
C:\Users\Admin\AppData\Local\Temp\c74dbba6-5a8c-4d12-b55f-bd37d6b39e25.vbs

Filesize
510B

MD5
7113e5acab2e5b96b4f4e2ebb010b4bd

SHA1
2a4cde5e246d1dd6f1785a63acbbc653e43268ce

SHA256
3ca6562dc77cf868ec87cc8e47b18b2c8f7aca8e0a931ad2997043e9fb36b702

SHA512
670f1625ccf64d71a5b88a6a4e5e7aaf1242fbf0b642f2af72db87f7588516649f8df0fcd3c0dd66ac2d55e1c7e91047f998b2dcc6ee4d23ef386fb49faf2992

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5d9056e-e95c-433e-bc95-b7b072e8b1e3.vbs

Filesize
734B

MD5
c1ca2b113b0d606af6816cc0d03e5519

SHA1
30147c1f4e507f3b28f6a1fd2900f16874d2524b

SHA256
d1c539dbaf3927819ad0cb856a41dd9cef81787a080c44c4ccaed042c67027e2

SHA512
b23fed236eccca1087e1d5606944310b855e6db3f36500ccef8d201b6deeca18b2dc583afe5c6e36024e3e4a3bb5071b2c77433156a8f03055b3e1bd514a9c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\e31a0791-00e8-414e-8955-f7b0b20ec500.vbs

Filesize
734B

MD5
e8ac1edc4e68b0c8b8a0cb8be1f6d6f2

SHA1
075ab63ae4dd7691003023bb07cfe36f2f54872c

SHA256
5861d6b7c3c4f4e1b75f84d2c671a5a35d87581c14142c3a846e30658eb63dd4

SHA512
bb040151e2321952f16a35460f67c83edf9d88aa5e651ef6c9fd83b7184bfdd5d22b2c6c6939d127479a3bfb447235c80b1284a2eb2f618658e4e0e4d3b4197f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5417110a8717dae3675b30f2005c33af

SHA1
60a407d06f13a63aed9c9d2c0b81ea4b52227585

SHA256
9440b7f59dcb1157f74230922ba56565776fce0663d9793531e446057fceae6d

SHA512
a2a8433d374409e8314ec2b25b062e038ee62f06959be5afafc1105df3f6a64934952599e1b6a937f113fb0d62a68076c8f5ce4fcd1abed8448dbc3833b6497f

Download Submit
memory/956-233-0x00000000008F0000-0x0000000000A92000-memory.dmp

Filesize
1.6MB

Download
memory/1636-164-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1692-166-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1908-290-0x0000000000F60000-0x0000000001102000-memory.dmp

Filesize
1.6MB

Download
memory/1976-185-0x0000000000220000-0x00000000003C2000-memory.dmp

Filesize
1.6MB

Download
memory/2112-221-0x0000000000030000-0x00000000001D2000-memory.dmp

Filesize
1.6MB

Download
memory/2524-12-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/2524-10-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/2524-174-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-11-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/2524-13-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/2524-14-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2524-16-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

Filesize
48KB

Download
memory/2524-1-0x0000000000F40000-0x00000000010E2000-memory.dmp

Filesize
1.6MB

Download
memory/2524-15-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/2524-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/2524-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2524-9-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2524-8-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2524-6-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2524-4-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2524-7-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2524-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2612-168-0x0000000000C30000-0x0000000000DD2000-memory.dmp

Filesize
1.6MB

Download
memory/2620-245-0x0000000000B00000-0x0000000000CA2000-memory.dmp

Filesize
1.6MB

Download
memory/2672-209-0x0000000000BA0000-0x0000000000D42000-memory.dmp

Filesize
1.6MB

Download
memory/2900-197-0x0000000000AF0000-0x0000000000C92000-memory.dmp

Filesize
1.6MB

Download