dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1ec8c3742e4e01173d709df1353dc5d.exe
Size

885KB
MD5

d1ec8c3742e4e01173d709df1353dc5d
SHA1

30c91b20f0ced765718860cbb2a9f39ca19cf20b
SHA256

e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d
SHA512

1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65
SSDEEP

12288:+lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:+lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2768	schtasks.exe	29

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/1712-1-0x0000000000390000-0x0000000000474000-memory.dmp	dcrat
behavioral17/files/0x000500000001a4d5-18.dat	dcrat
behavioral17/files/0x000b00000001c89f-99.dat	dcrat
behavioral17/files/0x000500000001c8c2-109.dat	dcrat
behavioral17/files/0x000e00000001c8cc-205.dat	dcrat
behavioral17/memory/1004-227-0x0000000000D50000-0x0000000000E34000-memory.dmp	dcrat
behavioral17/memory/1740-250-0x0000000000090000-0x0000000000174000-memory.dmp	dcrat
behavioral17/memory/792-262-0x0000000001140000-0x0000000001224000-memory.dmp	dcrat
behavioral17/memory/1620-296-0x0000000000050000-0x0000000000134000-memory.dmp	dcrat
behavioral17/memory/2732-308-0x0000000000F10000-0x0000000000FF4000-memory.dmp	dcrat
behavioral17/memory/2024-331-0x00000000012B0000-0x0000000001394000-memory.dmp	dcrat
behavioral17/memory/1696-343-0x0000000001310000-0x00000000013F4000-memory.dmp	dcrat
behavioral17/memory/1732-355-0x0000000000270000-0x0000000000354000-memory.dmp	dcrat

Executes dropped EXE 12 IoCs

pid	Process
1004	spoolsv.exe
2724	spoolsv.exe
1740	spoolsv.exe
792	spoolsv.exe
1960	spoolsv.exe
2308	spoolsv.exe
1620	spoolsv.exe
2732	spoolsv.exe
1556	spoolsv.exe
2024	spoolsv.exe
1696	spoolsv.exe
1732	spoolsv.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX471A.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files (x86)\Google\CrashReports\csrss.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX46E1.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6203df4a6bafc7	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\b75386f1303e64	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\RCX45CB.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\RCX45CC.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\dwm.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\6cb0b6c459d5d3	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files (x86)\Google\CrashReports\886983d96e3d3e	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX46E0.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX4709.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCX471B.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCX471C.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\ELS\spoolsv.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\Globalization\ELS\f3b6ecef712a24	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\LiveKernelReports\taskhost.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\fr-FR\RCX46CF.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\Globalization\ELS\RCX46E2.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\Globalization\ELS\RCX46E3.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\fr-FR\sppsvc.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\fr-FR\0a1fd5f707cd16	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\LiveKernelReports\b75386f1303e64	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\fr-FR\RCX46CE.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX471D.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX478B.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2920	schtasks.exe
668	schtasks.exe
1108	schtasks.exe
924	schtasks.exe
2776	schtasks.exe
3044	schtasks.exe
1996	schtasks.exe
2184	schtasks.exe
1412	schtasks.exe
3064	schtasks.exe
1856	schtasks.exe
2640	schtasks.exe
2948	schtasks.exe
2996	schtasks.exe
1700	schtasks.exe
2212	schtasks.exe
1036	schtasks.exe
2084	schtasks.exe
2336	schtasks.exe
2688	schtasks.exe
2796	schtasks.exe
2852	schtasks.exe
2380	schtasks.exe
652	schtasks.exe
2260	schtasks.exe
2644	schtasks.exe
2632	schtasks.exe
824	schtasks.exe
1860	schtasks.exe
1948	schtasks.exe
2428	schtasks.exe
2148	schtasks.exe
1648	schtasks.exe
2840	schtasks.exe
2936	schtasks.exe
2684	schtasks.exe
2720	schtasks.exe
1976	schtasks.exe
2228	schtasks.exe
1056	schtasks.exe
2924	schtasks.exe
2352	schtasks.exe
2156	schtasks.exe
316	schtasks.exe
1804	schtasks.exe
2468	schtasks.exe
2520	schtasks.exe
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1712	d1ec8c3742e4e01173d709df1353dc5d.exe
1004	spoolsv.exe
2724	spoolsv.exe
1740	spoolsv.exe
792	spoolsv.exe
1960	spoolsv.exe
2308	spoolsv.exe
1620	spoolsv.exe
2732	spoolsv.exe
1556	spoolsv.exe
2024	spoolsv.exe
1696	spoolsv.exe
1732	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	d1ec8c3742e4e01173d709df1353dc5d.exe
Token: SeDebugPrivilege	1004	spoolsv.exe
Token: SeDebugPrivilege	2724	spoolsv.exe
Token: SeDebugPrivilege	1740	spoolsv.exe
Token: SeDebugPrivilege	792	spoolsv.exe
Token: SeDebugPrivilege	1960	spoolsv.exe
Token: SeDebugPrivilege	2308	spoolsv.exe
Token: SeDebugPrivilege	1620	spoolsv.exe
Token: SeDebugPrivilege	2732	spoolsv.exe
Token: SeDebugPrivilege	1556	spoolsv.exe
Token: SeDebugPrivilege	2024	spoolsv.exe
Token: SeDebugPrivilege	1696	spoolsv.exe
Token: SeDebugPrivilege	1732	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1004	1712	d1ec8c3742e4e01173d709df1353dc5d.exe	78
PID 1712 wrote to memory of 1004	1712	d1ec8c3742e4e01173d709df1353dc5d.exe	78
PID 1712 wrote to memory of 1004	1712	d1ec8c3742e4e01173d709df1353dc5d.exe	78
PID 1004 wrote to memory of 2152	1004	spoolsv.exe	79
PID 1004 wrote to memory of 2152	1004	spoolsv.exe	79
PID 1004 wrote to memory of 2152	1004	spoolsv.exe	79
PID 1004 wrote to memory of 3028	1004	spoolsv.exe	80
PID 1004 wrote to memory of 3028	1004	spoolsv.exe	80
PID 1004 wrote to memory of 3028	1004	spoolsv.exe	80
PID 2152 wrote to memory of 2724	2152	WScript.exe	81
PID 2152 wrote to memory of 2724	2152	WScript.exe	81
PID 2152 wrote to memory of 2724	2152	WScript.exe	81
PID 2724 wrote to memory of 1932	2724	spoolsv.exe	82
PID 2724 wrote to memory of 1932	2724	spoolsv.exe	82
PID 2724 wrote to memory of 1932	2724	spoolsv.exe	82
PID 2724 wrote to memory of 3032	2724	spoolsv.exe	83
PID 2724 wrote to memory of 3032	2724	spoolsv.exe	83
PID 2724 wrote to memory of 3032	2724	spoolsv.exe	83
PID 1932 wrote to memory of 1740	1932	WScript.exe	84
PID 1932 wrote to memory of 1740	1932	WScript.exe	84
PID 1932 wrote to memory of 1740	1932	WScript.exe	84
PID 1740 wrote to memory of 2532	1740	spoolsv.exe	85
PID 1740 wrote to memory of 2532	1740	spoolsv.exe	85
PID 1740 wrote to memory of 2532	1740	spoolsv.exe	85
PID 1740 wrote to memory of 1896	1740	spoolsv.exe	86
PID 1740 wrote to memory of 1896	1740	spoolsv.exe	86
PID 1740 wrote to memory of 1896	1740	spoolsv.exe	86
PID 2532 wrote to memory of 792	2532	WScript.exe	87
PID 2532 wrote to memory of 792	2532	WScript.exe	87
PID 2532 wrote to memory of 792	2532	WScript.exe	87
PID 792 wrote to memory of 3004	792	spoolsv.exe	88
PID 792 wrote to memory of 3004	792	spoolsv.exe	88
PID 792 wrote to memory of 3004	792	spoolsv.exe	88
PID 792 wrote to memory of 2976	792	spoolsv.exe	89
PID 792 wrote to memory of 2976	792	spoolsv.exe	89
PID 792 wrote to memory of 2976	792	spoolsv.exe	89
PID 3004 wrote to memory of 1960	3004	WScript.exe	90
PID 3004 wrote to memory of 1960	3004	WScript.exe	90
PID 3004 wrote to memory of 1960	3004	WScript.exe	90
PID 1960 wrote to memory of 2784	1960	spoolsv.exe	91
PID 1960 wrote to memory of 2784	1960	spoolsv.exe	91
PID 1960 wrote to memory of 2784	1960	spoolsv.exe	91
PID 1960 wrote to memory of 924	1960	spoolsv.exe	92
PID 1960 wrote to memory of 924	1960	spoolsv.exe	92
PID 1960 wrote to memory of 924	1960	spoolsv.exe	92
PID 2784 wrote to memory of 2308	2784	WScript.exe	93
PID 2784 wrote to memory of 2308	2784	WScript.exe	93
PID 2784 wrote to memory of 2308	2784	WScript.exe	93
PID 2308 wrote to memory of 2260	2308	spoolsv.exe	94
PID 2308 wrote to memory of 2260	2308	spoolsv.exe	94
PID 2308 wrote to memory of 2260	2308	spoolsv.exe	94
PID 2308 wrote to memory of 2844	2308	spoolsv.exe	95
PID 2308 wrote to memory of 2844	2308	spoolsv.exe	95
PID 2308 wrote to memory of 2844	2308	spoolsv.exe	95
PID 2260 wrote to memory of 1620	2260	WScript.exe	96
PID 2260 wrote to memory of 1620	2260	WScript.exe	96
PID 2260 wrote to memory of 1620	2260	WScript.exe	96
PID 1620 wrote to memory of 2628	1620	spoolsv.exe	97
PID 1620 wrote to memory of 2628	1620	spoolsv.exe	97
PID 1620 wrote to memory of 2628	1620	spoolsv.exe	97
PID 1620 wrote to memory of 2296	1620	spoolsv.exe	98
PID 1620 wrote to memory of 2296	1620	spoolsv.exe	98
PID 1620 wrote to memory of 2296	1620	spoolsv.exe	98
PID 2628 wrote to memory of 2732	2628	WScript.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d1ec8c3742e4e01173d709df1353dc5d.exe
"C:\Users\Admin\AppData\Local\Temp\d1ec8c3742e4e01173d709df1353dc5d.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\Globalization\ELS\spoolsv.exe
  "C:\Windows\Globalization\ELS\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd5c66fe-a8fa-437e-a8ce-41ccb527a7ae.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\Globalization\ELS\spoolsv.exe
      C:\Windows\Globalization\ELS\spoolsv.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6acfc1ef-f44b-47f3-a898-13be7efadb45.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4962259-b440-42b7-a888-90eb9dc51c9d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d70a1b7f-f7ea-42eb-bfe4-739edaa5702c.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\688a049e-894d-4252-b545-d19c365824d1.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17144f83-75d4-4ae4-b385-f247d6d88702.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0721e6b7-b8b9-4c2e-ba79-2f8501580c07.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bb9b680-b035-475f-8a52-f64303af58f0.vbs"
        17⤵
        
        PID:1312
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0441088-6acb-4b67-b456-6190b59b8dd4.vbs"
        19⤵
        
        PID:1972
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b62caa7b-fe5f-410b-9d10-cf403b2ec886.vbs"
        21⤵
        
        PID:2200
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94040a2f-cc41-41af-991e-232c2682bb5b.vbs"
        23⤵
        
        PID:2892
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        
        C:\Windows\Globalization\ELS\spoolsv.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\127bed29-70ce-4143-8b26-078acf4cb267.vbs"
        25⤵
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4263f60f-9dc3-4cb0-9b71-0e359d41f321.vbs"
        25⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34f27bde-12ef-4269-af83-373b0b1f4cff.vbs"
        23⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8838b6a-16f1-44ac-b5e5-2aadc38889ff.vbs"
        21⤵
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\634df613-9bb4-4cc9-8cd9-caf79848caf0.vbs"
        19⤵
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c5c3c9e-841c-479c-9c6a-3fce99512a40.vbs"
        17⤵
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2edeeed-47f2-4770-9a6e-77cf4fedacff.vbs"
        15⤵
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b85ca3f7-52b2-4380-aff9-bf76fb3a19a5.vbs"
        13⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46db2463-925a-4960-9990-394c58a4a8e6.vbs"
        11⤵
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e66e5cd5-2df5-4213-b78f-d609960fefa2.vbs"
        9⤵
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e8e150-388e-4843-ae60-4846848393f1.vbs"
        7⤵
        
        PID:1896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99556402-1851-4c6d-b771-4d6a515f1726.vbs"
        5⤵
        
        PID:3032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb316013-893d-49c0-9c6c-2dac44e6c5e1.vbs"
    3⤵
    PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\FreeCell\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\FreeCell\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default\PrintHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Globalization\ELS\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\ELS\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe

Filesize
885KB

MD5
1b5d74c0495bdd159be9f50e8d954ffe

SHA1
ca25e0d4949091819108a61bd1c2939a6050baee

SHA256
578f1b32dc9911a3d81dd5b179c70602de23f96adc19bb00ae4bacfef172bdc0

SHA512
8364cff191c9929b41fe766023cda6a9ba49920edbab90d8079da1692f7f7b0352bc56af166190f9e2f16df18c7b504b76f9bdfd948b0b40947bfc54422c75ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\0721e6b7-b8b9-4c2e-ba79-2f8501580c07.vbs

Filesize
716B

MD5
9651f5caacab40d09501ef2c4fd55906

SHA1
8d1d11c09a4c94c07ec62fabefdafd0017d94847

SHA256
36ab45311d3a4eec7a21a9ed32751d458840947f23215b5ca1ce807e39d36d65

SHA512
6b4366daf7ec8a7ba0ede34e0167d5955fd6ee88e6fa52562587cb574e8ba05e74ba88f21139200dbab62ede5259ad6ddf7ab8ddac14d6b1fcdcea397bde65c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\127bed29-70ce-4143-8b26-078acf4cb267.vbs

Filesize
716B

MD5
8491a8878cab40bfb2802823feef9fb8

SHA1
23aa84355db134b3eb249c91afff98049ba5470b

SHA256
7c3615f104c794a9c4a656ab4a4c50d4832132c1ee698f595c277a2f31da1209

SHA512
4838544fb501ff6632b7b8b47b33b57e8e28bdd3b5332318641a49cf503ed00a746461b929c8f6c0caf873cc4ef20a096b73d468ff5736e105c9202915442544

Download Submit
C:\Users\Admin\AppData\Local\Temp\17144f83-75d4-4ae4-b385-f247d6d88702.vbs

Filesize
716B

MD5
1e7c5ced9ec603bf1965651cf5798c48

SHA1
69ecf7ca64fa7bd6b19da328d97f20de2f2e5a96

SHA256
9c5893301ccfe10af7eb44d8fff0f42765f5c6feafd5275dcfce38068ba840dd

SHA512
d1675bab2fa59ea79990fa28ea9ecdfcf3f6ddb26f650a5077f74398d7caa9e4db82e4e054e616d7485093c2a2013d14af9b482ea203bf99e6e064018825d5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\688a049e-894d-4252-b545-d19c365824d1.vbs

Filesize
716B

MD5
6b34a05d07b0e99ea73784f31d3b776d

SHA1
1f5e3a1685d94b7f84a7c5d7498921e82c0bcad4

SHA256
c446268c4e41734b4581cffa27b8b7ed06c8b28c110a3911a7559bc00caef39a

SHA512
3c43edc41c3f4f6cc9f5592a51213328dbcce7cbe4763f0d84e9119ebc7c0de73daeb42a326bd2294227c8116264fc711e557ba0e690d104ea60c7f4cf5dc3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6acfc1ef-f44b-47f3-a898-13be7efadb45.vbs

Filesize
716B

MD5
3a24fe6025aa042b182ad0979cc3794a

SHA1
cfe3f662f73a921df5b1057f831fc1a012231b78

SHA256
568ac918bae3d15929dc159ccb5a534c97fa3175d49845d5de67d653f83459f9

SHA512
bd887666731f73f07afb8ac3119378cbeb563b17e09d6b2496616c0c1053cb762917bcfa6afd1543d207859e4fc1e559ce3fa7ad5467902be978b18ca41281b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bb9b680-b035-475f-8a52-f64303af58f0.vbs

Filesize
716B

MD5
db9ed0d7cd37f10a766397a67d86ec48

SHA1
64bf3ac017de95fa223b0ad908c085741d5f2000

SHA256
62e863f419c0d8588d0bddbf120f63693e756d3561c1c1f634d66130987edf1e

SHA512
ceb05824d5569ea9209feed3fd310c231d2bdb091aa491b72d8a3dd6d239a5535ce7e6880ee35e2c22022491677dacbc44b521aef8b0b33666db88cc8459c5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\94040a2f-cc41-41af-991e-232c2682bb5b.vbs

Filesize
716B

MD5
3c95d1d1f67ef62de0e9fe0d47d586c9

SHA1
8855def25e6b44beb250ec0666e1e57c1a80b6bb

SHA256
a986626731da77c0e3bfd1daccf66cde695c8b7367ff63dbdfe81746b53f1e02

SHA512
b79deb7deb26f7632bc68794f8d82bce0a6edb07ac3755e676587fd1203f81a3084f00a44019aeedaee0b52a3114148cd36ad3fc426724ea02914a846e823a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4962259-b440-42b7-a888-90eb9dc51c9d.vbs

Filesize
716B

MD5
8a90e822bab9fd8bf69fec3b693e2288

SHA1
0e33eb8a4a98476e4e18c80dad30d6c88843e8ad

SHA256
bc6f70598d79ef65e5efb25a75cd440ace5d6ab003f2c0084e847bfc3f89ac14

SHA512
b07bb71cefdb9b1a2a7ba6ce7c80f4ca9036c647f19381bc6f1c0521a77cef6f11b86dab342ba3e3d9eaabba77bb8c222ef7baf247a1a0a137dbf0a91af16fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0441088-6acb-4b67-b456-6190b59b8dd4.vbs

Filesize
716B

MD5
7f851d3245b8750bd3f9dfc4ec0cb4b8

SHA1
b4294e356dee0789123ab2d80e14bbf649228f0d

SHA256
0ba6ee6a474e66e32122250e867555b14a0d46b64817a2c08276bd20dcc46e4f

SHA512
4b7e3f0e73258b46c83cc9cc72c634db8fb543276de8ca373ff88983f1fed37e02ab28cf4da7ee199796a99343e0265aa4480568a4f115ba8ab4304a1d31dc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\b62caa7b-fe5f-410b-9d10-cf403b2ec886.vbs

Filesize
716B

MD5
74f790b9d3b54ff89697501be44a50a3

SHA1
09ff5418c1ce2109a6558690e0c32ca7174dfe09

SHA256
c69a8daba3baab2470655b8b33e36845f9b71b97bff52398dfc11c608259025d

SHA512
861023e8c9a95dd583f51c8d12657a059563d62bebb1f752bc0b5f120ce9deb7e39aa32c5aab3007883f52ddc9443eff5313d9b430068c4d58ddbdb2f5f11e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d70a1b7f-f7ea-42eb-bfe4-739edaa5702c.vbs

Filesize
715B

MD5
125fa9db654cabc40c87ae2b23f4b337

SHA1
10e4a910d7c6b5df4c8e8e11dac26d3a300f157a

SHA256
32aa6c8f4ef0b0bf4c989e440988e7d9bdd912497ed7af499da0ac7e7b4a4830

SHA512
cd518b31fba84abb5cb4392b5d25b10c617f4970857ebd39fa368d77ce38772b672b026e5378f3fc6926fa23ef9d9c2a4219db5d2100f876413490e5fc8ddc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb316013-893d-49c0-9c6c-2dac44e6c5e1.vbs

Filesize
492B

MD5
32115548f5a4e31e56d59e576518095b

SHA1
57073e119ea2840a9d1b570f312c17ef092df6b3

SHA256
ed147ae66383fa5798915abbbec9900937a49c44389183c28f2afaa022073364

SHA512
4bd16e022b888ea760cbde551d10cd0e38fe5022d983ca9a00c867609f354727f2454ec0028d4ed5146df2a4fd3a0c7cb22e5a7baa4bce7a4d9dd71d8b2e49f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd5c66fe-a8fa-437e-a8ce-41ccb527a7ae.vbs

Filesize
716B

MD5
aff404fabad8ae58a2d3a51000f1bd5c

SHA1
f64a5afaa78d4a810e848c194eea230e5a10ef0b

SHA256
1a502575c864a13f540b7cccccf9906f8e6244aba5b3b80b13f24b257910b807

SHA512
967f476decbbb92b18c7f94c34a02bb4c941f81b86e402c4fc9ecc373db284a0a75f75c672ce0ac4f6e21b90dc52d86ef380ca2cefb060ae8cd32f88eb5788c9

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\lsm.exe

Filesize
885KB

MD5
d1ec8c3742e4e01173d709df1353dc5d

SHA1
30c91b20f0ced765718860cbb2a9f39ca19cf20b

SHA256
e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d

SHA512
1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\lsm.exe

Filesize
885KB

MD5
fb9bf9481d4295c847f0e74b7feece13

SHA1
602db0704b0eaec3d5b43fe5b8954db9242daf44

SHA256
29a0b4ed909b045c5aa00f92a79aa4710e039f7608a0ef9d631b45c2d582575a

SHA512
68542893106a6d0048bf488ac6c4f9e419264063ae75db5b46f505afc92d68d097d8a9f7e17370c4b78a101a751b396ac714e7b19611e4d69179da5bf5bfcca4

Download Submit
C:\Windows\LiveKernelReports\taskhost.exe

Filesize
885KB

MD5
604227f6f477871757e69fd10c8f7cb9

SHA1
11d2f3e635c7e3e8be8de1c17ca8535a1cf67ed6

SHA256
2dcba9d5155a5c0ddc4f3cf581ca48739fb70eac3ef5cb99ad489c85e59fbd11

SHA512
9947b69e9c964665df5cf63a11c076f9e7754153e3485518d1d2954018cfd9a84d85ffac9428efd71e6e4d6372c9041c8a3b54be6698ea5861c39535cc0eb3af

Download Submit
memory/792-262-0x0000000001140000-0x0000000001224000-memory.dmp

Filesize
912KB

Download
memory/1004-227-0x0000000000D50000-0x0000000000E34000-memory.dmp

Filesize
912KB

Download
memory/1620-296-0x0000000000050000-0x0000000000134000-memory.dmp

Filesize
912KB

Download
memory/1696-343-0x0000000001310000-0x00000000013F4000-memory.dmp

Filesize
912KB

Download
memory/1712-8-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/1712-6-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/1712-228-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/1712-9-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/1712-7-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/1712-1-0x0000000000390000-0x0000000000474000-memory.dmp

Filesize
912KB

Download
memory/1712-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-5-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/1712-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/1712-4-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1732-355-0x0000000000270000-0x0000000000354000-memory.dmp

Filesize
912KB

Download
memory/1740-250-0x0000000000090000-0x0000000000174000-memory.dmp

Filesize
912KB

Download
memory/2024-331-0x00000000012B0000-0x0000000001394000-memory.dmp

Filesize
912KB

Download
memory/2732-308-0x0000000000F10000-0x0000000000FF4000-memory.dmp

Filesize
912KB

Download