dcrat | 7f1beb32d0565e8ebe9db45b1bc9a29b8fe6f2cfb7f17605bd2f6ec40f761b89

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Size

1.6MB
MD5

27b689b77f3516a11f09ecb8897ad4c2
SHA1

654cb72e6167f879a83930da230b28099359721f
SHA256

5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772
SHA512

8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2624	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2624	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2848-1-0x0000000000AE0000-0x0000000000C82000-memory.dmp	dcrat
behavioral1/files/0x00050000000193b6-25.dat	dcrat
behavioral1/files/0x00060000000194c9-72.dat	dcrat
behavioral1/files/0x0007000000019297-83.dat	dcrat
behavioral1/memory/1768-177-0x0000000000800000-0x00000000009A2000-memory.dmp	dcrat
behavioral1/memory/1940-213-0x0000000000F20000-0x00000000010C2000-memory.dmp	dcrat
behavioral1/memory/992-257-0x0000000001200000-0x00000000013A2000-memory.dmp	dcrat
behavioral1/memory/996-269-0x0000000000010000-0x00000000001B2000-memory.dmp	dcrat
behavioral1/memory/1616-281-0x00000000012D0000-0x0000000001472000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1812	powershell.exe
2204	powershell.exe
1028	powershell.exe
288	powershell.exe
2208	powershell.exe
2580	powershell.exe
1280	powershell.exe
1680	powershell.exe
2100	powershell.exe
2888	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1768	System.exe
1940	System.exe
2928	System.exe
2808	System.exe
1280	System.exe
992	System.exe
996	System.exe
1616	System.exe
2760	System.exe
1292	System.exe
2672	System.exe
612	System.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\fr-FR\6ccacd8608530f	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX7D5E.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCX869B.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX8B11.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCX8D83.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\6ccacd8608530f	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Google\Temp\wininit.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\cc11b995f2a76d	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\wininit.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCX8D84.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\winlogon.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Google\Temp\56085415360792	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\ja-JP\RCX869A.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX8B12.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\winlogon.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCX7D5F.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\ApplicationId\csrss.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Windows\fr-FR\cc11b995f2a76d	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Windows\security\ApplicationId\886983d96e3d3e	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\fr-FR\RCX7B4A.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\security\ApplicationId\RCX8495.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\security\ApplicationId\RCX8496.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Windows\fr-FR\winlogon.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\fr-FR\winlogon.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Windows\security\ApplicationId\csrss.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\fr-FR\RCX7B4B.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
996	schtasks.exe
1652	schtasks.exe
2908	schtasks.exe
2292	schtasks.exe
3000	schtasks.exe
2280	schtasks.exe
2304	schtasks.exe
584	schtasks.exe
2416	schtasks.exe
1520	schtasks.exe
624	schtasks.exe
2456	schtasks.exe
1988	schtasks.exe
1012	schtasks.exe
2336	schtasks.exe
2536	schtasks.exe
1112	schtasks.exe
1916	schtasks.exe
2276	schtasks.exe
2356	schtasks.exe
1480	schtasks.exe
2000	schtasks.exe
1704	schtasks.exe
2728	schtasks.exe
2716	schtasks.exe
664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
1812	powershell.exe
1680	powershell.exe
2208	powershell.exe
1280	powershell.exe
2204	powershell.exe
2888	powershell.exe
2100	powershell.exe
1028	powershell.exe
2580	powershell.exe
288	powershell.exe
1768	System.exe
1940	System.exe
2928	System.exe
2808	System.exe
1280	System.exe
992	System.exe
996	System.exe
1616	System.exe
2760	System.exe
1292	System.exe
2672	System.exe
612	System.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1768	System.exe
Token: SeDebugPrivilege	1940	System.exe
Token: SeDebugPrivilege	2928	System.exe
Token: SeDebugPrivilege	2808	System.exe
Token: SeDebugPrivilege	1280	System.exe
Token: SeDebugPrivilege	992	System.exe
Token: SeDebugPrivilege	996	System.exe
Token: SeDebugPrivilege	1616	System.exe
Token: SeDebugPrivilege	2760	System.exe
Token: SeDebugPrivilege	1292	System.exe
Token: SeDebugPrivilege	2672	System.exe
Token: SeDebugPrivilege	612	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1680	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	58
PID 2848 wrote to memory of 1680	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	58
PID 2848 wrote to memory of 1680	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	58
PID 2848 wrote to memory of 1812	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	59
PID 2848 wrote to memory of 1812	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	59
PID 2848 wrote to memory of 1812	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	59
PID 2848 wrote to memory of 2204	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	60
PID 2848 wrote to memory of 2204	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	60
PID 2848 wrote to memory of 2204	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	60
PID 2848 wrote to memory of 1028	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	61
PID 2848 wrote to memory of 1028	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	61
PID 2848 wrote to memory of 1028	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	61
PID 2848 wrote to memory of 288	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	62
PID 2848 wrote to memory of 288	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	62
PID 2848 wrote to memory of 288	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	62
PID 2848 wrote to memory of 2100	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	63
PID 2848 wrote to memory of 2100	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	63
PID 2848 wrote to memory of 2100	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	63
PID 2848 wrote to memory of 2208	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	64
PID 2848 wrote to memory of 2208	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	64
PID 2848 wrote to memory of 2208	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	64
PID 2848 wrote to memory of 2580	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	65
PID 2848 wrote to memory of 2580	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	65
PID 2848 wrote to memory of 2580	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	65
PID 2848 wrote to memory of 1280	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	66
PID 2848 wrote to memory of 1280	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	66
PID 2848 wrote to memory of 1280	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	66
PID 2848 wrote to memory of 2888	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	67
PID 2848 wrote to memory of 2888	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	67
PID 2848 wrote to memory of 2888	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	67
PID 2848 wrote to memory of 1768	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	78
PID 2848 wrote to memory of 1768	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	78
PID 2848 wrote to memory of 1768	2848	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	78
PID 1768 wrote to memory of 2584	1768	System.exe	79
PID 1768 wrote to memory of 2584	1768	System.exe	79
PID 1768 wrote to memory of 2584	1768	System.exe	79
PID 1768 wrote to memory of 1372	1768	System.exe	80
PID 1768 wrote to memory of 1372	1768	System.exe	80
PID 1768 wrote to memory of 1372	1768	System.exe	80
PID 2584 wrote to memory of 1940	2584	WScript.exe	81
PID 2584 wrote to memory of 1940	2584	WScript.exe	81
PID 2584 wrote to memory of 1940	2584	WScript.exe	81
PID 1940 wrote to memory of 2016	1940	System.exe	82
PID 1940 wrote to memory of 2016	1940	System.exe	82
PID 1940 wrote to memory of 2016	1940	System.exe	82
PID 1940 wrote to memory of 2492	1940	System.exe	83
PID 1940 wrote to memory of 2492	1940	System.exe	83
PID 1940 wrote to memory of 2492	1940	System.exe	83
PID 2016 wrote to memory of 2928	2016	WScript.exe	85
PID 2016 wrote to memory of 2928	2016	WScript.exe	85
PID 2016 wrote to memory of 2928	2016	WScript.exe	85
PID 2928 wrote to memory of 1652	2928	System.exe	86
PID 2928 wrote to memory of 1652	2928	System.exe	86
PID 2928 wrote to memory of 1652	2928	System.exe	86
PID 2928 wrote to memory of 1032	2928	System.exe	87
PID 2928 wrote to memory of 1032	2928	System.exe	87
PID 2928 wrote to memory of 1032	2928	System.exe	87
PID 1652 wrote to memory of 2808	1652	WScript.exe	88
PID 1652 wrote to memory of 2808	1652	WScript.exe	88
PID 1652 wrote to memory of 2808	1652	WScript.exe	88
PID 2808 wrote to memory of 2664	2808	System.exe	89
PID 2808 wrote to memory of 2664	2808	System.exe	89
PID 2808 wrote to memory of 2664	2808	System.exe	89
PID 2808 wrote to memory of 1680	2808	System.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
"C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
  "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f1ca177-e3c3-406f-9a97-f80c54185110.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
      C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed9d67d3-4a6d-4aa1-bc75-3f3b13541458.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9876097-4d89-40cc-a268-8c03ee9d7cec.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74004ac8-5c70-43e6-ab07-f3313e73d457.vbs"
        9⤵
        
        PID:2664
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ee837a4-eb94-4051-9ea6-65377fd5d78b.vbs"
        11⤵
        
        PID:2068
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\780b4c2b-0340-480c-9842-f6b49d22dd05.vbs"
        13⤵
        
        PID:2564
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db1dac72-de39-4745-93c8-2a5f058bf1cb.vbs"
        15⤵
        
        PID:3048
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1ff242-fdd5-48f1-8f95-a583da4bcc08.vbs"
        17⤵
        
        PID:2776
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ada2962-2eb0-4dfa-ae87-c122efe8013d.vbs"
        19⤵
        
        PID:2356
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dac3ced8-fb3f-4e94-8e19-9635302fe45d.vbs"
        21⤵
        
        PID:2136
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31161693-8bf2-4aaf-834b-3200a1987053.vbs"
        23⤵
        
        PID:1436
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60b315ac-3cfa-44b5-823c-e341c16c4f63.vbs"
        25⤵
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b4e36d1-d3ef-4aa3-8b5f-f20abe9a6328.vbs"
        25⤵
        
        PID:2864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a9bbf0b-3b3a-4599-87eb-af2e4c7f333f.vbs"
        23⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e8406ba-ff2b-4e3c-9806-3311f9bb2f6d.vbs"
        21⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d1a613b-b746-4564-b70b-c205c3a5b033.vbs"
        19⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e72c4553-9455-419b-8368-8565bb1ddb10.vbs"
        17⤵
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a8dd420-5b3e-4300-a275-dca6af6a233f.vbs"
        15⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1657021d-0fc4-40f4-9155-2f9d8add00e0.vbs"
        13⤵
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a299b03d-ff57-4708-8c89-3cd2f2f81b8a.vbs"
        11⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8528e06-f63e-46fa-8493-242ebe608cd9.vbs"
        9⤵
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97c37f21-dcbb-4d0c-8e0d-912cc1842d8e.vbs"
        7⤵
        
        PID:1032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c36f23f-5acb-4e03-b564-ab3b39cf664b.vbs"
        5⤵
        
        PID:2492
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\146f07ae-8946-4a6a-92f8-8b7e7a8156ea.vbs"
    3⤵
    PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\ApplicationId\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\ApplicationId\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe

Filesize
1.6MB

MD5
59f2c0356a721a15497d1893197fab1c

SHA1
2cd626faa49c439c6fa8df8be112566a6f83aca3

SHA256
fc077f1e16a3180634bdca6453b400c2b21e22bbefe088d2ccf02caabc032149

SHA512
e5ad01f5e23ecd17c42fc57c0ba6fccb12a794b877a5b742b92f6cf0da40b253864cd983d0fd2394cb6a14d3ebc37e479ead55ba5738c329ed6259cb6cb35c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\146f07ae-8946-4a6a-92f8-8b7e7a8156ea.vbs

Filesize
511B

MD5
cf41527c4a1960b845c9264b335439d1

SHA1
51a99435e8fa233268aedb9e802276fe3f44ae08

SHA256
ac05f15e115a8d6652a936d9e507d4ed1b621a0235a4ff44d10fabbe83b1a6b9

SHA512
4e9a02fd51bb6aee44ce8efb71c99bd7f583d0a8a2fa8e66279a1d77192d456cb317b9f6690a89647ad0db397fb25f9bae3180950555d1bf28ab4fb044b0acc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f1ca177-e3c3-406f-9a97-f80c54185110.vbs

Filesize
735B

MD5
dad33d6f111c6db08048f4e3ea5cb3a3

SHA1
b648dd1bf22ee44690c6de93c562b628d08d143f

SHA256
1f6344837848c71238ad537666f7db075bc85ffa7063903e378f88b5e88d062b

SHA512
357dae43f6fbe06a70ec3f943670ae9b2909350df0a13873c1d284e7593f57f82e706360b2fc2d6e4a345d62d0842cd5db8fe3e1e433c99267d5af4ae13bfcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\31161693-8bf2-4aaf-834b-3200a1987053.vbs

Filesize
735B

MD5
a6b543e83288d3cbf307668f09818181

SHA1
fefcb478e6283f4f2a15146d410a4934721949ff

SHA256
02565da0c81ad20a4bd58ad104e17dd0497c4354074aae92841c9127ef4296c1

SHA512
432bc7d81f30cd6520f8b92a03b14ec8f78af220904122fc854ac465eefa1432391a894b7c1237632c02abb369ef5ed5db37345e573c0b2425a69b8da3cca8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c1ff242-fdd5-48f1-8f95-a583da4bcc08.vbs

Filesize
735B

MD5
0b5ae8c2ff1bedfae4830e21ac2e1052

SHA1
acc47f502e6c62e903ec725e6caa7e33995cbe5f

SHA256
61b34e60958e529ec22e7b9295a9a76440a377f19273e4d86dabee027235da8c

SHA512
086a48fc9eccad7b0d4a190ed6f7d1fe14545f98d5ea5ca7fc636ce1a500437ab7cd382c5a8036f257151e50f43c818256404f650a5b4bccb4b7492f3eefd216

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ee837a4-eb94-4051-9ea6-65377fd5d78b.vbs

Filesize
735B

MD5
3da7224e0014066822d09ca6554344c6

SHA1
938227d40baf8e79a495d14f9fb498a5d488b5c6

SHA256
2b3843b5bd92e58a81d8a987c1dba2f3447b570f77c244694017d8187a60097d

SHA512
73fc1c062f1bf793f65b2ab957186a77bb915fbcfba17fe36254ee20660c0dcf2afc8deee122e2d5551181f352f3fab3a9825ec31d7b133db9321c5e1c0c4ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ada2962-2eb0-4dfa-ae87-c122efe8013d.vbs

Filesize
735B

MD5
afcb35eacc317b3c50ddfee90de69572

SHA1
b7dcb9855d06aaaa76052934e75103d46f4f5c9e

SHA256
ee1aa9439ea393218bd2eef746e22f432587503b2403df01dab09d003a01fa28

SHA512
33bac9f2f5a45e7eb2411dc7bf79526af93ac18b44f04ce583594ed182c78f344b4cf1a7c7f3e74d6c3232aec2b28ba59d4594cd6d5397e2763df922ec10e5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\60b315ac-3cfa-44b5-823c-e341c16c4f63.vbs

Filesize
734B

MD5
ab976a0281f2a84ab4552453afc72285

SHA1
db649bb46653a0f32a1e53fae0a3595c270b2e27

SHA256
7e0e9e985c0bd9d4a0e32259e3ea1c1a8e7ca4e618e085ca154d30113fbc492b

SHA512
8fb8916d1682204ec2f07f52f1f8903a43e135d19ee4b4915fb3fb1c870762e54eb8f41a3614ad092228bc2e0442a26f332e185af0d61976087f515f9542386b

Download Submit
C:\Users\Admin\AppData\Local\Temp\74004ac8-5c70-43e6-ab07-f3313e73d457.vbs

Filesize
735B

MD5
35d63e1454fb2333ccf73c9799bb7851

SHA1
22a4b2eee958b2c664c5795cd7f9b532b66470cb

SHA256
9d7141cd36995d6b25acf2263c6d37d5671ee993c70aec1d7d217baa62843db0

SHA512
1e2e6546af093d052992b6edba12ba01cc6f1f844c41e642b5efd5ae4cc87538b22cced1c77b304c242ae9fd1f47aa1e8a709b811006e3d6067bf9d5a5c65030

Download Submit
C:\Users\Admin\AppData\Local\Temp\780b4c2b-0340-480c-9842-f6b49d22dd05.vbs

Filesize
734B

MD5
cba33198b7ec9ed53e2e467fb71a7f07

SHA1
13e3fd823f32678dad7bd21fccd6fae67053f004

SHA256
80cbb18004ba5db859de87c8c4ad3a3ca2666289a8263d27d02bbb52005afe5c

SHA512
307be7e8489907564e454361865afa1f1e17dec8185f4bb840962e9c283776b7ab71c95c28c4bdb523c52e35661055112c9dd03de83357f5beb80d3aa0a46e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\dac3ced8-fb3f-4e94-8e19-9635302fe45d.vbs

Filesize
735B

MD5
3973afea84e7e5fd821e36765599e716

SHA1
9ea3d6b5c51511361d897fe57208597d12b925ee

SHA256
fff1354c24218e500d5687edfeeaa7476886a68f8c6031985a59cf4fd7a415e6

SHA512
ce217e1c4a0bc55f7045f7a26f9787ee6ecb3d1c392be264ad511cc3ccacbf6158eb3dc209e04be64727296ee3bf6c27cc5040e9397c6c98602a22edfa1f6a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\db1dac72-de39-4745-93c8-2a5f058bf1cb.vbs

Filesize
734B

MD5
7bbb8c363ef3c909988f8b3138fed63c

SHA1
73d1e096fe1e378ba9e8d8d5d4d1d78fb6f68fb5

SHA256
b9b8cb722c131dc55a110b73b1f5120875679b49d4341ae1bcf75af597c8e367

SHA512
82cacbef6080570c7e224850031cde84c6cf13ec049d01ad471a086e3fda3221b22e116d58d9d26f68422bb7de41bfc5baca92bf13ae4b37d50814b94379336d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed9d67d3-4a6d-4aa1-bc75-3f3b13541458.vbs

Filesize
735B

MD5
0410f027ba4afee6216b7e2d2c4cd7ac

SHA1
861ce9d8e224bd7825fe840f545e0cccb8711fe2

SHA256
3bb32e09ca034e705fb398093804d05518f75654459da4d957bf105af105366e

SHA512
b8d31bb571d0e5d1c4f6b694f310003f34f557447703fdafdc55a8851b8a41d6b028115d1502bf55bd8c983e3aa902279c6b86457272ab69955558143a813f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9876097-4d89-40cc-a268-8c03ee9d7cec.vbs

Filesize
735B

MD5
e7f7fbaf0c9f99bd485f8bb6a077edcc

SHA1
9f21504b36781d5dc1f4a72c2b874080cf3d13b7

SHA256
cd62fe3c93206f569b380f48157dad0722841b66b8e6bcf32caeae2a099d5f0f

SHA512
42b0b3ba69e0e721d60ac3ffb42830595d839af2996abcf4bf8268e960bf42854158acbfc3f8f2a499959df7b8814368b3ba030e3600b1fbae05daf1d7e0c3f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
958719f3401a6e10151e9fc3cf37ae02

SHA1
53fffaa7d60cbf7a69a0aac7a9c0e13ee3912201

SHA256
9b8092c9777e2f950369de7596c930314d318041b44217e551da4d0ee73316c3

SHA512
8fc1460ccb4ac57c6973f93547f51218d8a24737d89a2d3de7066b79bded4271edac080c211de8c8cadd4529bfb565f9a0c1b42483cd7ea235d4774e55cebc05

Download Submit
C:\Users\Public\Videos\sppsvc.exe

Filesize
1.6MB

MD5
54cced2abc98602889a7125b5cb05ab5

SHA1
ff1161d6a2a0d7307b0e341a90a904e908fe5e3c

SHA256
849042a248f86ccba5c2f4b98a712a997aa124b231938ec0c67485a8d8fa5585

SHA512
ba2cff70facfd3e5a1d21a637179c1083a6d8fb5821043d7de85e2051255c74e6fa81d9bbe0a97908ff66ce866e97bcb89a5cf0a64abf5d7c1f174d5336ce443

Download Submit
C:\Windows\security\ApplicationId\csrss.exe

Filesize
1.6MB

MD5
27b689b77f3516a11f09ecb8897ad4c2

SHA1
654cb72e6167f879a83930da230b28099359721f

SHA256
5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772

SHA512
8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe

Download Submit
memory/992-257-0x0000000001200000-0x00000000013A2000-memory.dmp

Filesize
1.6MB

Download
memory/996-269-0x0000000000010000-0x00000000001B2000-memory.dmp

Filesize
1.6MB

Download
memory/1616-281-0x00000000012D0000-0x0000000001472000-memory.dmp

Filesize
1.6MB

Download
memory/1680-154-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1768-177-0x0000000000800000-0x00000000009A2000-memory.dmp

Filesize
1.6MB

Download
memory/1812-155-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1940-213-0x0000000000F20000-0x00000000010C2000-memory.dmp

Filesize
1.6MB

Download
memory/2848-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp

Filesize
4KB

Download
memory/2848-13-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2848-12-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2848-16-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/2848-11-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2848-10-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2848-9-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2848-8-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2848-14-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2848-197-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-7-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2848-6-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2848-15-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/2848-5-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/2848-4-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2848-3-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/2848-2-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-1-0x0000000000AE0000-0x0000000000C82000-memory.dmp

Filesize
1.6MB

Download