dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
60s
max time network
50s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Size

1.6MB
MD5

2c4dbe075f37719580a096bf67bf048e
SHA1

71673f7af94683985e875f3db73cbf1a5509228e
SHA256

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567
SHA512

6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1932	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1932	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/2600-1-0x0000000000150000-0x00000000002F2000-memory.dmp	dcrat
behavioral25/files/0x0005000000019625-25.dat	dcrat
behavioral25/files/0x000a000000019623-102.dat	dcrat
behavioral25/files/0x0008000000019625-124.dat	dcrat
behavioral25/files/0x000800000001962f-168.dat	dcrat
behavioral25/files/0x0008000000019c5d-179.dat	dcrat
behavioral25/memory/1600-259-0x0000000000CD0000-0x0000000000E72000-memory.dmp	dcrat
behavioral25/memory/2964-270-0x0000000001250000-0x00000000013F2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2784	powershell.exe
3064	powershell.exe
2732	powershell.exe
2756	powershell.exe
2108	powershell.exe
2916	powershell.exe
2932	powershell.exe
1292	powershell.exe
2040	powershell.exe
2700	powershell.exe
2848	powershell.exe
2708	powershell.exe
1636	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1600	winlogon.exe
2964	winlogon.exe
2284	winlogon.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\fr-FR\winlogon.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Windows Journal\fr-FR\cc11b995f2a76d	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\RCXB10F.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\RCXB110.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\winlogon.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Web\886983d96e3d3e	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\IME\it-IT\42af1c969fbb7b	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Resources\Ease of Access Themes\56085415360792	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\IME\it-IT\audiodg.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Branding\ShellBrd\wininit.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Web\csrss.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Resources\Ease of Access Themes\wininit.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Branding\ShellBrd\56085415360792	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Branding\ShellBrd\RCXB5A6.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Web\RCXBCAD.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Web\RCXBCAE.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\IME\it-IT\RCXBF1F.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\wininit.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Branding\ShellBrd\wininit.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXAB01.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXAB02.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Branding\ShellBrd\RCXB5A5.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\IME\it-IT\RCXBF20.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\IME\it-IT\audiodg.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Web\csrss.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
1580	schtasks.exe
1080	schtasks.exe
2180	schtasks.exe
1448	schtasks.exe
2244	schtasks.exe
2784	schtasks.exe
2532	schtasks.exe
2780	schtasks.exe
3044	schtasks.exe
1944	schtasks.exe
1780	schtasks.exe
2676	schtasks.exe
1992	schtasks.exe
2888	schtasks.exe
1952	schtasks.exe
1436	schtasks.exe
1620	schtasks.exe
1816	schtasks.exe
2020	schtasks.exe
2948	schtasks.exe
1972	schtasks.exe
1980	schtasks.exe
2356	schtasks.exe
1640	schtasks.exe
440	schtasks.exe
1532	schtasks.exe
376	schtasks.exe
548	schtasks.exe
2908	schtasks.exe
2936	schtasks.exe
2752	schtasks.exe
2336	schtasks.exe
1280	schtasks.exe
2964	schtasks.exe
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
2848	powershell.exe
2708	powershell.exe
2932	powershell.exe
2916	powershell.exe
2108	powershell.exe
2756	powershell.exe
1292	powershell.exe
2784	powershell.exe
1636	powershell.exe
3064	powershell.exe
2040	powershell.exe
2732	powershell.exe
2700	powershell.exe
1600	winlogon.exe
2964	winlogon.exe
2284	winlogon.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1600	winlogon.exe
Token: SeDebugPrivilege	2964	winlogon.exe
Token: SeDebugPrivilege	2284	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2708	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	67
PID 2600 wrote to memory of 2708	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	67
PID 2600 wrote to memory of 2708	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	67
PID 2600 wrote to memory of 2932	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	68
PID 2600 wrote to memory of 2932	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	68
PID 2600 wrote to memory of 2932	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	68
PID 2600 wrote to memory of 2848	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	69
PID 2600 wrote to memory of 2848	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	69
PID 2600 wrote to memory of 2848	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	69
PID 2600 wrote to memory of 2916	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	70
PID 2600 wrote to memory of 2916	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	70
PID 2600 wrote to memory of 2916	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	70
PID 2600 wrote to memory of 2108	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	74
PID 2600 wrote to memory of 2108	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	74
PID 2600 wrote to memory of 2108	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	74
PID 2600 wrote to memory of 2700	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	75
PID 2600 wrote to memory of 2700	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	75
PID 2600 wrote to memory of 2700	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	75
PID 2600 wrote to memory of 2756	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	76
PID 2600 wrote to memory of 2756	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	76
PID 2600 wrote to memory of 2756	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	76
PID 2600 wrote to memory of 2040	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	78
PID 2600 wrote to memory of 2040	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	78
PID 2600 wrote to memory of 2040	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	78
PID 2600 wrote to memory of 2732	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	79
PID 2600 wrote to memory of 2732	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	79
PID 2600 wrote to memory of 2732	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	79
PID 2600 wrote to memory of 3064	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	80
PID 2600 wrote to memory of 3064	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	80
PID 2600 wrote to memory of 3064	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	80
PID 2600 wrote to memory of 2784	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	81
PID 2600 wrote to memory of 2784	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	81
PID 2600 wrote to memory of 2784	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	81
PID 2600 wrote to memory of 1636	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	82
PID 2600 wrote to memory of 1636	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	82
PID 2600 wrote to memory of 1636	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	82
PID 2600 wrote to memory of 1292	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	83
PID 2600 wrote to memory of 1292	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	83
PID 2600 wrote to memory of 1292	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	83
PID 2600 wrote to memory of 3004	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	93
PID 2600 wrote to memory of 3004	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	93
PID 2600 wrote to memory of 3004	2600	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	93
PID 3004 wrote to memory of 2864	3004	cmd.exe	95
PID 3004 wrote to memory of 2864	3004	cmd.exe	95
PID 3004 wrote to memory of 2864	3004	cmd.exe	95
PID 3004 wrote to memory of 1600	3004	cmd.exe	97
PID 3004 wrote to memory of 1600	3004	cmd.exe	97
PID 3004 wrote to memory of 1600	3004	cmd.exe	97
PID 1600 wrote to memory of 2460	1600	winlogon.exe	98
PID 1600 wrote to memory of 2460	1600	winlogon.exe	98
PID 1600 wrote to memory of 2460	1600	winlogon.exe	98
PID 1600 wrote to memory of 2740	1600	winlogon.exe	99
PID 1600 wrote to memory of 2740	1600	winlogon.exe	99
PID 1600 wrote to memory of 2740	1600	winlogon.exe	99
PID 2460 wrote to memory of 2964	2460	WScript.exe	100
PID 2460 wrote to memory of 2964	2460	WScript.exe	100
PID 2460 wrote to memory of 2964	2460	WScript.exe	100
PID 2964 wrote to memory of 900	2964	winlogon.exe	101
PID 2964 wrote to memory of 900	2964	winlogon.exe	101
PID 2964 wrote to memory of 900	2964	winlogon.exe	101
PID 2964 wrote to memory of 2360	2964	winlogon.exe	102
PID 2964 wrote to memory of 2360	2964	winlogon.exe	102
PID 2964 wrote to memory of 2360	2964	winlogon.exe	102
PID 900 wrote to memory of 2284	900	WScript.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
"C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\it-IT\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THXtcpqvfm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2864
- - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
    "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cd5476e-a2c5-48d0-959a-df2738415316.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c79c94d-8a9a-4f95-8d0d-e6f221f53fbf.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3785d1dc-ca86-4966-b44b-4373eb980902.vbs"
        8⤵
        
        PID:564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a3bcc6f-d80e-4fe1-9865-2d567054ba4a.vbs"
        8⤵
        
        PID:2432
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0d6b90d-eee9-4ebb-8d7d-dc8b8b448475.vbs"
        6⤵
        
        PID:2360
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89ec9e05-6dda-4ea8-aeb0-3565a17964d6.vbs"
      4⤵
      PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\Idle.exe

Filesize
1.6MB

MD5
2c4dbe075f37719580a096bf67bf048e

SHA1
71673f7af94683985e875f3db73cbf1a5509228e

SHA256
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567

SHA512
6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70

Download Submit
C:\MSOCache\All Users\Idle.exe

Filesize
1.6MB

MD5
1f539d922d2554d10c1be856490fdd85

SHA1
46560be413ac53ded64763a573b81cd448981d9d

SHA256
9e792e61a80fe0413c7ee745015acf5dfed666f6c5779a3817d2f36d6c2e2d59

SHA512
07252e959c55011d8d13b9e84329182b756bd0516c8d92ffe3385ce837ab0c8240ae7f73e2ba7fb4a4b68c205a171c6d621bb811143d6ea265976170c99f1d5e

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe

Filesize
1.6MB

MD5
3d17675db12ca907caf69b90166e84d8

SHA1
f130f781170da35c18cc4093f347ee3ce3f63598

SHA256
c994659ff7ea82a058b97d7240723285fcd09f0eb87d4bec6a68523ac003b993

SHA512
49e7e38b1a4e04ec83265f108f830d21787be8476dfe01d6e0f7eb34205fd89164ea42f8b11d36ddec85a74c429aed07c658ce6a497f1a63c9d261168920f415

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\wininit.exe

Filesize
1.6MB

MD5
aa7078221fd5647986dc3e1ee21c9e0b

SHA1
ffc385d206cc12e3c021e729264b72fac4dbef9d

SHA256
903509d177e09b871ec360f5627fe361d1a095b57b1ee95bbff663b353dd29c3

SHA512
35b900e62b19596555382d6f93fe15b04796a3d675a46bbdfdb6bfd37e1c8fe158bf3fa801e22aa4bfb9035ff136426088af9430b0ecaa9fcd18160cddb004ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c79c94d-8a9a-4f95-8d0d-e6f221f53fbf.vbs

Filesize
737B

MD5
7084bff057f085ea3edb3b516dfcb698

SHA1
bfebeb00052a7d8e69e97f597f506f797d07be8a

SHA256
1847b6ade0c0365e1daf3947f3e502c3a2fb561db0b369ded987168b47dccd2d

SHA512
9193eb5ff5e88811703d8f2314ce4761657148d1b062d4656b27df26a1f46f66d8b4f5b02dd4b8384f5d02013697b8232b7ce60f90f97a187f2117ee6a75805b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3785d1dc-ca86-4966-b44b-4373eb980902.vbs

Filesize
737B

MD5
76319df78ecfbb9c87dd01136073d680

SHA1
88261f032c93153c10401aa4b506ca50b9996476

SHA256
6e940903dc95f27d760e163143e3b23f929c85a63ef185d87da1247862a969bd

SHA512
5c5ce9be10bf5bacc3602bb9fb5d7a71a4083103391219965eb279dd7e4606656429b56db2e4192de9b66487257035774ef66dd0539557a02802f94d791a00eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cd5476e-a2c5-48d0-959a-df2738415316.vbs

Filesize
737B

MD5
02253cee8c206d7a87a9b27c11f78de9

SHA1
0786107eb89b4ed10887f3f22023ef8a7144e6c0

SHA256
22955e2156e612b3c9fda08705170e1b61184d2d94afceb83927c8771ce07968

SHA512
88141411515a439692ddfc6b807379a0e95eaa4da3fcbfdbc89dc49eee949027b99511efd6910409f1728bc7c1a20507a5b0fb07df273c9afed995c84c499df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\89ec9e05-6dda-4ea8-aeb0-3565a17964d6.vbs

Filesize
513B

MD5
ec925d2fe74b8d5c9a76fc532282e890

SHA1
290083e9cc2e5a109f7fefe5d528c461024cde85

SHA256
a60aa3da87655dcfebadb1a4f5c5bd29cfb8844acd1cf6325e90d1de3d72a98b

SHA512
b934fd80e3fdb62b60980b3e0626917deac8646e9b2e173d90cad38c3f956cd35fb16e2e866c42ade916146169062d97f3db602af62480b589a54c4f5cb0702e

Download Submit
C:\Users\Admin\AppData\Local\Temp\THXtcpqvfm.bat

Filesize
226B

MD5
25d738790d95b7bc210c83481dbe61c5

SHA1
e753005025a3830ad8421453b838749e2c5e192b

SHA256
2baeaf41a9b6e9e91a3c9d70d08de5dc4201665b9fe26602cd1c1b39ca82268c

SHA512
1bff7fcede9c59fcc88d890dab4bf38ec7cecf887b1568fe87641aa51c78068ddf06c5081819966d38a98cd47de197b7590311debfe4a38214a1bff723d7c3d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40SZR3TZZ1C9OKBPVTWI.temp

Filesize
7KB

MD5
87fa70170171c54709e1bc06498cd793

SHA1
22eb20001a51f7eccc96460f649a23eed2c72a92

SHA256
a2745fc598ba78df820e66f3a5e4f19458f1ab3b3d78d76dc84afaeb39c44765

SHA512
7478bf5a06b153463911a4765cc280b00b9faa21e4e91731f65e4760d2573dbe9d973afdffe6fc0a81e3b5a8f865e3654658f31edd53f94480de4ae3ee3dcb5d

Download Submit
C:\Users\Default\audiodg.exe

Filesize
1.6MB

MD5
ad1a0aee53b771b39848eef22cede3e6

SHA1
2d079589857b12a7ce935c0b3ea3c54a832df475

SHA256
c47509467a3cfc41bb6778f1c155cf3476aa6459f3881d225b30c497fa5a4dda

SHA512
041170e6765839014ef479ca706f343c3561c1a87508749a5634a83d912ccfe28cac61957252309d4e9c45cd7974dea2b3a850781466fe3f74aea6ab0c591ee6

Download Submit
memory/1600-259-0x0000000000CD0000-0x0000000000E72000-memory.dmp

Filesize
1.6MB

Download
memory/2600-16-0x00000000023A0000-0x00000000023AC000-memory.dmp

Filesize
48KB

Download
memory/2600-7-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2600-13-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/2600-15-0x0000000002310000-0x000000000231A000-memory.dmp

Filesize
40KB

Download
memory/2600-0-0x000007FEF53B3000-0x000007FEF53B4000-memory.dmp

Filesize
4KB

Download
memory/2600-12-0x00000000022E0000-0x00000000022EE000-memory.dmp

Filesize
56KB

Download
memory/2600-11-0x0000000002170000-0x000000000217A000-memory.dmp

Filesize
40KB

Download
memory/2600-10-0x0000000002160000-0x000000000216C000-memory.dmp

Filesize
48KB

Download
memory/2600-9-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/2600-8-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/2600-1-0x0000000000150000-0x00000000002F2000-memory.dmp

Filesize
1.6MB

Download
memory/2600-14-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2600-2-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-205-0x000007FEF53B0000-0x000007FEF5D9C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-6-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2600-5-0x0000000000730000-0x0000000000746000-memory.dmp

Filesize
88KB

Download
memory/2600-4-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2600-3-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2708-199-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2848-198-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2964-270-0x0000000001250000-0x00000000013F2000-memory.dmp

Filesize
1.6MB

Download