dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Size

1.6MB
MD5

e38a8ba2db5ea28f0f52d37b4a9d0d45
SHA1

eeb67e1eb72370ce24df9b82c6a7664176dfe064
SHA256

1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6
SHA512

ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2804	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2804	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral7/memory/2596-1-0x00000000009B0000-0x0000000000B52000-memory.dmp	dcrat
behavioral7/files/0x000500000001933f-25.dat	dcrat
behavioral7/files/0x000600000001962d-58.dat	dcrat
behavioral7/files/0x0008000000018c16-69.dat	dcrat
behavioral7/files/0x000b000000019512-104.dat	dcrat
behavioral7/memory/1600-186-0x00000000009C0000-0x0000000000B62000-memory.dmp	dcrat
behavioral7/memory/1124-197-0x0000000000CA0000-0x0000000000E42000-memory.dmp	dcrat
behavioral7/memory/2460-209-0x00000000013D0000-0x0000000001572000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1164	powershell.exe
1128	powershell.exe
2440	powershell.exe
1788	powershell.exe
1688	powershell.exe
2836	powershell.exe
1740	powershell.exe
2492	powershell.exe
2300	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1600	audiodg.exe
1124	audiodg.exe
2460	audiodg.exe
388	audiodg.exe
2596	audiodg.exe
2216	audiodg.exe
3056	audiodg.exe
2760	audiodg.exe
2400	audiodg.exe
1828	audiodg.exe
2132	audiodg.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\System.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Mail\RCXC7EC.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\27d1bcfc3c54e0	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows Mail\audiodg.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\RCXC102.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\RCXC170.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Mail\RCXC7EB.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Mail\audiodg.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\System.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows Mail\42af1c969fbb7b	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Web\6ccacd8608530f	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\Offline Web Pages\27d1bcfc3c54e0	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\Web\RCXC3E2.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXC9F0.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXCA5E.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\Offline Web Pages\System.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\Web\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\Offline Web Pages\System.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\Web\RCXC374.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\Web\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2536	schtasks.exe
3004	schtasks.exe
948	schtasks.exe
1720	schtasks.exe
2940	schtasks.exe
2852	schtasks.exe
864	schtasks.exe
2708	schtasks.exe
1088	schtasks.exe
2880	schtasks.exe
1808	schtasks.exe
2756	schtasks.exe
1588	schtasks.exe
2032	schtasks.exe
1600	schtasks.exe
2828	schtasks.exe
3024	schtasks.exe
2168	schtasks.exe
2736	schtasks.exe
2992	schtasks.exe
1448	schtasks.exe
2968	schtasks.exe
2860	schtasks.exe
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2492	powershell.exe
1688	powershell.exe
2836	powershell.exe
2440	powershell.exe
1164	powershell.exe
1788	powershell.exe
1740	powershell.exe
2300	powershell.exe
1128	powershell.exe
1600	audiodg.exe
1124	audiodg.exe
2460	audiodg.exe
388	audiodg.exe
2596	audiodg.exe
2216	audiodg.exe
3056	audiodg.exe
2760	audiodg.exe
2400	audiodg.exe
1828	audiodg.exe
2132	audiodg.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1600	audiodg.exe
Token: SeDebugPrivilege	1124	audiodg.exe
Token: SeDebugPrivilege	2460	audiodg.exe
Token: SeDebugPrivilege	388	audiodg.exe
Token: SeDebugPrivilege	2596	audiodg.exe
Token: SeDebugPrivilege	2216	audiodg.exe
Token: SeDebugPrivilege	3056	audiodg.exe
Token: SeDebugPrivilege	2760	audiodg.exe
Token: SeDebugPrivilege	2400	audiodg.exe
Token: SeDebugPrivilege	1828	audiodg.exe
Token: SeDebugPrivilege	2132	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2836	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	56
PID 2596 wrote to memory of 2836	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	56
PID 2596 wrote to memory of 2836	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	56
PID 2596 wrote to memory of 1740	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	57
PID 2596 wrote to memory of 1740	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	57
PID 2596 wrote to memory of 1740	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	57
PID 2596 wrote to memory of 1128	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	58
PID 2596 wrote to memory of 1128	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	58
PID 2596 wrote to memory of 1128	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	58
PID 2596 wrote to memory of 2440	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	59
PID 2596 wrote to memory of 2440	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	59
PID 2596 wrote to memory of 2440	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	59
PID 2596 wrote to memory of 2492	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	60
PID 2596 wrote to memory of 2492	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	60
PID 2596 wrote to memory of 2492	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	60
PID 2596 wrote to memory of 2300	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	61
PID 2596 wrote to memory of 2300	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	61
PID 2596 wrote to memory of 2300	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	61
PID 2596 wrote to memory of 1788	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	62
PID 2596 wrote to memory of 1788	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	62
PID 2596 wrote to memory of 1788	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	62
PID 2596 wrote to memory of 1164	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	63
PID 2596 wrote to memory of 1164	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	63
PID 2596 wrote to memory of 1164	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	63
PID 2596 wrote to memory of 1688	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	64
PID 2596 wrote to memory of 1688	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	64
PID 2596 wrote to memory of 1688	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	64
PID 2596 wrote to memory of 764	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	74
PID 2596 wrote to memory of 764	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	74
PID 2596 wrote to memory of 764	2596	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	74
PID 764 wrote to memory of 2812	764	cmd.exe	76
PID 764 wrote to memory of 2812	764	cmd.exe	76
PID 764 wrote to memory of 2812	764	cmd.exe	76
PID 764 wrote to memory of 1600	764	cmd.exe	77
PID 764 wrote to memory of 1600	764	cmd.exe	77
PID 764 wrote to memory of 1600	764	cmd.exe	77
PID 1600 wrote to memory of 2644	1600	audiodg.exe	78
PID 1600 wrote to memory of 2644	1600	audiodg.exe	78
PID 1600 wrote to memory of 2644	1600	audiodg.exe	78
PID 1600 wrote to memory of 2052	1600	audiodg.exe	79
PID 1600 wrote to memory of 2052	1600	audiodg.exe	79
PID 1600 wrote to memory of 2052	1600	audiodg.exe	79
PID 2644 wrote to memory of 1124	2644	WScript.exe	80
PID 2644 wrote to memory of 1124	2644	WScript.exe	80
PID 2644 wrote to memory of 1124	2644	WScript.exe	80
PID 1124 wrote to memory of 1292	1124	audiodg.exe	81
PID 1124 wrote to memory of 1292	1124	audiodg.exe	81
PID 1124 wrote to memory of 1292	1124	audiodg.exe	81
PID 1124 wrote to memory of 2416	1124	audiodg.exe	82
PID 1124 wrote to memory of 2416	1124	audiodg.exe	82
PID 1124 wrote to memory of 2416	1124	audiodg.exe	82
PID 1292 wrote to memory of 2460	1292	WScript.exe	83
PID 1292 wrote to memory of 2460	1292	WScript.exe	83
PID 1292 wrote to memory of 2460	1292	WScript.exe	83
PID 2460 wrote to memory of 2384	2460	audiodg.exe	84
PID 2460 wrote to memory of 2384	2460	audiodg.exe	84
PID 2460 wrote to memory of 2384	2460	audiodg.exe	84
PID 2460 wrote to memory of 556	2460	audiodg.exe	85
PID 2460 wrote to memory of 556	2460	audiodg.exe	85
PID 2460 wrote to memory of 556	2460	audiodg.exe	85
PID 2384 wrote to memory of 388	2384	WScript.exe	86
PID 2384 wrote to memory of 388	2384	WScript.exe	86
PID 2384 wrote to memory of 388	2384	WScript.exe	86
PID 388 wrote to memory of 2280	388	audiodg.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
"C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\DAO\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SqT8hDQfA5.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2812
- - C:\Program Files\Windows Mail\audiodg.exe
    "C:\Program Files\Windows Mail\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e49927c6-5a9c-4584-ba10-18fea28bdd59.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc6d24e7-87be-47c2-8a56-8286b048367f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ad9b274-49c4-46a6-9f3d-5bce813dc1f2.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\566278be-8b7f-436d-b710-0b0a1d338bf9.vbs"
        10⤵
        
        PID:2280
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d8ef4e4-a2c7-4875-b9fa-627a3acb4fb9.vbs"
        12⤵
        
        PID:1628
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\603f014a-accb-429d-b7d5-5b0657f9a5b9.vbs"
        14⤵
        
        PID:1876
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f0d39bc-3b68-40ef-bdec-6e5eaab8b130.vbs"
        16⤵
        
        PID:1444
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afdf2c30-978d-41f2-b8e4-3e24c16d3b65.vbs"
        18⤵
        
        PID:680
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaaf27a3-3720-455b-b381-5d254faeab73.vbs"
        20⤵
        
        PID:876
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7073f450-902e-4dc9-827d-abae97a97872.vbs"
        22⤵
        
        PID:1892
        
        C:\Program Files\Windows Mail\audiodg.exe
        
        "C:\Program Files\Windows Mail\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e950638-dcdf-485a-a739-b186b540ffa5.vbs"
        24⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a6a8307-341f-4826-a103-395229404954.vbs"
        24⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56cd24d3-b0d9-4776-9b7f-0c4cf2c6fe98.vbs"
        22⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cbc0289-1979-45a2-aa4e-b2ed6b4f76d1.vbs"
        20⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1c4321d-1d37-4e57-8e10-f00856b893c3.vbs"
        18⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a030216-dccc-4683-9533-e759b57b08b8.vbs"
        16⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38941ac4-6a9c-4180-bb64-8614f39ee714.vbs"
        14⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a864ad20-d9fa-466d-a575-e9de1ad5d4ba.vbs"
        12⤵
        
        PID:1320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10f11ef1-0154-4661-8567-4c3ad58c58f5.vbs"
        10⤵
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd10c38-bfce-4103-8882-7e3e24c8efa7.vbs"
        8⤵
        
        PID:556
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec41753f-5de9-4c08-8923-8f97878ac792.vbs"
        6⤵
        
        PID:2416
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b4a2455-dab0-4b96-92de-ece0968cc231.vbs"
      4⤵
      PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\DAO\System.exe

Filesize
1.6MB

MD5
f8279fa59ecb08ecca301000faf04618

SHA1
b79c80a8ee51ddfada0ca6be081d0ca7ed4ed100

SHA256
100d869bdc4f88c8e44cfdecea7f66ec1af91705c4ef09a49bd86266b3adbdf0

SHA512
4d2d62bd1cb29956f980bf59c88b19830e9b464833214901f289566d4379fe00391629c09b206b6814df447703009aba64238930c87cd01d362f1ad885380b23

Download Submit
C:\Program Files\Windows Mail\audiodg.exe

Filesize
1.6MB

MD5
e38a8ba2db5ea28f0f52d37b4a9d0d45

SHA1
eeb67e1eb72370ce24df9b82c6a7664176dfe064

SHA256
1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6

SHA512
ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d8ef4e4-a2c7-4875-b9fa-627a3acb4fb9.vbs

Filesize
717B

MD5
a856280136a61f673fad74a9e55e1622

SHA1
884fce713ae68fa9ca0660d42555c8a0a867ce68

SHA256
c311799503db224874b720312775c81558623ce0827b6329fe87ab9ee520d5ce

SHA512
b544a6e1fcf6dc557179034fe9f9db0e433eed5807512fefc36ec425725cb2510ea01f6749e291bcd95ef88173cce3c2b8c5f80887b97ddd90a1d92fa75adda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f0d39bc-3b68-40ef-bdec-6e5eaab8b130.vbs

Filesize
717B

MD5
563a29e4d3b22e6d8573b3bf6ca9defd

SHA1
27d2c192bf8e60725c6d4d873d1530fdaafe78b7

SHA256
930b2e07bfa89fe665932cd46c6e8dec1be69fab807c7dd4c83c047b2129cee6

SHA512
81fc93a20448120e2ab1b12edb3049fdf2a212f191d2cb4e00569072e930e62b83919e18861e6aa2700289e87c3e6ba53d2f654754036f4a62aca7307226609e

Download Submit
C:\Users\Admin\AppData\Local\Temp\566278be-8b7f-436d-b710-0b0a1d338bf9.vbs

Filesize
716B

MD5
6e1a24e8ca9517e57a7581f3afc80875

SHA1
967e184950ca441072193654c7ef197e6f4614a4

SHA256
bd7131677a30020d8f8cf1fb42b799587cb5daa76150d95de63c3c9628c9cb89

SHA512
75c6d300dccb1a00a20e911eb7b08ad0bb241feca04386955d5014b27010483b70cfc8c788ac930ad3466a0be8b7418dd50683fb11a9704233b883299332db41

Download Submit
C:\Users\Admin\AppData\Local\Temp\603f014a-accb-429d-b7d5-5b0657f9a5b9.vbs

Filesize
717B

MD5
ad79955870415ff3e558c814ebf363c4

SHA1
5dac954405494a298ed8f184cfd9818e67d4c71c

SHA256
eb54c74dbf8acf95e45a2b2c2b43b42415419923098685eabc43dd6dc49325f5

SHA512
9fa2af34af82a3c5796286d597d23eef45a39081c58cc518bc74daaaf37f7988c5ba5ece3110b3f0bc6cd2d191cbfa625878d4184d75361bbecbb002b20e6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7073f450-902e-4dc9-827d-abae97a97872.vbs

Filesize
717B

MD5
8d411df134f35eef7e46f1c705716cfd

SHA1
b23c72817f96583cf24a8e278da51d2bdcbfdb30

SHA256
3a5adb0873486e4ee8c1f907f87cd4bd11405eab97b41ccb9cc76f73dd4dba4a

SHA512
c67d6682b545da97dbfde3b3be6149a301c203029bdb10bf208fa9de0b0ddadedc22469715cab9715b9d6560f600e0e79758b21cac1589c73491edad056316f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ad9b274-49c4-46a6-9f3d-5bce813dc1f2.vbs

Filesize
717B

MD5
d0581bff30eb77aee709493ec7fcf675

SHA1
6ca9d916fc205e09162500955c51e1a5d77df635

SHA256
326bee0965c4c6f9e6d77ef3e3b19456aec439628bb18290da5b0b8b77e44b2e

SHA512
d271446086408e4f8c279fc6b5146a40245ad968e0984215d591b84836f8c748333822b0ee0b398fe6de359b8ec098e362fdc0866d8a5642e5b17927f94c1533

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b4a2455-dab0-4b96-92de-ece0968cc231.vbs

Filesize
493B

MD5
bc91cf9a31b4a02351fcdf782ad44902

SHA1
636a947b3a04bb1f11e8c5ca0eea26473f569216

SHA256
c42641fe7d0b44e2d9634c719e8730d25e3607564949f54e637b3fd3e7acb811

SHA512
b05c2deee71b4fec2fc5c03145738f57fdefc9d77f164926d08dd8da625ccd085c42c1b2f8bd41b053d4ab24e3150485f46fb232a027391350a4f6f0fca1ad62

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e950638-dcdf-485a-a739-b186b540ffa5.vbs

Filesize
717B

MD5
fce49f6b719b76c7e04a581d0f106c21

SHA1
9c8a8f77ac8c2beb0541f9ca9d76af400a955a30

SHA256
4e7d907df0dc6b2b34ffc3baabd91ecc46a7f324a9163ecd1709780e332d0cba

SHA512
cc3581886a55b315e24acf86c5a7b65644bbbc167032ff8db7e3fa34d7634843cef42225ca971cdb3c04c18cf2faf4b9dd9cc0c842ffe0d5552de7b864736523

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqT8hDQfA5.bat

Filesize
206B

MD5
5f8dbab1f65221c0b0a33d55f417a381

SHA1
3f52b39b25e6be55b00ccfb87de575711a3e1754

SHA256
9342404771ac00135aba46d619c9e165488acae879edc61804c0f6aceef11075

SHA512
e39f16ae239c8102c794c0e2177d050ea45aaae9f9c5dd580d2d7219876657bcf1ffb2f7c2026825813bfd2df68f66cc34becc55bfedb1d1f883dcfcb90e94a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\afdf2c30-978d-41f2-b8e4-3e24c16d3b65.vbs

Filesize
717B

MD5
c712cfad0508e03effcf5ecc18c62c73

SHA1
d9df8cf3b65c7a5c0486f06b1eeb6e1aea40ca6a

SHA256
6ce73c5da241fbe418c60cab88286f7e7946b0f087cb69f3059a1f63f07d9d68

SHA512
a1bda824983dd4a27500ba71533c0863e164f7e21dd20ac280232b4e6412c05d360225cbc120a7d5e84829e3c487ef1c71349138c53d764b9e61f47df2fad33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc6d24e7-87be-47c2-8a56-8286b048367f.vbs

Filesize
717B

MD5
ba08555e8f889ae6322edbd820517d4a

SHA1
d52ad34308cf89b0fd07ffdcee6688b552d8d6b8

SHA256
2ff0a3f51a5d73c5391b94953241e4f40fcf8db101078379c907d9f1a0dd23cc

SHA512
67f568e47da8db07174e989e04c1a0e78744a4e04f592f5d8153fd51ef9a6f7d46a278c4007fbd40d14801b1e83aacd1ffe1b59fab26631000103ecf22047cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e49927c6-5a9c-4584-ba10-18fea28bdd59.vbs

Filesize
717B

MD5
ee2118bcee98c3c0b083fceb370efe5f

SHA1
d2b6ea8d9b746a4560d9d8b269803c7786822925

SHA256
c137371b94cfd644d96430d898a97ab6b6852e29785ce0ce42fb9fb7d2fcbd10

SHA512
684c74f2621894e8a38dfdeb64f66d93e6c5b7ab3396930b71b74a157f443f6b738cf8ab8b83359b8c55827fa7b5b2088776d1a7cdec993f2104a7660f8c027b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaaf27a3-3720-455b-b381-5d254faeab73.vbs

Filesize
717B

MD5
36fffc84b2a9201d066e249ab35a8d40

SHA1
ffa175f9a40506ac926ee5523caea195f04353fd

SHA256
9625478fef330b5e1539883d774943efc39c02f5cf1c9472885007bd5586ea83

SHA512
ec7092f69026efbcfaa8d627bc5eb78dc0f6094c3e8451afef24e8359896d96a902f9df89898a4119c4cbbe0338514f837d2eee871b0a017eb0b4b653f7fbb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
da021c0cc396b27c3bef93421c2aefca

SHA1
97c508ee314587588c5e5089a97da0ce636daf5f

SHA256
3e20493cd1a8b126dfc747f3d7df2c24b03c7e9344f468db36393bb58eb8e55f

SHA512
c41b5b782667754093e81aa2e077221cc9137674cdb06808dbd65ea640720a2b728f317ed4ce9937e4f3a8850ac51c034131b9b7292340690811b4a0bf134769

Download Submit
C:\Windows\Offline Web Pages\System.exe

Filesize
1.6MB

MD5
578bb26a6396f4b46f81e7fcd15f70eb

SHA1
465f0ede08b5ded518a651cb0f46648b3866d531

SHA256
41c672c95f1bd735875b020a1f91886d2b37d000478cf7b076abcd2081a52e8e

SHA512
fec0748bb8c62ea00a6fd2909c4dd331a3881ca6c7953f44d0cba1e0388240c0aff1e5a9bb1e5cf4037df557d1569e4e71ed5c2d45a11739351739dd4f6a9d7d

Download Submit
C:\Windows\Web\Idle.exe

Filesize
1.6MB

MD5
af5247762b219ace04b6c3d975724a7e

SHA1
557bcf287e81c9e33965cde73c17532c35831e92

SHA256
bb768326b84de0092fb6b4b73c6661d415e3c198d9bb5e2d907cff78be482602

SHA512
904ce6d98dc2d4a01aaa1b5db4996ed9bfabbb2d2746adc2e62b622c42fe8c41e6ca148a1d19c6ac3e9d2d86bf049f2a7e1832c3725ea773efde4ccdbb14d730

Download Submit
memory/1124-197-0x0000000000CA0000-0x0000000000E42000-memory.dmp

Filesize
1.6MB

Download
memory/1600-186-0x00000000009C0000-0x0000000000B62000-memory.dmp

Filesize
1.6MB

Download
memory/2460-209-0x00000000013D0000-0x0000000001572000-memory.dmp

Filesize
1.6MB

Download
memory/2492-160-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2492-162-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2596-163-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-9-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2596-14-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2596-13-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/2596-12-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/2596-11-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2596-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

Filesize
4KB

Download
memory/2596-10-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2596-15-0x00000000022E0000-0x00000000022EA000-memory.dmp

Filesize
40KB

Download
memory/2596-16-0x00000000022F0000-0x00000000022FC000-memory.dmp

Filesize
48KB

Download
memory/2596-8-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2596-6-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2596-7-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2596-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2596-4-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2596-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/2596-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-1-0x00000000009B0000-0x0000000000B52000-memory.dmp

Filesize
1.6MB

Download