dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Size

1.6MB
MD5

c87ae2c7c0c0a77294bdf61219b952f5
SHA1

009d29952e3cec0966402de8b8ffeb264c78a956
SHA256

85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f
SHA512

b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2236	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2236	schtasks.exe	31

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral13/memory/2108-1-0x0000000000B40000-0x0000000000CE2000-memory.dmp	dcrat
behavioral13/files/0x000500000001a458-25.dat	dcrat
behavioral13/files/0x000500000001a508-46.dat	dcrat
behavioral13/files/0x0009000000019deb-69.dat	dcrat
behavioral13/files/0x000700000001a0a3-80.dat	dcrat
behavioral13/files/0x000a00000001a458-124.dat	dcrat
behavioral13/memory/876-141-0x0000000000170000-0x0000000000312000-memory.dmp	dcrat
behavioral13/memory/1228-191-0x0000000000EC0000-0x0000000001062000-memory.dmp	dcrat
behavioral13/memory/1544-214-0x0000000000F10000-0x00000000010B2000-memory.dmp	dcrat
behavioral13/memory/1320-226-0x0000000001320000-0x00000000014C2000-memory.dmp	dcrat
behavioral13/memory/1548-293-0x00000000001A0000-0x0000000000342000-memory.dmp	dcrat
behavioral13/memory/2736-305-0x00000000003A0000-0x0000000000542000-memory.dmp	dcrat
behavioral13/memory/2716-317-0x0000000000200000-0x00000000003A2000-memory.dmp	dcrat
behavioral13/memory/2076-329-0x00000000009C0000-0x0000000000B62000-memory.dmp	dcrat
behavioral13/files/0x000a00000001a4e0-333.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2168	powershell.exe
768	powershell.exe
1672	powershell.exe
2940	powershell.exe
1540	powershell.exe
940	powershell.exe
880	powershell.exe
2596	powershell.exe
2560	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
876	audiodg.exe
1228	audiodg.exe
2820	audiodg.exe
1544	audiodg.exe
1320	audiodg.exe
2004	audiodg.exe
2520	audiodg.exe
2332	audiodg.exe
2124	audiodg.exe
3044	audiodg.exe
1548	audiodg.exe
2736	audiodg.exe
2716	audiodg.exe
2076	audiodg.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE418.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE487.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\42af1c969fbb7b	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Program Files (x86)\Windows Portable Devices\24dbde2999530e	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\RCXE205.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\RCXE204.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\RCXD686.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\Migration\WTR\audiodg.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\Migration\WTR\audiodg.exe	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File created	C:\Windows\Migration\WTR\42af1c969fbb7b	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
File opened for modification	C:\Windows\Migration\WTR\RCXD685.tmp	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1516	schtasks.exe
2716	schtasks.exe
2744	schtasks.exe
2888	schtasks.exe
2536	schtasks.exe
2368	schtasks.exe
2616	schtasks.exe
2444	schtasks.exe
1428	schtasks.exe
2828	schtasks.exe
2808	schtasks.exe
3032	schtasks.exe
1104	schtasks.exe
236	schtasks.exe
1940	schtasks.exe
1988	schtasks.exe
2132	schtasks.exe
2840	schtasks.exe
2584	schtasks.exe
1916	schtasks.exe
760	schtasks.exe
1860	schtasks.exe
2676	schtasks.exe
1728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
1672	powershell.exe
880	powershell.exe
2596	powershell.exe
2560	powershell.exe
940	powershell.exe
2940	powershell.exe
2168	powershell.exe
768	powershell.exe
1540	powershell.exe
876	audiodg.exe
1228	audiodg.exe
2820	audiodg.exe
1544	audiodg.exe
1320	audiodg.exe
2004	audiodg.exe
2520	audiodg.exe
2332	audiodg.exe
2124	audiodg.exe
3044	audiodg.exe
1548	audiodg.exe
2736	audiodg.exe
2716	audiodg.exe
2076	audiodg.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	876	audiodg.exe
Token: SeDebugPrivilege	1228	audiodg.exe
Token: SeDebugPrivilege	2820	audiodg.exe
Token: SeDebugPrivilege	1544	audiodg.exe
Token: SeDebugPrivilege	1320	audiodg.exe
Token: SeDebugPrivilege	2004	audiodg.exe
Token: SeDebugPrivilege	2520	audiodg.exe
Token: SeDebugPrivilege	2332	audiodg.exe
Token: SeDebugPrivilege	2124	audiodg.exe
Token: SeDebugPrivilege	3044	audiodg.exe
Token: SeDebugPrivilege	1548	audiodg.exe
Token: SeDebugPrivilege	2736	audiodg.exe
Token: SeDebugPrivilege	2716	audiodg.exe
Token: SeDebugPrivilege	2076	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1540	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	56
PID 2108 wrote to memory of 1540	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	56
PID 2108 wrote to memory of 1540	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	56
PID 2108 wrote to memory of 940	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	57
PID 2108 wrote to memory of 940	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	57
PID 2108 wrote to memory of 940	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	57
PID 2108 wrote to memory of 1672	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	59
PID 2108 wrote to memory of 1672	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	59
PID 2108 wrote to memory of 1672	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	59
PID 2108 wrote to memory of 880	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	60
PID 2108 wrote to memory of 880	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	60
PID 2108 wrote to memory of 880	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	60
PID 2108 wrote to memory of 768	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	62
PID 2108 wrote to memory of 768	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	62
PID 2108 wrote to memory of 768	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	62
PID 2108 wrote to memory of 2168	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	64
PID 2108 wrote to memory of 2168	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	64
PID 2108 wrote to memory of 2168	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	64
PID 2108 wrote to memory of 2596	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	65
PID 2108 wrote to memory of 2596	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	65
PID 2108 wrote to memory of 2596	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	65
PID 2108 wrote to memory of 2940	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	66
PID 2108 wrote to memory of 2940	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	66
PID 2108 wrote to memory of 2940	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	66
PID 2108 wrote to memory of 2560	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	67
PID 2108 wrote to memory of 2560	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	67
PID 2108 wrote to memory of 2560	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	67
PID 2108 wrote to memory of 876	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	74
PID 2108 wrote to memory of 876	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	74
PID 2108 wrote to memory of 876	2108	85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe	74
PID 876 wrote to memory of 1592	876	audiodg.exe	75
PID 876 wrote to memory of 1592	876	audiodg.exe	75
PID 876 wrote to memory of 1592	876	audiodg.exe	75
PID 876 wrote to memory of 3016	876	audiodg.exe	76
PID 876 wrote to memory of 3016	876	audiodg.exe	76
PID 876 wrote to memory of 3016	876	audiodg.exe	76
PID 1592 wrote to memory of 1228	1592	WScript.exe	77
PID 1592 wrote to memory of 1228	1592	WScript.exe	77
PID 1592 wrote to memory of 1228	1592	WScript.exe	77
PID 1228 wrote to memory of 808	1228	audiodg.exe	78
PID 1228 wrote to memory of 808	1228	audiodg.exe	78
PID 1228 wrote to memory of 808	1228	audiodg.exe	78
PID 1228 wrote to memory of 1064	1228	audiodg.exe	79
PID 1228 wrote to memory of 1064	1228	audiodg.exe	79
PID 1228 wrote to memory of 1064	1228	audiodg.exe	79
PID 808 wrote to memory of 2820	808	WScript.exe	80
PID 808 wrote to memory of 2820	808	WScript.exe	80
PID 808 wrote to memory of 2820	808	WScript.exe	80
PID 2820 wrote to memory of 1296	2820	audiodg.exe	81
PID 2820 wrote to memory of 1296	2820	audiodg.exe	81
PID 2820 wrote to memory of 1296	2820	audiodg.exe	81
PID 2820 wrote to memory of 2952	2820	audiodg.exe	82
PID 2820 wrote to memory of 2952	2820	audiodg.exe	82
PID 2820 wrote to memory of 2952	2820	audiodg.exe	82
PID 1296 wrote to memory of 1544	1296	WScript.exe	83
PID 1296 wrote to memory of 1544	1296	WScript.exe	83
PID 1296 wrote to memory of 1544	1296	WScript.exe	83
PID 1544 wrote to memory of 2528	1544	audiodg.exe	84
PID 1544 wrote to memory of 2528	1544	audiodg.exe	84
PID 1544 wrote to memory of 2528	1544	audiodg.exe	84
PID 1544 wrote to memory of 2352	1544	audiodg.exe	85
PID 1544 wrote to memory of 2352	1544	audiodg.exe	85
PID 1544 wrote to memory of 2352	1544	audiodg.exe	85
PID 2528 wrote to memory of 1320	2528	WScript.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe
"C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
  "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7690ff1-18db-4012-a257-065e8190d283.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
      "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\293e6b2e-8ae4-4cb3-9084-271153cb875d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:808
      - C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\644b0ccc-926c-4de0-9b0e-e9a27fc80b6f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0feeb873-81d7-4c22-9edb-5066c6a92760.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f75e157-9dcb-4dcd-be8b-2cd9e3272c5b.vbs"
        11⤵
        
        PID:2376
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ed58801-09c4-4836-9f7e-7701a32d2295.vbs"
        13⤵
        
        PID:1252
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d374a82c-815e-4ab5-98bc-09aa2a183219.vbs"
        15⤵
        
        PID:592
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2636e96c-fdea-4095-9da2-c78ed6b0a7ac.vbs"
        17⤵
        
        PID:2680
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e238c803-0349-4418-bd10-66a526b9fc8d.vbs"
        19⤵
        
        PID:1716
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25afacf6-402d-449d-8f59-b23247335995.vbs"
        21⤵
        
        PID:1836
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76930b3f-109a-4db8-a753-96de29ce55bc.vbs"
        23⤵
        
        PID:2128
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dc0fb0e-802b-4717-aea0-292f80d942ff.vbs"
        25⤵
        
        PID:880
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b493b43-6559-439a-8d41-f417f7f815cb.vbs"
        27⤵
        
        PID:2452
        
        C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\610ed04c-447f-49d5-8125-7ba1cc9f1b2e.vbs"
        29⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3287721d-f1af-4c4b-a1d0-6dac84b35307.vbs"
        29⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\833b680f-bb11-4709-a139-88ccd3dad450.vbs"
        27⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9366ee35-2997-4150-823e-7a679ca11105.vbs"
        25⤵
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69a24ee7-cbe1-42d3-b34d-dd22a1a3bd26.vbs"
        23⤵
        
        PID:1088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b05b06d8-569c-41b3-939d-abed99c3b675.vbs"
        21⤵
        
        PID:628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\248e0361-9d58-4d64-933f-20e824ac9295.vbs"
        19⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dced959-5c69-4ea4-9a89-2b2597b92917.vbs"
        17⤵
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e263cc6-6d4a-4069-949a-9b3edf78f6a6.vbs"
        15⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ad44a45-683d-4bfc-a21a-7248669d6700.vbs"
        13⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d85ca6d-7ade-4aa9-8943-747234caf7f7.vbs"
        11⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23aabfbe-03cf-41ea-a128-ef3540292b8f.vbs"
        9⤵
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06f236b4-850c-4ca4-b6e5-d7c4fb6c3719.vbs"
        7⤵
        
        PID:2952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2e456a3-da27-4bdf-af84-6da8d4e63588.vbs"
        5⤵
        
        PID:1064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c962bae5-979d-4aaa-8b61-736962d86266.vbs"
    3⤵
    PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe

Filesize
1.6MB

MD5
0efaeda44d5ad064f9fb9d98a7d6bfa1

SHA1
f3a2d2d59fb785d985d79b8b1025f4d9c2f56d02

SHA256
4a9d3e2fc83cca96c443a62521c0bc8211fc00f39bb7070500af654c220d4583

SHA512
f71a2b14d8f4345fb1665062b4487fc0482e90a92654b250f66d8a16bb3ccccb509a33f380de248fbff499dffe17cc06149446fbb54c611ed8eec86a2441888d

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe

Filesize
1.6MB

MD5
f39cb71fb19410ddc75cf99446512af6

SHA1
29b71d0b20ca9cd066ffb64e81e1b25f06baec0b

SHA256
e6e91c3cde3c702ca44d5ab9cea08d4737509248bf092b03a4ab69221b10e4f6

SHA512
25f4dc4317544896f35b8d486f27ad9f069e1ae8d7ea051f91f5e6e063ecb88ff66f3a70caf97b5786d29cf17b376a7d094d420376e57032006113637513e08d

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe

Filesize
1.6MB

MD5
fff1c7e1d89cd8573521d25e3cfbd8e8

SHA1
59a9415eba00d0d3dabf40f9f19cb63d913b2c9d

SHA256
8a2d4f10730508693864008843a946c824f711331115f2c94fa60cfedffd3a31

SHA512
43b945a7fb8c2627f7fee36008b65e08c4950636034220a82852bd4b3ce0a7d8a0190c43d54efccc793bb12fa906ce2b134b91ec81c9e046d98dc5960e396075

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe

Filesize
1.6MB

MD5
c565103a45f8d46c8a9aa56217763c05

SHA1
3db69b2c8dfa1e0b4fe851845520f69baf51a61d

SHA256
7537b5803e84dbea92579f628825c2df2b624bc7e777c484cd5b334b7fd030f3

SHA512
cbb52b140dc2aa77e2b1c08fba0953d8000945e20d5435071f4c9bee20f5ac92178135138351f092a8dd50895772bb5f08d1d88c137be439414abb92d4cf7e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b493b43-6559-439a-8d41-f417f7f815cb.vbs

Filesize
726B

MD5
0398583a77bd1f9bd75338799331cd6b

SHA1
3e2e21d362992e65e4e26e38b6426b2bfc0d12e3

SHA256
3a93a93095549190bd895ddea5b5bc93e7f0161799bfafeee2c04882b5fe35ae

SHA512
7749016dde6f713cd6668ac2e14d135261ad6cdd86c5367e4aea5f21abac52a85c6cebc3b253f7e1d287cde23c3fc7cc1afbceeb447a85eba250902fd3c0396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0feeb873-81d7-4c22-9edb-5066c6a92760.vbs

Filesize
726B

MD5
00f5d909e64781d5558c84ec46c221b8

SHA1
bc0c5805900763905e3df88016b0cf69fb2c25d6

SHA256
0aa936706f5eba2cd2274a16f34ba857b6feb7e934664c02ae48e66a4a60da42

SHA512
d93921325c04fbf5f5454df0355bc1f95f90c397b605bd26849c061cc1dc07f82a28dcba1e1b05b2253a8133b3f85b7725f7612158723ee46a56b8df2263143d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25afacf6-402d-449d-8f59-b23247335995.vbs

Filesize
726B

MD5
9a98eb979844e709825eb151a2938d54

SHA1
5471a09ea19b43e34eb080eff93267a903adc7d1

SHA256
be76b1d1465154687732e556f7cbeff8b51a561ddcfbbd4abe195d9e05725037

SHA512
4544de75b3443884804229a16ad8798720927e50f6bfb0a64bffb1860ac867f19ea96b89c019792f5cf2f061c396cb2c6f7e18231d6a1e2d745abcf7fdfcf218

Download Submit
C:\Users\Admin\AppData\Local\Temp\2636e96c-fdea-4095-9da2-c78ed6b0a7ac.vbs

Filesize
726B

MD5
e687bf0327f2148e768e0e72335750f9

SHA1
c66c4ed780d7844bb5e41190980dd84770ab75bb

SHA256
887533e3272a279f62c377ae2197a12d01848ff3debfd3ffb68fc32f68f2ef03

SHA512
3d65ec0b91ff5f59a1304f0dd727a23c456e177253c657e030dc74f506995a2f0fb775b593c433a70a9f68f0ac5907a218f343d73411dbf1b53a3c3e3dd8a486

Download Submit
C:\Users\Admin\AppData\Local\Temp\293e6b2e-8ae4-4cb3-9084-271153cb875d.vbs

Filesize
726B

MD5
c16eaec3b854872f3ae76f4116a55264

SHA1
92b6eaaef2ab8c9d2382030148dba2d8d8ffd741

SHA256
1eff39921c955305f6e1079b6bb98447de34072f22de01853ca121ffc3fabfd2

SHA512
aafd6ece283a9ccc2fe4d0c0a3c66a9056e0352bfc982573a37ae2f91a11b4001fcc08034d970faef20e99059f7f163ee6db0ec37f6e24b94cc223297237cb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\2dc0fb0e-802b-4717-aea0-292f80d942ff.vbs

Filesize
726B

MD5
c4e53f9f736401569225da7518345e29

SHA1
ac377e1025594058f28e8c19f89476352addc1a3

SHA256
bf15683124ba068f506020bfc7170d059eb4a1021906e522ddee97af49c47868

SHA512
5d47672ef8573c9717e4f19769440d9fbd54dafd8ca533fc089895e68fff94b8fdea6ca47bbecccd716eac2ca73f3595743888c48445f98a3fc35381c708d9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\610ed04c-447f-49d5-8125-7ba1cc9f1b2e.vbs

Filesize
726B

MD5
e18498bf5c5a9db315d97a1dff42f3f4

SHA1
3ad3b4ca97679dba3caa27c55dd148c975909c37

SHA256
e1e70e4c7fc20fb98f47720ac51863643be0e98628f6a0943c08c544bbbcfb33

SHA512
3c0a9cdbf4c3d6fbfef2d626b16eed689edeb57a4ab64d76688c41761b9bdc3bb8e88b842fff24d6533529a109bc86603329a82e865abde62b80879878c614f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\644b0ccc-926c-4de0-9b0e-e9a27fc80b6f.vbs

Filesize
726B

MD5
e38fb93980d99827c1cfb911b7d44b9a

SHA1
2943bb67da9889bf06f7271aec706e3ee1869b5b

SHA256
6366c295ca24e383950f9389903b4a185d77172973c608ae053bd826eb462819

SHA512
ea77ed2009aebbca38c1244978d1c63d4d5a57f67005a05db291cbf9ca38dbb08b68f31de363060e5c71ced5dfe03d4be674b6d7aeb25052537899dd9fa75f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ed58801-09c4-4836-9f7e-7701a32d2295.vbs

Filesize
726B

MD5
534dc5390b434ae7fa5b71751886dd3d

SHA1
42d58b28b656bccab163c5d2d493010ac8999b61

SHA256
455c36deb9cd71a3fb218a0ad0d6e01097e9cdcaef106fe0d0534f2763b6d413

SHA512
c212aaac2f8cd17c5b18490470cfab5321d75f71cf1403477b133cae15f7f160e1c8bbb005d00ff70566b4779a1bf8a712dfa7dc5449ae4c9be335adfcc3d403

Download Submit
C:\Users\Admin\AppData\Local\Temp\76930b3f-109a-4db8-a753-96de29ce55bc.vbs

Filesize
726B

MD5
c7d89f1d78b0758e9669f75b6b1f2f45

SHA1
c2cfc709d1cbaeee5c65989bca6d72dce0161814

SHA256
bf3b19093ae1035e51b44747f64245001f4d541b5b91668351cd974c357d2f3a

SHA512
52c88ac95a9c65317fff3de34f5c665173b8c1d4b53e044595ed9f2af909a44c6cb4ddfea59f61f30f65264810e51a3878436b5cb721ec2c7e3d428e79e3cd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f75e157-9dcb-4dcd-be8b-2cd9e3272c5b.vbs

Filesize
726B

MD5
dfe7c4b9f77bd8b19eeda49e3d41f905

SHA1
fdd443852e5986ca8ea8f6d6969fbc0d632a72fb

SHA256
db88539ec26b9fa3bf16c9559ce7b430e4b6705386f37349607bdc21c5a89cc7

SHA512
930ea9815801c0aba9d8ec51cd86a66de78b6701103bf58787bb63ccc734608bb19e1b5b37eb5098ff6609c4407dfcf23e6082a7d191d7e0f78bec81f838be15

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7690ff1-18db-4012-a257-065e8190d283.vbs

Filesize
725B

MD5
55d546034617d5b6d84d24f6c846a0f1

SHA1
2d42f2d65750ee6a505449281c8b3171f0aaf323

SHA256
ee517097b6c2c137eade62e8bda7dc6efee55a5000d18d22d247d0797bf2b05b

SHA512
9b4a57dd3719aa1dc09624672c89b5af4895b8f04982f31a9803b63de611bf8329a4e0cbe83c1580cbfeb52d27ff7e21b9fca74d9e8f1b7a66bce3c301edfec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1f5f7346b5cd00af8e1e5cf94c96fc4bff4da2c.exe

Filesize
900KB

MD5
6fcb4c61715a0454e8daa91dd5e64f44

SHA1
3565d7b0723764310a18d46bb81e47f6ac1455c5

SHA256
c99ec58e3ca802b7423b478a5ad63e4a8cab6a74739133d234b928a6d26fb3cc

SHA512
6deaae886ea269894c163722d9e38428657a46752a4c66fafa7dcbe3fd71d414c767a9a93664b23d1ecad0bb6d56aec6933355f3f7b8c2c61d2d80bdbf9fe7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c962bae5-979d-4aaa-8b61-736962d86266.vbs

Filesize
502B

MD5
bd11ff6bf8f4fb1a59be3a43d91fdb87

SHA1
bcac3cf15004028e9204e5e9d8d128a03c6ca7c4

SHA256
1e29f61970980f5d93ca6a601ac86f9eb53fd58fd213a8289ef0c983a1c6f541

SHA512
9a2c714f32d7f249c000a66ecdf0c45cad24f0a4ba5901fa9722575b029648842a3a138bed8577a03934c955f6e26e39875d4aeae35afe62fc65eadf8733f322

Download Submit
C:\Users\Admin\AppData\Local\Temp\d374a82c-815e-4ab5-98bc-09aa2a183219.vbs

Filesize
726B

MD5
6266d19a648c5f6767816d20993371b7

SHA1
c8828a7bd3966c1cc995580d69d2492296b92656

SHA256
50ece8ed877a5c6074b440c270b09e98dc854cda794689e4914a79c783484f01

SHA512
168017f8a0c0c2f0926dcad37a2d308fdcd4a4579d5c57afd71ece2bf39bda4b018c115960750e6cbdf49469492b11cf0a6f132c5a92d48c40a4c05bc1886e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e238c803-0349-4418-bd10-66a526b9fc8d.vbs

Filesize
726B

MD5
7139e45ba26492ab45e2df2255f61fde

SHA1
1aa9d906c67cf48c6f0a38ee0b7007b1b3fe9f08

SHA256
fd4867683d11242a2fc82493b236fb4105ec9b59b9af4164470cbc0b9dcac34c

SHA512
13eeecf49e083d2cfd848953051e71fbde6a7246b0c6d2803a36819fc7ca909ed144990d0d1bb5016ae0cd363e7432fe63db0574a1d1b855af4744208c0cc213

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f0757beee9a4a7f4db42d2217d6038e1

SHA1
536309b9cd42a32f2d0284dddba953cb694fceb9

SHA256
704fb6a15faa77fca998d2bcdc4b11326ea7d50f9a7917829f820338b5f13e02

SHA512
ba45d6be73c243e63ac0ec66c9108600abbaba16e9ea58a97bf24f11495a1eddb759534349da228eb4dbfbec0e920545d48983960661d66b3af989c24375613b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Idle.exe

Filesize
1.6MB

MD5
c87ae2c7c0c0a77294bdf61219b952f5

SHA1
009d29952e3cec0966402de8b8ffeb264c78a956

SHA256
85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f

SHA512
b7477f968f2356dd08991668b6feb01bb878bad59a6b3857b0a226b1e246852ba0c40214c502e757b01bbd9fc130f9e0cad033a12ada3f1c6f42767b9b813c7c

Download Submit
memory/876-141-0x0000000000170000-0x0000000000312000-memory.dmp

Filesize
1.6MB

Download
memory/1228-191-0x0000000000EC0000-0x0000000001062000-memory.dmp

Filesize
1.6MB

Download
memory/1320-226-0x0000000001320000-0x00000000014C2000-memory.dmp

Filesize
1.6MB

Download
memory/1544-214-0x0000000000F10000-0x00000000010B2000-memory.dmp

Filesize
1.6MB

Download
memory/1548-293-0x00000000001A0000-0x0000000000342000-memory.dmp

Filesize
1.6MB

Download
memory/1672-168-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2076-329-0x00000000009C0000-0x0000000000B62000-memory.dmp

Filesize
1.6MB

Download
memory/2108-9-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2108-7-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2108-16-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2108-15-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/2108-14-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2108-13-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2108-12-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2108-11-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2108-10-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2108-180-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-1-0x0000000000B40000-0x0000000000CE2000-memory.dmp

Filesize
1.6MB

Download
memory/2108-6-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2108-8-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2108-5-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2108-2-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

Filesize
9.9MB

Download
memory/2108-4-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2108-0-0x000007FEF5023000-0x000007FEF5024000-memory.dmp

Filesize
4KB

Download
memory/2108-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2596-179-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2716-317-0x0000000000200000-0x00000000003A2000-memory.dmp

Filesize
1.6MB

Download
memory/2736-305-0x00000000003A0000-0x0000000000542000-memory.dmp

Filesize
1.6MB

Download