dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c8fa2e136e29f51a3670f440b9f0a0.exe
Size

2.5MB
MD5

86c8fa2e136e29f51a3670f440b9f0a0
SHA1

103d45983c01fc861cb7390afe5db10ff2892fc0
SHA256

da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb
SHA512

7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb
SSDEEP

49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2468	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2468	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1064	powershell.exe
404	powershell.exe
652	powershell.exe
620	powershell.exe
1240	powershell.exe
2444	powershell.exe
1740	powershell.exe
2024	powershell.exe
2916	powershell.exe
844	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1152	86c8fa2e136e29f51a3670f440b9f0a0.exe
2352	86c8fa2e136e29f51a3670f440b9f0a0.exe
2996	86c8fa2e136e29f51a3670f440b9f0a0.exe
2792	86c8fa2e136e29f51a3670f440b9f0a0.exe
2684	86c8fa2e136e29f51a3670f440b9f0a0.exe
2108	86c8fa2e136e29f51a3670f440b9f0a0.exe
2828	86c8fa2e136e29f51a3670f440b9f0a0.exe
1604	86c8fa2e136e29f51a3670f440b9f0a0.exe
1748	86c8fa2e136e29f51a3670f440b9f0a0.exe
2684	86c8fa2e136e29f51a3670f440b9f0a0.exe
1680	86c8fa2e136e29f51a3670f440b9f0a0.exe
1964	86c8fa2e136e29f51a3670f440b9f0a0.exe
1604	86c8fa2e136e29f51a3670f440b9f0a0.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86c8fa2e136e29f51a3670f440b9f0a0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f\\86c8fa2e136e29f51a3670f440b9f0a0.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\mpr\\dwm.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Tasks\\lsass.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Desktop\\Idle.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\cli\\WmiPrvSE.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\sendmail\\wininit.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\csrss.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\Nlsdl\\lsass.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86c8fa2e136e29f51a3670f440b9f0a0 = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\86c8fa2e136e29f51a3670f440b9f0a0.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\sendmail\56085415360792	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\mpr\dwm.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\mpr\6cb0b6c459d5d3	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\wbem\cli\RCXAC24.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\sendmail\RCXAE28.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\sendmail\RCXAE29.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\Nlsdl\lsass.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\Nlsdl\lsass.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\wbem\cli\WmiPrvSE.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mpr\RCXB09A.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mpr\RCXB09B.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mpr\dwm.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\Nlsdl\6203df4a6bafc7	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\wbem\cli\WmiPrvSE.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\Nlsdl\RCX9F7C.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\Nlsdl\RCX9FEA.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\wbem\cli\RCXABB6.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\sendmail\wininit.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\wbem\cli\24dbde2999530e	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\sendmail\wininit.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXB29F.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXB2A0.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\886983d96e3d3e	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\RCXA665.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\Tasks\RCXA6D3.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\Tasks\lsass.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\Tasks\lsass.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\Tasks\6203df4a6bafc7	86c8fa2e136e29f51a3670f440b9f0a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2344	schtasks.exe
2744	schtasks.exe
2840	schtasks.exe
1748	schtasks.exe
2796	schtasks.exe
2716	schtasks.exe
2792	schtasks.exe
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
1064	powershell.exe
2444	powershell.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
1240	powershell.exe
2916	powershell.exe
620	powershell.exe
404	powershell.exe
652	powershell.exe
844	powershell.exe
1740	powershell.exe
2024	powershell.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
1236	86c8fa2e136e29f51a3670f440b9f0a0.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1236	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1152	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2352	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2996	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2792	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2684	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2108	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2828	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	1604	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	1748	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	2684	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	1680	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	1964	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	1604	86c8fa2e136e29f51a3670f440b9f0a0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2444	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 2452 wrote to memory of 2444	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 2452 wrote to memory of 2444	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	41
PID 2452 wrote to memory of 1240	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	42
PID 2452 wrote to memory of 1240	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	42
PID 2452 wrote to memory of 1240	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	42
PID 2452 wrote to memory of 620	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	43
PID 2452 wrote to memory of 620	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	43
PID 2452 wrote to memory of 620	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	43
PID 2452 wrote to memory of 652	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	44
PID 2452 wrote to memory of 652	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	44
PID 2452 wrote to memory of 652	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	44
PID 2452 wrote to memory of 404	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	45
PID 2452 wrote to memory of 404	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	45
PID 2452 wrote to memory of 404	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	45
PID 2452 wrote to memory of 1064	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	47
PID 2452 wrote to memory of 1064	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	47
PID 2452 wrote to memory of 1064	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	47
PID 2452 wrote to memory of 844	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	48
PID 2452 wrote to memory of 844	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	48
PID 2452 wrote to memory of 844	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	48
PID 2452 wrote to memory of 2024	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	52
PID 2452 wrote to memory of 2024	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	52
PID 2452 wrote to memory of 2024	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	52
PID 2452 wrote to memory of 2916	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	53
PID 2452 wrote to memory of 2916	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	53
PID 2452 wrote to memory of 2916	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	53
PID 2452 wrote to memory of 1740	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	54
PID 2452 wrote to memory of 1740	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	54
PID 2452 wrote to memory of 1740	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	54
PID 2452 wrote to memory of 1236	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	61
PID 2452 wrote to memory of 1236	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	61
PID 2452 wrote to memory of 1236	2452	86c8fa2e136e29f51a3670f440b9f0a0.exe	61
PID 1236 wrote to memory of 2912	1236	86c8fa2e136e29f51a3670f440b9f0a0.exe	62
PID 1236 wrote to memory of 2912	1236	86c8fa2e136e29f51a3670f440b9f0a0.exe	62
PID 1236 wrote to memory of 2912	1236	86c8fa2e136e29f51a3670f440b9f0a0.exe	62
PID 1236 wrote to memory of 2924	1236	86c8fa2e136e29f51a3670f440b9f0a0.exe	63
PID 1236 wrote to memory of 2924	1236	86c8fa2e136e29f51a3670f440b9f0a0.exe	63
PID 1236 wrote to memory of 2924	1236	86c8fa2e136e29f51a3670f440b9f0a0.exe	63
PID 2912 wrote to memory of 1152	2912	WScript.exe	65
PID 2912 wrote to memory of 1152	2912	WScript.exe	65
PID 2912 wrote to memory of 1152	2912	WScript.exe	65
PID 1152 wrote to memory of 1488	1152	86c8fa2e136e29f51a3670f440b9f0a0.exe	66
PID 1152 wrote to memory of 1488	1152	86c8fa2e136e29f51a3670f440b9f0a0.exe	66
PID 1152 wrote to memory of 1488	1152	86c8fa2e136e29f51a3670f440b9f0a0.exe	66
PID 1152 wrote to memory of 1000	1152	86c8fa2e136e29f51a3670f440b9f0a0.exe	67
PID 1152 wrote to memory of 1000	1152	86c8fa2e136e29f51a3670f440b9f0a0.exe	67
PID 1152 wrote to memory of 1000	1152	86c8fa2e136e29f51a3670f440b9f0a0.exe	67
PID 1488 wrote to memory of 2352	1488	WScript.exe	68
PID 1488 wrote to memory of 2352	1488	WScript.exe	68
PID 1488 wrote to memory of 2352	1488	WScript.exe	68
PID 2352 wrote to memory of 1752	2352	86c8fa2e136e29f51a3670f440b9f0a0.exe	69
PID 2352 wrote to memory of 1752	2352	86c8fa2e136e29f51a3670f440b9f0a0.exe	69
PID 2352 wrote to memory of 1752	2352	86c8fa2e136e29f51a3670f440b9f0a0.exe	69
PID 2352 wrote to memory of 2344	2352	86c8fa2e136e29f51a3670f440b9f0a0.exe	70
PID 2352 wrote to memory of 2344	2352	86c8fa2e136e29f51a3670f440b9f0a0.exe	70
PID 2352 wrote to memory of 2344	2352	86c8fa2e136e29f51a3670f440b9f0a0.exe	70
PID 1752 wrote to memory of 2996	1752	WScript.exe	71
PID 1752 wrote to memory of 2996	1752	WScript.exe	71
PID 1752 wrote to memory of 2996	1752	WScript.exe	71
PID 2996 wrote to memory of 2580	2996	86c8fa2e136e29f51a3670f440b9f0a0.exe	72
PID 2996 wrote to memory of 2580	2996	86c8fa2e136e29f51a3670f440b9f0a0.exe	72
PID 2996 wrote to memory of 2580	2996	86c8fa2e136e29f51a3670f440b9f0a0.exe	72
PID 2996 wrote to memory of 2788	2996	86c8fa2e136e29f51a3670f440b9f0a0.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe
"C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Nlsdl\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f\86c8fa2e136e29f51a3670f440b9f0a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\cli\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sendmail\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mpr\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
  "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11ccec6d-7b87-4226-a290-649a48d4531b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
      C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66469486-50d7-42d2-af4b-d5cac3fb797e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cdfda6c-4595-4fb3-b916-df95fff78e2c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e75570c0-6a91-46bb-ae42-06a6f3ff4aab.vbs"
        9⤵
        
        PID:2580
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e250634-edfc-4503-b91a-b516d3e53489.vbs"
        11⤵
        
        PID:1012
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fde3faf4-d73a-4549-8300-846ab3dce9c6.vbs"
        13⤵
        
        PID:2732
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a88cbd3-daff-4579-aa8d-b46f08afb1a4.vbs"
        15⤵
        
        PID:2636
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25e37188-3905-48f4-bf8f-238390686d03.vbs"
        17⤵
        
        PID:2352
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdaba1c2-94a6-44e1-a17f-9a48edee9c9e.vbs"
        19⤵
        
        PID:2596
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73992715-16c3-42cc-9d7a-63f4b75c31e7.vbs"
        21⤵
        
        PID:2600
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be25355b-bd8a-425d-8aeb-200b8f75b606.vbs"
        23⤵
        
        PID:2512
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59066bba-abff-47c6-b826-6c4412266b52.vbs"
        25⤵
        
        PID:2752
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a08e836c-ba25-42b0-9346-faea0bd3d0e1.vbs"
        27⤵
        
        PID:1696
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c8a332b-55c9-49ce-8549-8ab23eb337d9.vbs"
        29⤵
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f80841a-2e8a-4ec7-b309-981fa9b63d32.vbs"
        29⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13a97dad-fad1-47ec-a69a-2b17be79e150.vbs"
        27⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f11c7f80-a112-4530-bbe2-f7c88e4ef568.vbs"
        25⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55880611-7664-406d-9f3a-69c23a5e1e60.vbs"
        23⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98a52ac8-6655-4319-9f3b-16dddb967fd2.vbs"
        21⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6519ca33-7d7e-4769-95c0-4d6ed234b0d9.vbs"
        19⤵
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8464e770-e85c-4566-99ec-bbc9886f58d5.vbs"
        17⤵
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf6a09ec-04a9-481f-854c-bb6dfab067be.vbs"
        15⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81297fc2-7f55-4b7a-99c4-bfd68a644f10.vbs"
        13⤵
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc5d00b3-f98d-466b-aa07-3a70858f7d6d.vbs"
        11⤵
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9a08599-d2df-43d8-b868-b7a72012f5aa.vbs"
        9⤵
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\732e23a7-5dbf-47f2-809d-9acd5ffa8882.vbs"
        7⤵
        
        PID:2344
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e678441-46e0-4d71-849d-6a9db363b019.vbs"
        5⤵
        
        PID:1000
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\341a0947-29fc-45e2-85fc-ecfaf99e816f.vbs"
    3⤵
    PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\Nlsdl\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "86c8fa2e136e29f51a3670f440b9f0a0" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\86c8fa2e136e29f51a3670f440b9f0a0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "86c8fa2e136e29f51a3670f440b9f0a0" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f\86c8fa2e136e29f51a3670f440b9f0a0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\cli\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\sendmail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\mpr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11ccec6d-7b87-4226-a290-649a48d4531b.vbs

Filesize
761B

MD5
37d2495dca3a3242349519ee7a824fa4

SHA1
a1eccb38c22ddf083d1c54568d03f3dbdd70de0b

SHA256
73dc715667f3d33c1bf713923d385f41b9e16821c3dfa17acec65a512e3d51e1

SHA512
df3ff4ae38a51b3df73c5d5101bd7afd9f823a5cdda7f2f69b17aa03ae353fceda6d3607f52c57185bed775d27865af5f923bf41a1c92d87bb2acc15794de21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\25e37188-3905-48f4-bf8f-238390686d03.vbs

Filesize
761B

MD5
31ae1d5bdc532bbe18552bdd1d7ee12d

SHA1
dafad83d076af560efb7ccc0c7aa0c6c3df2561a

SHA256
b3436ca996d4b3d47ab89373342d575ae1165a16b924ef795409cd907fc3ea38

SHA512
d6b21cafcb0d9dd522506a9dfccb66d11026d9bec94b5ec06f2840f6dd01bf747a5f3962d1f84befb3dcf67968f847768ab650bb6145829494e504d1376e4113

Download Submit
C:\Users\Admin\AppData\Local\Temp\341a0947-29fc-45e2-85fc-ecfaf99e816f.vbs

Filesize
537B

MD5
a25353b119fd0b58f3cdfa1ab10ddaf9

SHA1
7a93c310f0c22f2456e59025add42ed55d3de9d6

SHA256
6626546d1a6c4d557549715c57e97b19657d7af6a3773aa6ef81245c29ccf6fa

SHA512
7f0f13cbace113a134f82ec230a13fdf2514ca20f86e14fe772f34837707154c42eb74d969e9558e9e7d286522b039385b882fe9c1d6fef279e6a46160100bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cdfda6c-4595-4fb3-b916-df95fff78e2c.vbs

Filesize
761B

MD5
ae3857e33e0a7a5993e6745c6b473cff

SHA1
94212982fbe1616f050cae8437f7fc14cf2f8a05

SHA256
aebadbb211a3cd0c8dd2ac276cf2f050a15feab25238029414f6c26a9f7e1e57

SHA512
21c80e969909d16aeeb6b9d4e2cccc3a059ac01e198057c1db91d614cd6ed1e6003bc15dcd0e540490dd9a7807bfa71627017faa5ee3eacf5fb02bed12b1031b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e250634-edfc-4503-b91a-b516d3e53489.vbs

Filesize
761B

MD5
a953916476040e9896d61ca2af155d35

SHA1
80dbb00e8c72850bf344af99e251a8e5c2e93ab0

SHA256
e8a7037a5a3c6e1c6f33333ddc803c9e545682e5bc3e56e8ba90d3703efa9dfa

SHA512
4713c0469a9e812c97d4dd7e595efa10e77eb4f37cc1dcf2f0ad17432cbad5c2a6d4b1662d99d29d727b4d4ce8bac5312bbdf2f3b82d4e582f2e9811b5a343dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\59066bba-abff-47c6-b826-6c4412266b52.vbs

Filesize
761B

MD5
bec608bbe2915092750f902eef8335fc

SHA1
5ccb738c93aa2aa403142cb51e9841b8d1a5037a

SHA256
7895065f2cf3ed421c5be24cf156804cc373fb74ac2b4c74ae601a3d57202ccd

SHA512
6b8c7452f95a011b43bd32577e6ff1236fc3c5168ef05bfa55bfa86855f30f6e03c92adfc6cb5d504d8fd915cc4700375ec32b990748813483c3edda77f8f508

Download Submit
C:\Users\Admin\AppData\Local\Temp\66469486-50d7-42d2-af4b-d5cac3fb797e.vbs

Filesize
761B

MD5
127351f7159c80ad4a6af4b1da883805

SHA1
df704e5e6f4b47666c6e6877e29a900559f8bd8a

SHA256
5e3b018668d7600171d3f3ab7395c8edc638e3fc75a4d8cb24be11197858f7f8

SHA512
ca29de3587de528e242db0dc68c7e7d9e7163ac54859ed6703dbc80576b3dd8f912f5b3a3ea0cc6dc8b4a5ec7193c9601ab9d0a130d28c3a66c897d652c83b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a88cbd3-daff-4579-aa8d-b46f08afb1a4.vbs

Filesize
761B

MD5
86b4c0916a0a3d36816048102b5d9c2e

SHA1
14240202f0b145476e6a2ec34c80f7b2e8e542c9

SHA256
e2907f5601b409a331750474b6f71d281b085e84a9e93a1adef86f2b7792cb95

SHA512
c03e51b1710bb1d30a27050dc6e45d6652185636c7d27eefb96140dd10db0aa4e047877832b72fd4fa0641dc9ece56b8a7b0b716f80254ded5f612b7ab28f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\73992715-16c3-42cc-9d7a-63f4b75c31e7.vbs

Filesize
761B

MD5
e7d2d308dc6c5fd69a43bd32401354ea

SHA1
1bc5779735fa6b70df66eca8c89e6c1fe352b0c8

SHA256
202fdcb95dd0b1395d7c63d8b001d1bab0d7a1dc86712aec9968b45cbe52d259

SHA512
bf210ecc9c8b787ec84f4993883b44d632d324b0ffcc8f13313b78c923741625a1e9b13140f00d2715450ac53207a094ab009e9135430caed11e6fe977279cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\85c94c7c76edef200af7308df08946171efa15cc64e34da0235a6582538fe75f\86c8fa2e136e29f51a3670f440b9f0a0.exe

Filesize
2.5MB

MD5
e2e1ecd4b6299e7c678fb71c03236898

SHA1
40e84123bce902712e23b350c7cb3432ce04194a

SHA256
895331827cce35773e1af6540343a034ab4df6db41af716cdf0f5d094568bba4

SHA512
eb524f873e6acafd420d341481659b7e7c66a83522b45ea030233ce15b6f93f524fe996860ac1ed61d08634860830384437c42986ee29d7eebd48854ae4eeddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a08e836c-ba25-42b0-9346-faea0bd3d0e1.vbs

Filesize
761B

MD5
ceadfc396df7e2949120f9d7f7e5f132

SHA1
c4229bbbeed30bb886dcbd5dc39fbd692d6e0b0f

SHA256
816331f05a1ea9bc3aaa60fb99c5b23a76d0acf86a1b39671498da5869c72110

SHA512
e60ed27cc8da71526db945a62104eedef9b46fa01ed4da1d37e1e4daaa4b7393f2274db3c003b5e64a46124985340aa3460348e12b55ef41243d036fda048b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdaba1c2-94a6-44e1-a17f-9a48edee9c9e.vbs

Filesize
761B

MD5
fcce5f9791b6a732284886e0d83b1399

SHA1
7c04d9b7e7f07955b88854778ad70819889318cc

SHA256
8b8fb3e1c8fddb4f964822dd4d1062c6aa3f59b4e2b0f56fa91c9d0af1cc9208

SHA512
c79f4a3fc9eed9682bcbf5cd537f93e6ed41ac7dae1cddd6537a05676741f5e03eaca0d12c45c36f60e6e6e55d9342c15fa0249767b5ceeabc77c22eff19da17

Download Submit
C:\Users\Admin\AppData\Local\Temp\e75570c0-6a91-46bb-ae42-06a6f3ff4aab.vbs

Filesize
761B

MD5
c61d6f03bc4b79a41746fbe7cc6b9df7

SHA1
cc4fb7655f096ceed878fc2eaa3b5832ed9c880c

SHA256
374762f192e880d0f1585bd5802c049764880f0280fe61b24c95046e4dce82c0

SHA512
95135526884dca5ffb864477082c2d9ea3760bf420c22a9b8ad76ff68b8422734207438ba8dc086c4782fae3cfde113814c1c94ef001410c717e8c5c960d247b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fde3faf4-d73a-4549-8300-846ab3dce9c6.vbs

Filesize
761B

MD5
612e0f6b25c81a48ad3ff0a0ca2a158d

SHA1
b457924b12ac1a092e6945c68809d91b822e2428

SHA256
8c997c8175925a09d63e32a72ceda95010bc335ffdf73c9324491309ff5e3a08

SHA512
0cb0f73ce24cb4e1d4f5d1d4f36e99c0552e1bc928228183ad6f0482c12cbd13a96ce375146ba9634e78600c43ca2e329ff98fbdcffaaac3e9b8bb4b16476df4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z08HZ96FHV4NZZTA9MHI.temp

Filesize
7KB

MD5
6dd24e1d37c261788385b63a3b82d599

SHA1
df04632e052d7541e1208a7748182162e62645e2

SHA256
1a54dd6447053a10b9f608a445133f3a9e21271a16bf06c586674dd5da1bedd7

SHA512
a7fd07248e9cbcc4bb2e718edb9ac69703e2fbb864b12425d75b6e0d57c66246cd0bcdaf19ea8ac66ccdf272b9ce73cbbec44c53448c498b87cf3343574554d8

Download Submit
C:\Users\Public\Desktop\Idle.exe

Filesize
2.5MB

MD5
86c8fa2e136e29f51a3670f440b9f0a0

SHA1
103d45983c01fc861cb7390afe5db10ff2892fc0

SHA256
da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb

SHA512
7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb

Download Submit
C:\Windows\System32\Nlsdl\lsass.exe

Filesize
2.5MB

MD5
6abb556bf2179f93540112bfd5547450

SHA1
dd2f85fcd34250d28a476bb98250aea318867bdf

SHA256
7407f8cdf699bc96e7b61ae7ce8d0c1231e84379c1af18d407bf3f525f7fcead

SHA512
3003effb8e6a7e403fc634298888c8551bf69f9ddfb736392ccdff455b55ea35bac9c23a72c05663714ed28cfcd71fb46ae31b3c9d45d35ebeb32802628f9267

Download Submit
C:\Windows\System32\wbem\cli\WmiPrvSE.exe

Filesize
2.5MB

MD5
b028b1df2357ad05ac58883d840ce859

SHA1
16da6f4fab61032481c8aef8751d10c59e397bc9

SHA256
b743510faeaf3c43ed0e9590873450ebcd2d19a639618e9fd60ffe0fc5952329

SHA512
7684c35be957d79617d6142299ebf3567f1f3909424bcda21fccf3d4e70bdffbaee52fe973ef297c3b0545a108b4165da1d35d45d69766d8f6d6e81968b3e712

Download Submit
C:\Windows\Tasks\lsass.exe

Filesize
2.5MB

MD5
6f06a517d25ab45ecbdf6d5c950c1aa9

SHA1
2bc2f188035478242cbf1d429260f1d45aeb15ac

SHA256
d1d0ecb0475e42f854ab56b5462e0dfd1d6e718adc4c086d6943b8c5de927a08

SHA512
42e351f7c771bb1cc07665298b3ecd3d2f3dbaa18018aa02af525aa986b5a83d89cc27c08254bd7950f042c9e635cc2b0d9a766c81d225add2fe51fef189d733

Download Submit
memory/1064-157-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1152-213-0x0000000001110000-0x0000000001396000-memory.dmp

Filesize
2.5MB

Download
memory/1152-215-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1152-214-0x00000000004C0000-0x0000000000516000-memory.dmp

Filesize
344KB

Download
memory/1236-165-0x0000000000820000-0x0000000000AA6000-memory.dmp

Filesize
2.5MB

Download
memory/1236-202-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/1236-201-0x00000000007D0000-0x0000000000826000-memory.dmp

Filesize
344KB

Download
memory/1604-302-0x0000000001100000-0x0000000001386000-memory.dmp

Filesize
2.5MB

Download
memory/1604-303-0x0000000000460000-0x00000000004B6000-memory.dmp

Filesize
344KB

Download
memory/1604-365-0x0000000000A40000-0x0000000000CC6000-memory.dmp

Filesize
2.5MB

Download
memory/1680-340-0x0000000000890000-0x0000000000B16000-memory.dmp

Filesize
2.5MB

Download
memory/1748-315-0x0000000000240000-0x00000000004C6000-memory.dmp

Filesize
2.5MB

Download
memory/1964-352-0x0000000000230000-0x00000000004B6000-memory.dmp

Filesize
2.5MB

Download
memory/1964-353-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/2108-276-0x00000000003E0000-0x0000000000666000-memory.dmp

Filesize
2.5MB

Download
memory/2108-277-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2444-151-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2452-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

Filesize
4KB

Download
memory/2452-1-0x00000000013D0000-0x0000000001656000-memory.dmp

Filesize
2.5MB

Download
memory/2452-2-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2452-3-0x0000000000240000-0x000000000024C000-memory.dmp

Filesize
48KB

Download
memory/2452-13-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/2452-5-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2452-8-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2452-14-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/2452-7-0x00000000011F0000-0x0000000001246000-memory.dmp

Filesize
344KB

Download
memory/2452-12-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2452-15-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/2452-9-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2452-166-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2452-16-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2452-4-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2452-10-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/2452-11-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/2452-6-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2684-327-0x0000000000270000-0x00000000004F6000-memory.dmp

Filesize
2.5MB

Download
memory/2684-328-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/2684-264-0x0000000002170000-0x0000000002182000-memory.dmp

Filesize
72KB

Download
memory/2684-263-0x00000000002E0000-0x0000000000566000-memory.dmp

Filesize
2.5MB

Download
memory/2792-251-0x0000000000AD0000-0x0000000000B26000-memory.dmp

Filesize
344KB

Download
memory/2792-250-0x00000000011A0000-0x0000000001426000-memory.dmp

Filesize
2.5MB

Download
memory/2828-290-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2828-289-0x0000000000AF0000-0x0000000000D76000-memory.dmp

Filesize
2.5MB

Download
memory/2996-238-0x0000000001190000-0x0000000001416000-memory.dmp

Filesize
2.5MB

Download