dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855deb7775f714f1fc46d29fea8008d7.exe
Size

1.6MB
MD5

855deb7775f714f1fc46d29fea8008d7
SHA1

421d56096458fc456190f7c8d13fa3435c051264
SHA256

795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf
SHA512

7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/1472-1-0x0000000000DF0000-0x0000000000F92000-memory.dmp	dcrat
behavioral9/files/0x000900000001755b-25.dat	dcrat
behavioral9/files/0x000500000001a4bd-42.dat	dcrat
behavioral9/files/0x000e00000001202c-53.dat	dcrat
behavioral9/memory/2896-149-0x00000000011F0000-0x0000000001392000-memory.dmp	dcrat
behavioral9/memory/1872-182-0x00000000003F0000-0x0000000000592000-memory.dmp	dcrat
behavioral9/memory/236-194-0x0000000000C50000-0x0000000000DF2000-memory.dmp	dcrat
behavioral9/memory/2756-206-0x00000000012F0000-0x0000000001492000-memory.dmp	dcrat
behavioral9/memory/2772-240-0x0000000000070000-0x0000000000212000-memory.dmp	dcrat
behavioral9/memory/2704-252-0x0000000001360000-0x0000000001502000-memory.dmp	dcrat
behavioral9/memory/1720-275-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1636	powershell.exe
1516	powershell.exe
1792	powershell.exe
1296	powershell.exe
1708	powershell.exe
1908	powershell.exe
1160	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2896	wininit.exe
920	wininit.exe
2324	wininit.exe
1872	wininit.exe
236	wininit.exe
2756	wininit.exe
1720	wininit.exe
1588	wininit.exe
2772	wininit.exe
2704	wininit.exe
1932	wininit.exe
1720	wininit.exe
3000	wininit.exe
1420	wininit.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\dwm.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\RCXDB4B.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCXDD50.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\RCXDB4A.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXDF54.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Uninstall Information\dwm.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\smss.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Uninstall Information\6cb0b6c459d5d3	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\69ddcba757bf72	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCXDD4F.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXDF64.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\smss.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\56085415360792	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\56085415360792	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD6D3.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXD741.tmp	855deb7775f714f1fc46d29fea8008d7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\RCXD4CF.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Windows\addins\winlogon.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Windows\addins\winlogon.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Windows\addins\cc11b995f2a76d	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Windows\addins\RCXD461.tmp	855deb7775f714f1fc46d29fea8008d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2068	schtasks.exe
2204	schtasks.exe
2916	schtasks.exe
2736	schtasks.exe
2732	schtasks.exe
3068	schtasks.exe
1896	schtasks.exe
636	schtasks.exe
2992	schtasks.exe
2844	schtasks.exe
2944	schtasks.exe
2704	schtasks.exe
2712	schtasks.exe
2684	schtasks.exe
2716	schtasks.exe
3048	schtasks.exe
3040	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1472	855deb7775f714f1fc46d29fea8008d7.exe
1708	powershell.exe
1516	powershell.exe
1296	powershell.exe
1636	powershell.exe
1792	powershell.exe
1160	powershell.exe
1908	powershell.exe
2896	wininit.exe
920	wininit.exe
2324	wininit.exe
1872	wininit.exe
236	wininit.exe
2756	wininit.exe
1720	wininit.exe
1588	wininit.exe
2772	wininit.exe
2704	wininit.exe
1932	wininit.exe
1720	wininit.exe
3000	wininit.exe
1420	wininit.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	855deb7775f714f1fc46d29fea8008d7.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2896	wininit.exe
Token: SeDebugPrivilege	920	wininit.exe
Token: SeDebugPrivilege	2324	wininit.exe
Token: SeDebugPrivilege	1872	wininit.exe
Token: SeDebugPrivilege	236	wininit.exe
Token: SeDebugPrivilege	2756	wininit.exe
Token: SeDebugPrivilege	1720	wininit.exe
Token: SeDebugPrivilege	1588	wininit.exe
Token: SeDebugPrivilege	2772	wininit.exe
Token: SeDebugPrivilege	2704	wininit.exe
Token: SeDebugPrivilege	1932	wininit.exe
Token: SeDebugPrivilege	1720	wininit.exe
Token: SeDebugPrivilege	3000	wininit.exe
Token: SeDebugPrivilege	1420	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1636	1472	855deb7775f714f1fc46d29fea8008d7.exe	50
PID 1472 wrote to memory of 1636	1472	855deb7775f714f1fc46d29fea8008d7.exe	50
PID 1472 wrote to memory of 1636	1472	855deb7775f714f1fc46d29fea8008d7.exe	50
PID 1472 wrote to memory of 1516	1472	855deb7775f714f1fc46d29fea8008d7.exe	51
PID 1472 wrote to memory of 1516	1472	855deb7775f714f1fc46d29fea8008d7.exe	51
PID 1472 wrote to memory of 1516	1472	855deb7775f714f1fc46d29fea8008d7.exe	51
PID 1472 wrote to memory of 1160	1472	855deb7775f714f1fc46d29fea8008d7.exe	53
PID 1472 wrote to memory of 1160	1472	855deb7775f714f1fc46d29fea8008d7.exe	53
PID 1472 wrote to memory of 1160	1472	855deb7775f714f1fc46d29fea8008d7.exe	53
PID 1472 wrote to memory of 1908	1472	855deb7775f714f1fc46d29fea8008d7.exe	55
PID 1472 wrote to memory of 1908	1472	855deb7775f714f1fc46d29fea8008d7.exe	55
PID 1472 wrote to memory of 1908	1472	855deb7775f714f1fc46d29fea8008d7.exe	55
PID 1472 wrote to memory of 1708	1472	855deb7775f714f1fc46d29fea8008d7.exe	56
PID 1472 wrote to memory of 1708	1472	855deb7775f714f1fc46d29fea8008d7.exe	56
PID 1472 wrote to memory of 1708	1472	855deb7775f714f1fc46d29fea8008d7.exe	56
PID 1472 wrote to memory of 1296	1472	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 1472 wrote to memory of 1296	1472	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 1472 wrote to memory of 1296	1472	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 1472 wrote to memory of 1792	1472	855deb7775f714f1fc46d29fea8008d7.exe	59
PID 1472 wrote to memory of 1792	1472	855deb7775f714f1fc46d29fea8008d7.exe	59
PID 1472 wrote to memory of 1792	1472	855deb7775f714f1fc46d29fea8008d7.exe	59
PID 1472 wrote to memory of 3044	1472	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 1472 wrote to memory of 3044	1472	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 1472 wrote to memory of 3044	1472	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 3044 wrote to memory of 896	3044	cmd.exe	66
PID 3044 wrote to memory of 896	3044	cmd.exe	66
PID 3044 wrote to memory of 896	3044	cmd.exe	66
PID 3044 wrote to memory of 2896	3044	cmd.exe	67
PID 3044 wrote to memory of 2896	3044	cmd.exe	67
PID 3044 wrote to memory of 2896	3044	cmd.exe	67
PID 2896 wrote to memory of 2676	2896	wininit.exe	68
PID 2896 wrote to memory of 2676	2896	wininit.exe	68
PID 2896 wrote to memory of 2676	2896	wininit.exe	68
PID 2896 wrote to memory of 264	2896	wininit.exe	69
PID 2896 wrote to memory of 264	2896	wininit.exe	69
PID 2896 wrote to memory of 264	2896	wininit.exe	69
PID 2676 wrote to memory of 920	2676	WScript.exe	70
PID 2676 wrote to memory of 920	2676	WScript.exe	70
PID 2676 wrote to memory of 920	2676	WScript.exe	70
PID 920 wrote to memory of 1324	920	wininit.exe	71
PID 920 wrote to memory of 1324	920	wininit.exe	71
PID 920 wrote to memory of 1324	920	wininit.exe	71
PID 920 wrote to memory of 1956	920	wininit.exe	72
PID 920 wrote to memory of 1956	920	wininit.exe	72
PID 920 wrote to memory of 1956	920	wininit.exe	72
PID 1324 wrote to memory of 2324	1324	WScript.exe	73
PID 1324 wrote to memory of 2324	1324	WScript.exe	73
PID 1324 wrote to memory of 2324	1324	WScript.exe	73
PID 2324 wrote to memory of 2200	2324	wininit.exe	74
PID 2324 wrote to memory of 2200	2324	wininit.exe	74
PID 2324 wrote to memory of 2200	2324	wininit.exe	74
PID 2324 wrote to memory of 2576	2324	wininit.exe	75
PID 2324 wrote to memory of 2576	2324	wininit.exe	75
PID 2324 wrote to memory of 2576	2324	wininit.exe	75
PID 2200 wrote to memory of 1872	2200	WScript.exe	76
PID 2200 wrote to memory of 1872	2200	WScript.exe	76
PID 2200 wrote to memory of 1872	2200	WScript.exe	76
PID 1872 wrote to memory of 1708	1872	wininit.exe	77
PID 1872 wrote to memory of 1708	1872	wininit.exe	77
PID 1872 wrote to memory of 1708	1872	wininit.exe	77
PID 1872 wrote to memory of 1416	1872	wininit.exe	78
PID 1872 wrote to memory of 1416	1872	wininit.exe	78
PID 1872 wrote to memory of 1416	1872	wininit.exe	78
PID 1708 wrote to memory of 236	1708	WScript.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe
"C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVO2yVWNDR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:896
- - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
    "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e68ff2b-f071-4065-920b-ac35d9cf1fd1.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8cbf513-04f5-4585-ac73-b9dd514e7cb7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2c8841f-73cb-4455-be76-b6eff658101d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f4ae7fa-938c-49ec-8a1e-cbc493e8ae4f.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df3d0077-bac5-4a37-a288-1152b2b2361a.vbs"
        12⤵
        
        PID:572
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54c6690d-a680-4303-83c3-bb8d7fd1eabe.vbs"
        14⤵
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc5b6726-4f97-4f70-9016-da9f38b6d0c6.vbs"
        16⤵
        
        PID:1808
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faa9804a-e023-4349-a5df-245e8fd27af2.vbs"
        18⤵
        
        PID:1992
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\226a21c5-c1ce-4fcf-aee8-b7ac8eec3645.vbs"
        20⤵
        
        PID:236
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b233f889-f31e-41a5-ae70-d55cebbf53df.vbs"
        22⤵
        
        PID:2732
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a9bf945-350a-481d-9c48-a4d6d032f673.vbs"
        24⤵
        
        PID:2460
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd3a09a9-bed4-4fc1-b711-d302c4bbf15e.vbs"
        26⤵
        
        PID:888
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a50c1b6b-f3a1-4465-942c-d65337658bc6.vbs"
        28⤵
        
        PID:2872
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1d13e19-e199-470d-ba69-6ac0226a1cfa.vbs"
        30⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ef5f473-00cb-4875-a8c6-a026ae466d29.vbs"
        30⤵
        
        PID:1900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dd1ffe5-a79d-4843-959c-88703a42f111.vbs"
        28⤵
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\658d5a1c-788d-4aea-9fc0-0a24780d020d.vbs"
        26⤵
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8eca19d-5711-4850-8113-cf90030e9f86.vbs"
        24⤵
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ae7bf9e-9a80-4bbd-a7c1-dcc93b18c66f.vbs"
        22⤵
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebc07969-7027-45b7-b7c0-6fdb3e4a7621.vbs"
        20⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42b029ed-d730-4908-92a9-46300834a67b.vbs"
        18⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d47632-f484-4b9c-a37b-04dfae5787fc.vbs"
        16⤵
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b0b3bd1-e8dc-4c21-b87d-c43a823116c9.vbs"
        14⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e10d38-6b16-4f0e-b316-30971147b759.vbs"
        12⤵
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\317deb93-b5b9-4837-a00a-d3a3000b26ba.vbs"
        10⤵
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81007a6b-56ca-4d82-9212-89d2a4fa75b1.vbs"
        8⤵
        
        PID:2576
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\294f9ff2-0495-47c1-a202-25b9c9d2d4b6.vbs"
        6⤵
        
        PID:1956
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5ffcc32-2142-434e-b02a-752b5b1a0a01.vbs"
      4⤵
      PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\addins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe

Filesize
1.6MB

MD5
855deb7775f714f1fc46d29fea8008d7

SHA1
421d56096458fc456190f7c8d13fa3435c051264

SHA256
795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf

SHA512
7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99

Download Submit
C:\Program Files\Uninstall Information\dwm.exe

Filesize
1.6MB

MD5
59ac23e7c1a42dcceee20fc294120345

SHA1
195f2666f12f7c940148c71ff3f3a36f68d1d313

SHA256
b96dad89551f8bac3b8eb26f56df1b8ed6f867a2e77a88f759c2f2f176572c08

SHA512
b9622e9ba3aa3c5970175e8e649d5995d3874410311c7776b24d8083e231460e842a1d9dd3d7a7961a6b5aea2aeced4559a0a470ece81cf8d6bb30974860648d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f4ae7fa-938c-49ec-8a1e-cbc493e8ae4f.vbs

Filesize
745B

MD5
0cff0523d9640f43de6824075f89a8c6

SHA1
36e9bceaec3a7d3e091cfb119252cfcfe244683a

SHA256
a6cb078d927948a3d0a8e3e4379b788716e1a6a5221b7500fe684cf32cea8df4

SHA512
e38f3cbc124d16fb51ea35abb7bdb586667bdf02075e43f97a9cca9ae6da2216ba39d1222eb90594e0e6cca1313130ae13307a149d0b1ea0d5655b9e13e8a419

Download Submit
C:\Users\Admin\AppData\Local\Temp\226a21c5-c1ce-4fcf-aee8-b7ac8eec3645.vbs

Filesize
745B

MD5
b5407eb7ef5fd5685794eb742ddc7f69

SHA1
0605d3cad9465b93ec3db9dcabed13d50438b026

SHA256
18b135a2ab2dcab1e4538a5909efef095d59624360f42b7a159142bb252d841c

SHA512
db058ebf5b9cfc52a7f667a24a8c4021301070224f13b8c2b4da52b20a65d241fc3292f6c4ce94f52526f32158b5b8ab53f4727771a07373f6dc671a7f7f5fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\54c6690d-a680-4303-83c3-bb8d7fd1eabe.vbs

Filesize
745B

MD5
bf6722e95426cd11627d52da0ade9690

SHA1
2210c9561d961df26795751ea50879f42fab73d9

SHA256
452533becbe31d0e68860bda9ce57ce354f8e49baf1e6ff0dca3ab6e7f962274

SHA512
2e1d0621f7ea2625ef322dd95996923d81d713d4f4e38d38f9f6e681a81f514e1cd345a772ffded2afd91ec344889ab95f2e0fa2089dd79a5e0b18ab092d75a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e68ff2b-f071-4065-920b-ac35d9cf1fd1.vbs

Filesize
745B

MD5
0ab7e31e269afc41d169f521fd3967ad

SHA1
7350586720958f90a5141dc13142f12dfec902cb

SHA256
401f4034d3b72596abb517b30902fea3e21385db64bd16cd93ba879763001928

SHA512
1d37dd6f57a6fef81dc6adc75098bc2825b674f4cdcb965b42ed2f0070e0948b52e1cc2c0f62cb73f247c3b589161d296ae6bf1aa187105f37db14e2a1a6770e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a9bf945-350a-481d-9c48-a4d6d032f673.vbs

Filesize
745B

MD5
ea1d3f3bb13d44fb9b135a98073a6cdd

SHA1
1da4e1a72daa43bab05a57e9b55c65a893b355f9

SHA256
07971fb5b3eed17ae99a7500a7dd32723a435093593c24b8f7e0c90ffac57944

SHA512
bd119252969e779e983fdea81feac7476f6381f154f087c18d525f905bb2091682c0aa55c6a576c99c758c126df9aeab9ce9a68864d094ec4752675001518717

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVO2yVWNDR.bat

Filesize
234B

MD5
cc0f7432376acf4f007f69b1de48fe91

SHA1
550e640d20e4998b3f3b86766bd8b6ec8cb36f63

SHA256
a2bb16dea3052f79e0b7d15f6a8a2c3364fb7959f01600279763efbbd900540f

SHA512
78b1f87f91cd781ee5037497e1a1843a98f5e83acd24387de2071c46771850cd32f051f5c4c10924a81fcc744cf415847480d50cb5e10fde6c337c75eba3649f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a50c1b6b-f3a1-4465-942c-d65337658bc6.vbs

Filesize
745B

MD5
386e2eb5ee788c548392f153f7fb46d6

SHA1
b938248b42ecc93762b1b0b2f6c2d1d29d8ec4e6

SHA256
195f76b0f30408e6552a99fcaee78859044d2cb295e1c87c5f7481e4c4ac4771

SHA512
ad1c460711f323b8f5e18c8fe4c59f1cb1538672485e0af23460d9676e9ce0b8d9bc6770efdf659d17d9b228b4bf08d140e8581046c940ef7aaf7f79881869d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aed8e25df82f4ea2ec0de33810a5339b52426169.exe

Filesize
1.6MB

MD5
c460aec8f82c784e01b335fde55abeb6

SHA1
09ccb956969b17c53bd36ab76a26d59e2cbaaf75

SHA256
6833906d0463aba5332dc00868815b3eacde133f2ffeb90dd637373cc1dce3c6

SHA512
16eae7c3a3b013adda8f91066c3892101f8151dbeca9da63590631b3fa034baddf41abbd652548f4d54396a1f1bccc5f06580c58a724237e20fd0a1639fdfd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\b233f889-f31e-41a5-ae70-d55cebbf53df.vbs

Filesize
745B

MD5
eaaed1080b5dbe185e0134812c31f94d

SHA1
5ff7bcc6d815b5bc533c2bed6221c3d7c57a664d

SHA256
474c711730fba489e196d5af9cee33dcadb1df48320255b2c8be8a7ebc8c43ce

SHA512
7562ee36c340bf926626e1c1d84e07f21d312d82ec5e2755a70478b99e5aa1f42d3419d39d5f26253ecaa40b222fc40ae2e7e71c0f1ae5848d5b8b0c95e91bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2c8841f-73cb-4455-be76-b6eff658101d.vbs

Filesize
745B

MD5
49b12c05e392c5044e9c6803b51e8846

SHA1
b8fe6a215fffe03f71ce5c6fd66fb44454848704

SHA256
df9707e12fecf36d84c3492be8fe4170ef11620a847863a74199306d9fbc4e09

SHA512
e15a43eb85f020a8803f990638366cf7f7e37359e0549843010c22cf2fd89bb969a4db795662e66ea35b7f62ce093216d1dfaca7240a500dd22e048a39bef544

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc5b6726-4f97-4f70-9016-da9f38b6d0c6.vbs

Filesize
745B

MD5
f9c5c416de2811cc083aefb1338b560d

SHA1
ed79f5d2e02f80a52da2fc045e82be726e6f5e59

SHA256
9ab8e11d4ae7839a432e4951cd5cfbbd434b733f5d75e052d2cb0526c5dd2f91

SHA512
dabfdd7f292b7f1ade5ad8836c152c5c5ed537d24564e066b6ba846d1bc524207e5c0f2238d5738a4e33d5277a510d1642306fcc73396d195ebfbb8a9771c20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\df3d0077-bac5-4a37-a288-1152b2b2361a.vbs

Filesize
744B

MD5
8045c309245630ff57c92369ca1651cb

SHA1
4ad157a501803f3c77d86571e562768347f6fb72

SHA256
0975f2d2f72e40f09e28ccbf0649dafa39eb9aa1eab9e51beef60a04e6dd69d3

SHA512
a945d6e41fbe434e692ffa4ddbb17ba9a7a95951acfd84658ae329acc8d596589655cb85ef50f4c0100ba71aee32d98e89e04f74b27655fe9201792dc791ae9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1d13e19-e199-470d-ba69-6ac0226a1cfa.vbs

Filesize
745B

MD5
8cddfe1eac9134106f656ba2dbc33bab

SHA1
f41f620fca2f7561612fbfd4f14db8aee450d747

SHA256
fac0be332d12d41edcb8293370add416dd7093412de14eea274f1e18833a4999

SHA512
de634b448fb2b3810ab21c10c53c1ead06682085cc1ecb0aa7775dc88277f1b91efb0ab6547928be77bcf70ef1aa46689740e6194bf3b3bcfdb3e62b5a4a3b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5ffcc32-2142-434e-b02a-752b5b1a0a01.vbs

Filesize
521B

MD5
c601f10a904a10009fc1629ace0263f3

SHA1
0fab3098502cd93219a799c8b14fd493a5ce3a16

SHA256
a8da2ae29d35c8b035ec2e556123b461597366d99cf4eb863fb4972b3449125c

SHA512
3148513b690989d309f919bb61476078e44e87362c9576937d244767d11a1005c84231c1a362ec010c2688c04d04e32d68f0a53331a86968c12fd55e9e6d7924

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8cbf513-04f5-4585-ac73-b9dd514e7cb7.vbs

Filesize
744B

MD5
6ac255c1a1180fd16918abe3bf18a759

SHA1
2982f0b36fb257931646b17951fce7925c50341f

SHA256
2ada9c6e0040fd48b045e08d09bcd9ba5f437631cfc6613d7ce25a63c5184d46

SHA512
13886dc2cc0555349fac54ad8fbba70d213fd324d4379bad22ebe65784bbb7e973d1a2efef90b15456d9402997760042d31d00d41a8da7d7ef23ffaf920e2108

Download Submit
C:\Users\Admin\AppData\Local\Temp\faa9804a-e023-4349-a5df-245e8fd27af2.vbs

Filesize
745B

MD5
a8d2efda60e2186efc16831ab548fd50

SHA1
311ebf5b4c1e91cee7d5de0af71934dc968e72b6

SHA256
05426a68112ecb2c4e1c1586354af68a821776bb95a7ddc890a729a2cf99f9c6

SHA512
069cc20775957aff4ef95b5b5048b088d33fe152165274c3d8c18897991829c13105d2cc9b66cbc524978d62155834531b2ed524d21fa40d2acd3bbefc1ccd35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ceed53ef342cff8b52347c2dcbace8d5

SHA1
e1064e0e3726315d069551b6c61d1bbe24515fe5

SHA256
e5d0781f8e6c39fcf173f414107cc6c79a6b74a799aa1bf27068f73f1761c371

SHA512
8e2dad54c473ad36c2aa3de3905b3b3e578c4fa0c6b63ba4bd4ac7927a76cc270734fa961b8ace6f95f3c4dd48117dc5dde9c53fd72f4b6a06100a809726a58d

Download Submit
C:\Windows\addins\winlogon.exe

Filesize
1.6MB

MD5
b181d7f9031420b9a02e08166e1000db

SHA1
5f97dd121e82f307419525eca38bbc878c8ea60a

SHA256
0d4d2841f3a9b1a055f0c00973e2f43a1c1288ebedaaba1cb7ecd541e96931ab

SHA512
9943b33f494bd726c8c8f1372243856c7cd4e23eb60f5548de179c3213c86b449f2943bb12dc04e7448f1373aadf779db13aad0e26da340b279c32d0b9c0e5e5

Download Submit
memory/236-194-0x0000000000C50000-0x0000000000DF2000-memory.dmp

Filesize
1.6MB

Download
memory/1472-13-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/1472-7-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/1472-1-0x0000000000DF0000-0x0000000000F92000-memory.dmp

Filesize
1.6MB

Download
memory/1472-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1472-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/1472-5-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/1472-6-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/1472-8-0x0000000000210000-0x0000000000218000-memory.dmp

Filesize
32KB

Download
memory/1472-9-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1472-4-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1472-10-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/1472-11-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1472-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/1472-131-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/1472-14-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/1472-15-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/1472-16-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/1472-12-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/1708-113-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1708-129-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1720-275-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download
memory/1872-182-0x00000000003F0000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2704-252-0x0000000001360000-0x0000000001502000-memory.dmp

Filesize
1.6MB

Download
memory/2756-206-0x00000000012F0000-0x0000000001492000-memory.dmp

Filesize
1.6MB

Download
memory/2772-240-0x0000000000070000-0x0000000000212000-memory.dmp

Filesize
1.6MB

Download
memory/2896-149-0x00000000011F0000-0x0000000001392000-memory.dmp

Filesize
1.6MB

Download