dcrat | 03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
Size

1.6MB
MD5

3460086ec800f981300049f405f07ab7
SHA1

6e642473448a705bfa2a9d9d54d1b0fdd88ed791
SHA256

03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371
SHA512

f7c9ac03a980ee2dfda8cb7e94a01375c326c32be75c628a9848409f2e621f69965b28fec3f8851cedb122c16aa66f8cb29dc92816ba0c83270a09b876828f88
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3036	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	3036	schtasks.exe	29

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1688-1-0x00000000010B0000-0x0000000001252000-memory.dmp	dcrat
behavioral1/files/0x000500000001960c-25.dat	dcrat
behavioral1/files/0x000500000001a42d-44.dat	dcrat
behavioral1/memory/1760-130-0x00000000001C0000-0x0000000000362000-memory.dmp	dcrat
behavioral1/memory/1664-177-0x0000000000FA0000-0x0000000001142000-memory.dmp	dcrat
behavioral1/memory/1176-189-0x00000000011F0000-0x0000000001392000-memory.dmp	dcrat
behavioral1/memory/2736-201-0x00000000002B0000-0x0000000000452000-memory.dmp	dcrat
behavioral1/memory/2700-213-0x00000000013B0000-0x0000000001552000-memory.dmp	dcrat
behavioral1/memory/1232-225-0x0000000000230000-0x00000000003D2000-memory.dmp	dcrat
behavioral1/memory/1664-237-0x0000000000220000-0x00000000003C2000-memory.dmp	dcrat
behavioral1/memory/1044-249-0x0000000000C30000-0x0000000000DD2000-memory.dmp	dcrat
behavioral1/memory/1828-261-0x0000000000390000-0x0000000000532000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe
2116	powershell.exe
2164	powershell.exe
1836	powershell.exe
376	powershell.exe
1636	powershell.exe
2464	powershell.exe
2592	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1760	lsm.exe
1664	lsm.exe
1176	lsm.exe
2736	lsm.exe
2700	lsm.exe
1232	lsm.exe
1664	lsm.exe
1044	lsm.exe
1828	lsm.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXF387.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXF388.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\WmiPrvSE.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\24dbde2999530e	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXF790.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\101b941d020240	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\WmiPrvSE.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF183.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXFC07.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXFC75.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\RCXFE79.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\RCXFE7A.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\7a0fd90576e088	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files\Windows Photo Viewer\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Program Files\Windows Photo Viewer\65486ec6f79c4e	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF115.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCXF791.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\tracing\sppsvc.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File created	C:\Windows\tracing\0a1fd5f707cd16	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\tracing\RCXF58C.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\tracing\RCXF58D.tmp	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
File opened for modification	C:\Windows\tracing\sppsvc.exe	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe
600	schtasks.exe
2180	schtasks.exe
1056	schtasks.exe
2552	schtasks.exe
908	schtasks.exe
2772	schtasks.exe
2804	schtasks.exe
2584	schtasks.exe
1064	schtasks.exe
2884	schtasks.exe
3020	schtasks.exe
2664	schtasks.exe
2908	schtasks.exe
2580	schtasks.exe
2956	schtasks.exe
2920	schtasks.exe
2656	schtasks.exe
2628	schtasks.exe
2496	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
2116	powershell.exe
2596	powershell.exe
2464	powershell.exe
2164	powershell.exe
1636	powershell.exe
376	powershell.exe
2592	powershell.exe
1836	powershell.exe
1760	lsm.exe
1664	lsm.exe
1176	lsm.exe
2736	lsm.exe
2700	lsm.exe
1232	lsm.exe
1664	lsm.exe
1044	lsm.exe
1828	lsm.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1760	lsm.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1664	lsm.exe
Token: SeDebugPrivilege	1176	lsm.exe
Token: SeDebugPrivilege	2736	lsm.exe
Token: SeDebugPrivilege	2700	lsm.exe
Token: SeDebugPrivilege	1232	lsm.exe
Token: SeDebugPrivilege	1664	lsm.exe
Token: SeDebugPrivilege	1044	lsm.exe
Token: SeDebugPrivilege	1828	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2592	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	51
PID 1688 wrote to memory of 2592	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	51
PID 1688 wrote to memory of 2592	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	51
PID 1688 wrote to memory of 2596	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	52
PID 1688 wrote to memory of 2596	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	52
PID 1688 wrote to memory of 2596	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	52
PID 1688 wrote to memory of 2116	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	53
PID 1688 wrote to memory of 2116	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	53
PID 1688 wrote to memory of 2116	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	53
PID 1688 wrote to memory of 2164	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	54
PID 1688 wrote to memory of 2164	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	54
PID 1688 wrote to memory of 2164	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	54
PID 1688 wrote to memory of 1836	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	55
PID 1688 wrote to memory of 1836	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	55
PID 1688 wrote to memory of 1836	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	55
PID 1688 wrote to memory of 376	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	56
PID 1688 wrote to memory of 376	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	56
PID 1688 wrote to memory of 376	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	56
PID 1688 wrote to memory of 1636	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	57
PID 1688 wrote to memory of 1636	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	57
PID 1688 wrote to memory of 1636	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	57
PID 1688 wrote to memory of 2464	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	58
PID 1688 wrote to memory of 2464	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	58
PID 1688 wrote to memory of 2464	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	58
PID 1688 wrote to memory of 1760	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	67
PID 1688 wrote to memory of 1760	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	67
PID 1688 wrote to memory of 1760	1688	03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe	67
PID 1760 wrote to memory of 2204	1760	lsm.exe	68
PID 1760 wrote to memory of 2204	1760	lsm.exe	68
PID 1760 wrote to memory of 2204	1760	lsm.exe	68
PID 1760 wrote to memory of 2052	1760	lsm.exe	69
PID 1760 wrote to memory of 2052	1760	lsm.exe	69
PID 1760 wrote to memory of 2052	1760	lsm.exe	69
PID 2204 wrote to memory of 1664	2204	WScript.exe	70
PID 2204 wrote to memory of 1664	2204	WScript.exe	70
PID 2204 wrote to memory of 1664	2204	WScript.exe	70
PID 1664 wrote to memory of 2092	1664	lsm.exe	71
PID 1664 wrote to memory of 2092	1664	lsm.exe	71
PID 1664 wrote to memory of 2092	1664	lsm.exe	71
PID 1664 wrote to memory of 2440	1664	lsm.exe	72
PID 1664 wrote to memory of 2440	1664	lsm.exe	72
PID 1664 wrote to memory of 2440	1664	lsm.exe	72
PID 2092 wrote to memory of 1176	2092	WScript.exe	73
PID 2092 wrote to memory of 1176	2092	WScript.exe	73
PID 2092 wrote to memory of 1176	2092	WScript.exe	73
PID 1176 wrote to memory of 2728	1176	lsm.exe	74
PID 1176 wrote to memory of 2728	1176	lsm.exe	74
PID 1176 wrote to memory of 2728	1176	lsm.exe	74
PID 1176 wrote to memory of 2240	1176	lsm.exe	75
PID 1176 wrote to memory of 2240	1176	lsm.exe	75
PID 1176 wrote to memory of 2240	1176	lsm.exe	75
PID 2728 wrote to memory of 2736	2728	WScript.exe	76
PID 2728 wrote to memory of 2736	2728	WScript.exe	76
PID 2728 wrote to memory of 2736	2728	WScript.exe	76
PID 2736 wrote to memory of 1832	2736	lsm.exe	77
PID 2736 wrote to memory of 1832	2736	lsm.exe	77
PID 2736 wrote to memory of 1832	2736	lsm.exe	77
PID 2736 wrote to memory of 2720	2736	lsm.exe	78
PID 2736 wrote to memory of 2720	2736	lsm.exe	78
PID 2736 wrote to memory of 2720	2736	lsm.exe	78
PID 1832 wrote to memory of 2700	1832	WScript.exe	79
PID 1832 wrote to memory of 2700	1832	WScript.exe	79
PID 1832 wrote to memory of 2700	1832	WScript.exe	79
PID 2700 wrote to memory of 2664	2700	lsm.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe
"C:\Users\Admin\AppData\Local\Temp\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
  "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d611097-b75f-4c3a-a196-9799cb6d19c0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
      "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89582396-50ca-402a-9ea0-51bd845703e0.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
        
        "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5813385-21c6-4b9d-8b4a-cc61a13c2fd4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
        
        "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e2c1e51-15aa-4e99-8348-1b5b78492afa.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
        
        "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88151fe7-bc5c-48f1-8774-401a5811d540.vbs"
        11⤵
        
        PID:2664
        
        C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
        
        "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15013fba-66fe-411d-959a-a8a6da131156.vbs"
        13⤵
        
        PID:2028
        
        C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
        
        "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ca09af0-badc-46ac-828e-64e3f0f0376c.vbs"
        15⤵
        
        PID:2340
        
        C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
        
        "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e35c6966-ca7a-49e3-916f-77634d472e28.vbs"
        17⤵
        
        PID:1748
        
        C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe
        
        "C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52adf63a-ae8d-479b-9ee6-76cff93993e4.vbs"
        19⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\798f60c3-3767-469f-9752-d3dc56be097a.vbs"
        19⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8c185e1-8495-4f8a-9e98-e8908aaffd7c.vbs"
        17⤵
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce99bc9f-59ab-470d-9743-505fe8dfe376.vbs"
        15⤵
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f4f9beb-1e60-4e63-896c-c6486c7036bd.vbs"
        13⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acb488a3-4963-44c2-a198-0b032377fd74.vbs"
        11⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd9e0ead-9af6-4573-8392-03a957d89019.vbs"
        9⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5178eda-e8b4-4c2b-9f56-33949bfe88a5.vbs"
        7⤵
        
        PID:2240
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e3570c7-2a65-4597-ac75-67aa7c55ae8c.vbs"
        5⤵
        
        PID:2440
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e48d21cf-15d4-4cc0-814d-07ad3576492e.vbs"
    3⤵
    PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c413710" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c413710" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Uninstall Information\csrss.exe

Filesize
1.6MB

MD5
fa13a16db803548a77161374c6201c43

SHA1
794f9603104b81716c4e3ec3d4fe8249cace6a90

SHA256
4c2a46eef11b781b7ebd59abe0171dad8d97fd204b79eca95681e7239933e80e

SHA512
5d93125ca7b8003de66d3cabb1431f36537eef5da4e5e72be4ee8212f191b88a3408e7b6939fc362fd4279d7bec641668b106bc5aba5d42023e68d17dcff5184

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\csrss.exe

Filesize
1.6MB

MD5
3460086ec800f981300049f405f07ab7

SHA1
6e642473448a705bfa2a9d9d54d1b0fdd88ed791

SHA256
03f8f28519d064e46b87f50af8c2cb5b300a8898249618daee93ebbb61c41371

SHA512
f7c9ac03a980ee2dfda8cb7e94a01375c326c32be75c628a9848409f2e621f69965b28fec3f8851cedb122c16aa66f8cb29dc92816ba0c83270a09b876828f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e2c1e51-15aa-4e99-8348-1b5b78492afa.vbs

Filesize
727B

MD5
31f86717c17b311ec7d99a3d2c5ecc74

SHA1
b119c151f794b44fe13018acb89648e442135d39

SHA256
9226f1d06c380c27814ffe6b6d15a1eff51adf46d1e58c374606106764b5b888

SHA512
5d53c0aa10f4d6a5adc9f2f1f0fc50a15d5287e52aa0c879789409d90febba1e95bffc82fa9b2bb00a5ea3928b574e68974d85be510de7e510bdb05ccbf53f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\15013fba-66fe-411d-959a-a8a6da131156.vbs

Filesize
727B

MD5
7147116ff8916dbae09d3ba223f5c3b4

SHA1
ad4311cb4944e35f505b545857a3c6bd3863bc07

SHA256
ec1bd344e057ffe1f502d49497a88378b611433bd7ae3817afcf69c4c9eb175f

SHA512
5c25c2492102be413f032087d607f57f8f0b15b589272cb2a1964fb7db4cca6c046a29ea9233a175ea087f3b564886bea790c6f44b75322b86560673a0ada950

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d611097-b75f-4c3a-a196-9799cb6d19c0.vbs

Filesize
727B

MD5
51c14820cc7555be842d1819a9085cb6

SHA1
b21ab858afc6a4c99f8485f93c0f57af33cdb1e1

SHA256
1c429457bca87753ba5e699578e6e2c2655c56045284ebc47516e13ef9869f1c

SHA512
56981ba04cc9f5ee1889d8ee5857da87f59b658031c334c31da6ce45980d0b253651254300cacb7caf3fbaed72fe70d9ffba4698a458c125e9feafd768c820c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\52adf63a-ae8d-479b-9ee6-76cff93993e4.vbs

Filesize
727B

MD5
b199a729129f51b312bd746d0f95e3f6

SHA1
231bc4108795008d532e369f29bb7c9645cc3dae

SHA256
a223d7b18c6751c413446bb298d4e3493788cf59354a04936acb5b1aabfa6da0

SHA512
848b016f4727f101a895d8d3d2a5b0ed2e9212e111a8c72a05a43004eb98697cca72d87c795ea28ba39da369c74d3fe762740012f05ea8004adaf3c52f5c1b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\88151fe7-bc5c-48f1-8774-401a5811d540.vbs

Filesize
727B

MD5
236171df56e948b160bfcbd38f863a15

SHA1
87a47662a917c7a7922ddb2d1316ed28a25b238c

SHA256
79f04039d6cec2ac3535454b8633cb1f424a4b438873477d04ec6de21f4e7f31

SHA512
d38ab4302d89c0c92deba18a968e791133cc8f0c72614b4b5ac0863042c88b94e1c403372358f6b7fc8473079550510279672a7fa7865aa783186df6ddbb7423

Download Submit
C:\Users\Admin\AppData\Local\Temp\89582396-50ca-402a-9ea0-51bd845703e0.vbs

Filesize
727B

MD5
fbb8095ec0589bedaab6368417f4b505

SHA1
f38f6489da71b7e84fc163193e2efc88b01366c9

SHA256
edcd1aa4da71701cfd61c47e38937017fba76331e373744bc9594c3f1bad2d9a

SHA512
2d5a16d39ac4d31fc8866565625e0f101a9f36e6b0eb2307fb477729b1d8e7e3d5739b80f9f8bd1af27dc138010b754ffb20707b952933f1696ac3b887db0a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5813385-21c6-4b9d-8b4a-cc61a13c2fd4.vbs

Filesize
727B

MD5
c01fc4133abe3316b7a03ebb94a4f457

SHA1
84bc1dab2be2a83a9caad326be3c4f1bd2b127eb

SHA256
77b5d0d6c576ec1019e4d0787686e7a092342e15749d49446aa2ee01a3bc72e4

SHA512
899f25d143cb4374d8b11787d729d344cf04a9aa70f75e26a8d35d236d99d4c0248f9f4057ed08769de6c2a3a06fdf1b9ee194f3d0914fe20ab83554b004a614

Download Submit
C:\Users\Admin\AppData\Local\Temp\e35c6966-ca7a-49e3-916f-77634d472e28.vbs

Filesize
727B

MD5
28599c3d044ad08bffdaf9c53b628daa

SHA1
bc87d9fc7bed63bf17a845e47719b90df180602a

SHA256
a28f7b678535bf8e03212b7fae579548d4ac8ca7121e55cedc5d686cb0b3469c

SHA512
a3459927e0b54f0f975dc29466b638619851eb9013e1f5b2c817f40d2096a15e1eba6b4f27628d7db0145c98355b049d129927d4df6fbe7c7bc18ceadaa2fed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e48d21cf-15d4-4cc0-814d-07ad3576492e.vbs

Filesize
503B

MD5
59632b05e6414fab171f238ee8881a61

SHA1
fb462e00d7eb2d9ca1048520919c6fca07dd5b9f

SHA256
3a959eb1e7e8b1132d534678d1ebe8340bd1eec6f38f510b1bc55a8e2b002ab9

SHA512
34281ff8761106a5b84cf8e695390616165df84e9e1f6e1c2ec4933e69d8fd6fa7cdb5e16575ffdd3eecd3a788e5650d0c102b2fdcd97a64cdbaad07b81e351f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a46d29297e1b09b71d2b2bc039e98c62

SHA1
a125a6a9a62944447ce74218fb30411cbac573c6

SHA256
0e24fd757672bae3f2b28fcfc6b64b70b645bd781ceb2a47048ae0c2352a3214

SHA512
b7322eb6dd69a51ef02f2eb4761b7d5437b5fc00ef15549ce901365edaa8c562fbbb812c8b55a1c81cad5e72df556bd9163d3021622c43ee52f4b45c230032b4

Download Submit
memory/1044-249-0x0000000000C30000-0x0000000000DD2000-memory.dmp

Filesize
1.6MB

Download
memory/1176-189-0x00000000011F0000-0x0000000001392000-memory.dmp

Filesize
1.6MB

Download
memory/1232-225-0x0000000000230000-0x00000000003D2000-memory.dmp

Filesize
1.6MB

Download
memory/1664-237-0x0000000000220000-0x00000000003C2000-memory.dmp

Filesize
1.6MB

Download
memory/1664-177-0x0000000000FA0000-0x0000000001142000-memory.dmp

Filesize
1.6MB

Download
memory/1688-10-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/1688-0-0x000007FEF6323000-0x000007FEF6324000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x00000000010B0000-0x0000000001252000-memory.dmp

Filesize
1.6MB

Download
memory/1688-15-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download
memory/1688-2-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1688-147-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-13-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/1688-14-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/1688-11-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/1688-12-0x0000000000C40000-0x0000000000C4E000-memory.dmp

Filesize
56KB

Download
memory/1688-16-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/1688-9-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1688-4-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1688-8-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/1688-5-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/1688-7-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/1688-6-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/1760-130-0x00000000001C0000-0x0000000000362000-memory.dmp

Filesize
1.6MB

Download
memory/1828-261-0x0000000000390000-0x0000000000532000-memory.dmp

Filesize
1.6MB

Download
memory/2116-135-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2116-127-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2700-213-0x00000000013B0000-0x0000000001552000-memory.dmp

Filesize
1.6MB

Download
memory/2736-201-0x00000000002B0000-0x0000000000452000-memory.dmp

Filesize
1.6MB

Download