dcrat | af2a0d3a997ab4aacd34c2cb383ff7572f46898035ce7b958a98df6b431591f5

Analysis

max time kernel
12s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pOIK3KqYhOU5.exe
Size

1.5MB
MD5

78776612b260f09e939629b036c3c4a2
SHA1

bb671b7d0385cacc4756481df29dcc62bacfb4bb
SHA256

af2a0d3a997ab4aacd34c2cb383ff7572f46898035ce7b958a98df6b431591f5
SHA512

14714d0e3c57aa55294f274364c464464f3a74e45a2ed30daa6ea7075128c205d7a70a82c6b753526706180c1636c621068692ee372a0feacf785305116ec496
SSDEEP

24576:Dex5rAoPwujnJN0bArlSm/iwCU7IINgSr59bOFJjcOZCaI:D89Ak+mlWw11Ng6al

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2788	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2788	schtasks.exe	28

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pOIK3KqYhOU5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pOIK3KqYhOU5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pOIK3KqYhOU5.exe

DCRat payload 20 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2200-0-0x0000000001240000-0x00000000013CA000-memory.dmp	dcrat
behavioral1/files/0x0006000000015c87-21.dat	dcrat
behavioral1/files/0x0006000000016c10-48.dat	dcrat
behavioral1/files/0x0006000000016d47-77.dat	dcrat
behavioral1/files/0x0008000000016c7d-276.dat	dcrat
behavioral1/files/0x0008000000016c7d-275.dat	dcrat
behavioral1/files/0x0008000000016c7d-290.dat	dcrat
behavioral1/files/0x0011000000016c98-296.dat	dcrat
behavioral1/files/0x0008000000016c7d-304.dat	dcrat
behavioral1/files/0x0011000000016c98-310.dat	dcrat
behavioral1/files/0x0008000000016c7d-318.dat	dcrat
behavioral1/files/0x0011000000016c98-324.dat	dcrat
behavioral1/files/0x0008000000016c7d-333.dat	dcrat
behavioral1/files/0x0011000000016c98-338.dat	dcrat
behavioral1/files/0x0008000000016c7d-346.dat	dcrat
behavioral1/files/0x0011000000016c98-352.dat	dcrat
behavioral1/files/0x0008000000016c7d-360.dat	dcrat
behavioral1/files/0x0011000000016c98-367.dat	dcrat
behavioral1/files/0x0008000000016c7d-375.dat	dcrat
behavioral1/files/0x0011000000016c98-381.dat	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pOIK3KqYhOU5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pOIK3KqYhOU5.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\ja-JP\spoolsv.exe	pOIK3KqYhOU5.exe
File created	C:\Program Files (x86)\Adobe\6cb0b6c459d5d3	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files\VideoLAN\RCX4E87.tmp	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX508B.tmp	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX56D7.tmp	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX56D8.tmp	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files (x86)\Adobe\dwm.exe	pOIK3KqYhOU5.exe
File created	C:\Program Files\VideoLAN\dllhost.exe	pOIK3KqYhOU5.exe
File created	C:\Program Files\VideoLAN\5940a34987c991	pOIK3KqYhOU5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe	pOIK3KqYhOU5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\b75386f1303e64	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files\VideoLAN\RCX4E76.tmp	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX59A7.tmp	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX5A44.tmp	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe	pOIK3KqYhOU5.exe
File created	C:\Program Files\Windows Defender\ja-JP\f3b6ecef712a24	pOIK3KqYhOU5.exe
File created	C:\Program Files (x86)\Adobe\dwm.exe	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files\VideoLAN\dllhost.exe	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCX508A.tmp	pOIK3KqYhOU5.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\spoolsv.exe	pOIK3KqYhOU5.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\pOIK3KqYhOU5.exe	pOIK3KqYhOU5.exe

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2724	schtasks.exe
3056	schtasks.exe
2944	schtasks.exe
2748	schtasks.exe
656	schtasks.exe
1384	schtasks.exe
1132	schtasks.exe
2584	schtasks.exe
2144	schtasks.exe
2752	schtasks.exe
300	schtasks.exe
1324	schtasks.exe
2628	schtasks.exe
2464	schtasks.exe
1628	schtasks.exe
1160	schtasks.exe
1856	schtasks.exe
2844	schtasks.exe
2308	schtasks.exe
980	schtasks.exe
2768	schtasks.exe
2972	schtasks.exe
1352	schtasks.exe
1916	schtasks.exe
2056	schtasks.exe
2840	schtasks.exe
2760	schtasks.exe
2616	schtasks.exe
3060	schtasks.exe
1416	schtasks.exe
1380	schtasks.exe
1968	schtasks.exe
1972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2200	pOIK3KqYhOU5.exe
2200	pOIK3KqYhOU5.exe
2200	pOIK3KqYhOU5.exe
2200	pOIK3KqYhOU5.exe
2200	pOIK3KqYhOU5.exe
2200	pOIK3KqYhOU5.exe
2200	pOIK3KqYhOU5.exe
2200	pOIK3KqYhOU5.exe
2200	pOIK3KqYhOU5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	pOIK3KqYhOU5.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2040	2200	pOIK3KqYhOU5.exe	62
PID 2200 wrote to memory of 2040	2200	pOIK3KqYhOU5.exe	62
PID 2200 wrote to memory of 2040	2200	pOIK3KqYhOU5.exe	62
PID 2200 wrote to memory of 1600	2200	pOIK3KqYhOU5.exe	63
PID 2200 wrote to memory of 1600	2200	pOIK3KqYhOU5.exe	63
PID 2200 wrote to memory of 1600	2200	pOIK3KqYhOU5.exe	63
PID 2200 wrote to memory of 2392	2200	pOIK3KqYhOU5.exe	85
PID 2200 wrote to memory of 2392	2200	pOIK3KqYhOU5.exe	85
PID 2200 wrote to memory of 2392	2200	pOIK3KqYhOU5.exe	85
PID 2200 wrote to memory of 1604	2200	pOIK3KqYhOU5.exe	84
PID 2200 wrote to memory of 1604	2200	pOIK3KqYhOU5.exe	84
PID 2200 wrote to memory of 1604	2200	pOIK3KqYhOU5.exe	84
PID 2200 wrote to memory of 2088	2200	pOIK3KqYhOU5.exe	83
PID 2200 wrote to memory of 2088	2200	pOIK3KqYhOU5.exe	83
PID 2200 wrote to memory of 2088	2200	pOIK3KqYhOU5.exe	83
PID 2200 wrote to memory of 2764	2200	pOIK3KqYhOU5.exe	82
PID 2200 wrote to memory of 2764	2200	pOIK3KqYhOU5.exe	82
PID 2200 wrote to memory of 2764	2200	pOIK3KqYhOU5.exe	82
PID 2200 wrote to memory of 2404	2200	pOIK3KqYhOU5.exe	81
PID 2200 wrote to memory of 2404	2200	pOIK3KqYhOU5.exe	81
PID 2200 wrote to memory of 2404	2200	pOIK3KqYhOU5.exe	81
PID 2200 wrote to memory of 2664	2200	pOIK3KqYhOU5.exe	80
PID 2200 wrote to memory of 2664	2200	pOIK3KqYhOU5.exe	80
PID 2200 wrote to memory of 2664	2200	pOIK3KqYhOU5.exe	80
PID 2200 wrote to memory of 2140	2200	pOIK3KqYhOU5.exe	79
PID 2200 wrote to memory of 2140	2200	pOIK3KqYhOU5.exe	79
PID 2200 wrote to memory of 2140	2200	pOIK3KqYhOU5.exe	79
PID 2200 wrote to memory of 1888	2200	pOIK3KqYhOU5.exe	65
PID 2200 wrote to memory of 1888	2200	pOIK3KqYhOU5.exe	65
PID 2200 wrote to memory of 1888	2200	pOIK3KqYhOU5.exe	65
PID 2200 wrote to memory of 2348	2200	pOIK3KqYhOU5.exe	78
PID 2200 wrote to memory of 2348	2200	pOIK3KqYhOU5.exe	78
PID 2200 wrote to memory of 2348	2200	pOIK3KqYhOU5.exe	78
PID 2200 wrote to memory of 2680	2200	pOIK3KqYhOU5.exe	77
PID 2200 wrote to memory of 2680	2200	pOIK3KqYhOU5.exe	77
PID 2200 wrote to memory of 2680	2200	pOIK3KqYhOU5.exe	77
PID 2200 wrote to memory of 2460	2200	pOIK3KqYhOU5.exe	86
PID 2200 wrote to memory of 2460	2200	pOIK3KqYhOU5.exe	86
PID 2200 wrote to memory of 2460	2200	pOIK3KqYhOU5.exe	86

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	pOIK3KqYhOU5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	pOIK3KqYhOU5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	pOIK3KqYhOU5.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe
"C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pOIK3KqYhOU5.exe'
  2⤵
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
  2⤵
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'
  2⤵
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'
  2⤵
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\wininit.exe'
  2⤵
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\dwm.exe'
  2⤵
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Idle.exe'
  2⤵
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'
  2⤵
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\spoolsv.exe'
  2⤵
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\dllhost.exe'
  2⤵
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\sppsvc.exe'
  2⤵
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'
  2⤵
  PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lY2uCtHdrf.bat"
  2⤵
  PID:2460
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2628
- - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
    "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
    3⤵
    PID:3064
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f051171a-2585-48f2-b19d-2c3107f85309.vbs"
      4⤵
      PID:2564
    - - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
        5⤵
        
        PID:2064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf5e3421-9acf-40cd-93f7-03792479286e.vbs"
        6⤵
        
        PID:1684
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
        7⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e18d7c4c-4436-451e-997f-1aa621e4d78c.vbs"
        8⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53501616-3deb-4d2a-85d1-dd6e4ddb425b.vbs"
        8⤵
        
        PID:1068
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
        9⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d32628c-2b01-4b1d-83a1-ab3d6c59c9db.vbs"
        10⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\793153ca-57f1-42d2-93bf-2bdd61236587.vbs"
        10⤵
        
        PID:2528
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
        11⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a817420-e7aa-49d9-82c8-08c73ba5eb77.vbs"
        12⤵
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e624671-d30a-4e47-b0f2-3a7c0eff59b0.vbs"
        12⤵
        
        PID:2016
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
        13⤵
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee284ed6-9bb4-4c7b-982a-b8535276e057.vbs"
        14⤵
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b927920a-4dd8-4cd7-8563-07aeed6e407b.vbs"
        14⤵
        
        PID:920
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
        15⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ada03f4f-f7e4-4c0d-ba71-197019078014.vbs"
        16⤵
        
        PID:2416
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe"
        17⤵
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3593e9f5-d1d4-47cf-ab55-681e6c5bac1b.vbs"
        18⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\597badf7-52d1-487c-b0c4-bb6649bb11ab.vbs"
        18⤵
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8286c097-ceab-4b62-8e10-991abdf618e7.vbs"
        16⤵
        
        PID:2404
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc0ef2bf-3ad5-4973-b63e-f8120ce59910.vbs"
        6⤵
        
        PID:296
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\811bd74c-2fee-4d9d-a412-1c12eecb1f26.vbs"
      4⤵
      PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\7a4fb4e2-9ba1-11ee-8f7f-cd885a34f592\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\csrss.exe

Filesize
1.5MB

MD5
431de655192a33f5a59149e57f7a08bd

SHA1
6933b0bbab32127735854c1ad2802bc8d762a6d4

SHA256
c05d3fb1b68648668c8773eb3b56579df4627fc7a8fbffed8260193c5100c161

SHA512
2b4564688663e9395544a820ff2a3c10e16ac3c0fac3fea08f54bdff0495d280610e14bd227ca3b012cb9048f5e9342f399ec86125e5c5fff6091607920c5568

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
9KB

MD5
fec6449eee21335ada2cdaa35a9577fa

SHA1
fe28d407590e00af4aa0374023c7d8535e26f2af

SHA256
ce360e852ceff749760a08dd97614bc97c9f632e18674a73ea9baae6deb35796

SHA512
8261c95ddb5a8e1785dc6d9aef76adcd1f430266588d2d8ac89c21250c2f9d0e9c4ae008655c2e5c157bf530c4330b53870ced741680f9bfe23871f30650b0d1

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
96KB

MD5
01acb0ad1863caf62add59ee46ab838a

SHA1
03728d8cdb5e76edf500932ce0c2b793fe76c625

SHA256
36fa13b607e586c5fb9de738baeffe857d6c891d2426d4d84f555e4a27863174

SHA512
c1913a4a63d23f3dc03997d5badc8134c1e79d3b2b9cf0c28385d60fc7a8d016b63b37ac5fa62191cdf602924402118576957bd0a5ba980a538fb2fab9e161bb

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
220KB

MD5
cca25ea389464f77ebc78f738cf5d9de

SHA1
48a398204a33a8f35d264ed3a05db632d85a09c3

SHA256
3b901cab7ae96576958ca6c58710ed1e8d964c585b8499e059d178e0e5078856

SHA512
339ad0db20ecb744f7c25e5c75e4d9c1ae94abd295592a976e674a0c7cfe6abebb322d3fd7f45b4bfb9ffe1c0f4bf37a19980290c9336ca518948a35563c4441

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
22KB

MD5
bf41fe000115ab3c6c815d1893a826d1

SHA1
02ca64ccf04a5d2cb913aacbc661ec631395ab90

SHA256
90ccfd9e42b256778c4045dcea5eae8997b27a8a610b8da809c4b05ab4ab9048

SHA512
cc7e4b1cecf763d9381c2d28d0d40fafa3033eec22368ef6ed8f74c1285c98efdf9ac055610ef8cdc33caeb3026a8307e97b531ce962f3355632494e99c605fb

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
359KB

MD5
2553c11eeaf29d40e3261f328d269368

SHA1
63e126d4ed2ff7c7153abd5913180c04a99c4946

SHA256
cc7a0f82c880ff11ec3afc88f36ac7149f4792ffb845176934162de39da75ad1

SHA512
8c10c2a32e418eccd9ee6a613a999a9b99f5d56ef859aadee1bd87bda642b1acd78bdac4ab4e749be3652da68560d043b76eca9e15edf3c258c8cfde0a3a75b9

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
109KB

MD5
fd19a9e831d52c4b85573da69f4017e5

SHA1
6652d5f8f4e6bae408d053973bf3c03e7ba82e57

SHA256
a96545321d94ae889fcb7762892b4aa80e23d16fe2fc91afae8f79b5ce191ef9

SHA512
71e8cd923748561e2cf9625e101a0489d9771f7cb715e315637bb12b7da4455d40889e2011f3f42232df78fe6ad26c4aee12a2789cc0ae0c3a426276d683f22b

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
428KB

MD5
31165de300d5525abc0f2bc76b499631

SHA1
ef9b03fc60eaf96c7e17f1c86f798bfc27d49c97

SHA256
06ca996624b1c60f839d6718aa0e80f5d435c42af8af566eca0575fb22660450

SHA512
8d898816a98ddeabbe8244a84fca57995ea01b184d3b6846786b91f44950dabc588bdc428875b0892551669765334e505c74601cef270b0cd86530cda5b0fa30

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
627KB

MD5
c1236195950991149859d41c058f311c

SHA1
1b0b8a52b5acabec7e20dacd60bad125a3458ccc

SHA256
fb359cb067e943dfe3dfbac7908b70d134e4c03ad48cbf27dfef79e441c600da

SHA512
535daf92da94721b1affc725108e1454860d6b1074d773bc2dd6e35a3cf01f785e69178878d65a9e88dbe61a77bdd6c1af6e637ba27127c0598cfe8dbaf819cd

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe

Filesize
336KB

MD5
82556a41a38c2b6aa2e3675a5d6b8865

SHA1
b5f5bef938f6c7158273db5aab1f37ee827e511c

SHA256
3f139aded7b3843d1745c7ffbab75823254ce1b28097dff8e7ce9918b3a2c87e

SHA512
2a9717f53c81c2087026820e1763c584e4e7761d6bab8047af7d4cac9b23b21bb38280e30fc0962f30840d45bd323baace8b1b30aaf4e2462b33140b37372569

Download Submit
C:\Program Files\VideoLAN\RCX4E76.tmp

Filesize
1.5MB

MD5
66e1689f352ae5121e3b46f678920075

SHA1
9377310bc4aeae274f40be2599d8913591ade093

SHA256
30c7137b3ebf72f7d43731e4121d374d637147be0ab09fc63eb93f2fd155428d

SHA512
36c29c230565ebba35ac6c4389049d31d13058e4dbe88ab39c62d43931c728cc3c858421542dab8c039e331b87cd4fcdfb2017be776c3de9c8c0b0ef77072ac9

Download Submit
C:\Program Files\Windows Defender\ja-JP\spoolsv.exe

Filesize
681KB

MD5
a77103a0afe4aa9af6bd0907c261c70d

SHA1
cae3fcd7ebd6138430f4154209a0f1fbafd054ca

SHA256
79425400d489722145cce6a780d42d4774bb9dab16ef6ed3dadc2966ebf5f8f9

SHA512
a2921f94c78384e8215d68dd9a1f73abcd24adbd9d7dd19c4ecc7cbed7e05e511444e9367d0942abaf8eff3081e6a5acaa9c9b0513821ac99417e77129c7f2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e624671-d30a-4e47-b0f2-3a7c0eff59b0.vbs

Filesize
751B

MD5
ec792b3d705938637eafb907277d2eed

SHA1
66bb74f9c71f7d41d86baf4a03160ca044d2d02a

SHA256
0ad93c42537f6617255c0318ddf2b90aa49f61bc731a6f9d93da662e12af7c7d

SHA512
bccec038413576d930c2d0eff1233e093c749800348688f5d199c8c7a2b97ad798d3f04a9e846ab07225415682a9fbdb0385ece0497b0e9c0ce86dd9e9b73b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\53501616-3deb-4d2a-85d1-dd6e4ddb425b.vbs

Filesize
751B

MD5
54031000dbc2701235eecaea8766f91b

SHA1
53e1ab92c576af2720a4617edb7dfc9117284dfd

SHA256
2672a6bc92dd668e283754b3b6aea92341e014b74f9a9d57c0c96caa5198b74d

SHA512
a1bd0586609b636dde701c56b6225209fb684cf74f778d1b032e986b59a6553714eac0f5711cb029fc510274bf440e37f2390804b4fa093d40a8a5078912225a

Download Submit
C:\Users\Admin\AppData\Local\Temp\597badf7-52d1-487c-b0c4-bb6649bb11ab.vbs

Filesize
751B

MD5
850ce6730d7d3c547ecc56440f7435b1

SHA1
03dc161f0cc92e9f06bfecbe09c8a5b18fae5c2a

SHA256
9ea55d1750f449f9641b42cea1a73ebe5e2a129356d54b3998ef2c7837fec760

SHA512
4fa29c747b399b15f4a1cb374484c76ea507bba78030a7cd0eadaf4c3ac63c912fa8319ff95ce8bcca6558557495fa9cf1e65326aefe7251d6ff80e9ae267d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\793153ca-57f1-42d2-93bf-2bdd61236587.vbs

Filesize
751B

MD5
4597ff79036bf5596bcfb6c0f732834d

SHA1
85e43420e8e5b7bbb088f9828b6ca8bb03894c28

SHA256
584521a90fae73a66cd8948ac05d2b76f617045d443c9fbb36b2540698b8f569

SHA512
222f6396448ad9e0d31eed348fe044d909ce3f10abe8772d2ee4b3292886d1145de7d674be2c27b8811070fce943d0afabbee2e3406c6c8d3f89ff54ba567f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\811bd74c-2fee-4d9d-a412-1c12eecb1f26.vbs

Filesize
527B

MD5
12bdc88a7b59f23bbfac34274a8c52b6

SHA1
b1887f582d00ab0631608a66de583d86e544ff94

SHA256
017441689031b37635f72facbc21cae37f7299451d81b9f6cff959e6445641ff

SHA512
51bb6f92aceaf53d4164ea622ff2e77b8d86d070c25847c92100a484cdacd87bff73c98be25789ed8f7640cade8f7ac8caf0019280a5f95bc43406eff92f5b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e05e547c9ce9a5f024f100d4834a667d45220b9.exe

Filesize
358KB

MD5
610af439383579516505ee160823d262

SHA1
48dbbd1a882b5f4e90430643a6feab9b3f2a71e8

SHA256
2ad0c29ebdd6812633d92d80673f116bf46984756d98d9867c626ac91f314605

SHA512
3d12e772e2a8e851171ff942df805c36b03f3e63440492d6882b0c332b7002ed61555f01af9c2f70fa15f62ffaf2db409b8fa5661c82b06752a3c5d70cded5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e05e547c9ce9a5f024f100d4834a667d45220b9.exe

Filesize
136KB

MD5
42dde11eac78d3b7847d2d8a60ba6254

SHA1
c2bac6ef7d8d6b5d80dac6dfedfbcac1694820a0

SHA256
f1b1f733695ff967e09015def3470e8e8e85ad58835aa0b5def1dd81b9c98b7d

SHA512
38851d877cc910cfb4f7304f92182d2c8b495fad0d39ccafe4c76ffce14bfbcb891a0f33686fceb4f4deef4bc00d53f054e231fcf906305119ce210fc4ac0ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e05e547c9ce9a5f024f100d4834a667d45220b9.exe

Filesize
191KB

MD5
73cf15dd5fb5a1059657bf2d3646ea34

SHA1
6fa5188252ee30b1addf29064bb4041dfc824d5e

SHA256
085673bfc43e7bb2c288833840f1509f2d927f2c4f2f5456e685453644815d17

SHA512
549a20a0c4c192577a0911adc16cf4c170245eea2e23f43569cd62913a07a0bf142a31291a89a538593d13fa049d5a31806d5c853f422b3e4f86d2065c841d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e05e547c9ce9a5f024f100d4834a667d45220b9.exe

Filesize
402KB

MD5
118febdf17820b57bc81e7c1071b8ea6

SHA1
ce9eddc53271ff17ffca687920bf7a870324ab6c

SHA256
cc7ef5e0d3c3f77a463be52133347b4e7491b545e12c61e27ce897f81a8b8610

SHA512
f1b6b5edd1a0f1333f8116ed5a215712180672f9accacaa2ed7d4a36a7d65f7f26f80e3191d7a5eee3e783dad25c8b7c4b3e38132ae481fb9bf5417d13318b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e05e547c9ce9a5f024f100d4834a667d45220b9.exe

Filesize
283KB

MD5
075601a2b03d9fe7bfcd562995184cf0

SHA1
22e59f2cd62fce66da06c9ee860a935759439029

SHA256
f1d676169f526169c5c9e9e8c7213981cd26c3e596a5b315764460b801e3fd15

SHA512
089945cc42c46392bae2e167fb440ebc034719bd2d2bbfd6b888b58acb1fb7e7326f1fa8cbac8485c42c02f46a15acdd1754264cda54779106b51904982db781

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e05e547c9ce9a5f024f100d4834a667d45220b9.exe

Filesize
995KB

MD5
3be972f1fe832f9ccf540ab9b56afd91

SHA1
03874b1e8b1250eed010de3f30909517f282e4a8

SHA256
3f44364a541f2e7d1ee9163ddfaff95a4add0952609bd143d36ed8076a982fa2

SHA512
a2c655c4885a1992608891bb89cf3bc318a3b94947e50341db372427b1001281455b05a5ebe7d8be37e175dd1e555eef4067d6f3a9b041271487df8b3bf5cc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e05e547c9ce9a5f024f100d4834a667d45220b9.exe

Filesize
124KB

MD5
3b44e540616fb1bd0df5a3b67fe33449

SHA1
ba0400cd1308c1274406ff969e9b7f6dadac453a

SHA256
c77c31543d0d8f953febc66bec32ec0070ef65a5ac962b8cf1dc51b67ea1d924

SHA512
09adb6704a6450da7cf2ebfbf5ec7780c20a86479d6a714411921e0aa090f9563c5f0f5725996cc0594d0e9563d3a161d0e91bf98d5b04258c0e75281733c28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ada03f4f-f7e4-4c0d-ba71-197019078014.vbs

Filesize
751B

MD5
c68ade7bd3cd1cf31ba57e39267a91fb

SHA1
4bf0a5bf847ad7f6580ec9945a86fb3deed05044

SHA256
08051289541efd9d431341268d1f0809a0e336eeb2aad304fa2aa842cfdfb433

SHA512
55297de94a4794059217d4bf3d5aea680339eccabfe61d09252bbdcfe4e47901c7a23cb0e3e4739f9444fdba066e1ae946fd5cf50c0cdeb23f608be8ca0faf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b927920a-4dd8-4cd7-8563-07aeed6e407b.vbs

Filesize
751B

MD5
e7ce1f1e9f2fde9fe30c592fa616cce7

SHA1
cbf3301f4bc097b64f518b634646b110ae110312

SHA256
51164631daa969bfa8930cd11f83942ebf30f7d312f507b5724005da41ce9c36

SHA512
a6b85e84c4fe39f366735231cf8c1694513152f6f5a6dc42cd845070229f18fe0a92fb47192f2ec7c59760ba46949f7b22f785446aec04adab80a881a4dbec1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf5e3421-9acf-40cd-93f7-03792479286e.vbs

Filesize
751B

MD5
674f9d1550ab9f9ebc013f7938acd086

SHA1
5e5a39dbfc003a68706e22e83c80d272c81b7e57

SHA256
62aafdaaf758506b83ccc29a264480ed335fbc3ccfbe55bb8a4b46bc8a9d8af9

SHA512
37650c130760bfc0284bdd2ef3d9c2cf59f10a648d4cdc96493067c2b47b3df679581500944200a7a8ad5d609f80640e52a9853b3d3e62b2beab3c71dbefae01

Download Submit
C:\Users\Admin\AppData\Local\Temp\f051171a-2585-48f2-b19d-2c3107f85309.vbs

Filesize
751B

MD5
4407fb83594de56ac2b67443cad9725c

SHA1
a4bc385ecd7569d3b2ecbeee27c2c8b227187d08

SHA256
168bd3cedaf0840f3238a326f1ad5ac2959d2cd1ae002c5ee751977db6582c88

SHA512
9f0187aee563d17cc60345ac631f4228e1956c563c424c2c51e5a8f902d85b7eda97ec0c9bde1e25eb06b54c552db3908c1bff3235e5097e74495ad1bfd84a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lY2uCtHdrf.bat

Filesize
240B

MD5
394a53ef1b489f42336c6486eab9f636

SHA1
2818f4308c57705de6b4e9cd8a8a6dc37275e5c5

SHA256
b31bac260e6028494e010e86bc7091121810829ecd86f41aae648f1c7ec2a2db

SHA512
f434f7a07fe4b4e5996ee3956ffc62558dec915a9c0807dcd90e66e98868cb3f9a56c2756550302ddb1660f61aec5cf78c0cb5d70cf2c18727db830c01fbafe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QTMSB7AGY6N3DFJPKPMB.temp

Filesize
7KB

MD5
aa104cbef81daddb0f16db1262cccb23

SHA1
7c625ee3183cd3fe5bc8fc0d95222d3d41e3380c

SHA256
8630e2bdefc9cd8e9a57ea5978cc88d718093d8af99284fb8f08cb8eff1e1b08

SHA512
0096a8873f883f5212ea7100010b71f59496d48ae1f4bdcabcfc2a3753a58e87baaaea15c443bc1c6720d3049c67a8a5d241357836bd5ad36ca90bcdbe354cd7

Download Submit
memory/1600-244-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/1600-234-0x000000000236B000-0x00000000023D2000-memory.dmp

Filesize
412KB

Download
memory/1600-258-0x0000000002364000-0x0000000002367000-memory.dmp

Filesize
12KB

Download
memory/1604-267-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/1604-265-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1604-266-0x000000000292B000-0x0000000002992000-memory.dmp

Filesize
412KB

Download
memory/1604-269-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1888-235-0x000000000240B000-0x0000000002472000-memory.dmp

Filesize
412KB

Download
memory/1888-242-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/1888-252-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2040-268-0x0000000002A6B000-0x0000000002AD2000-memory.dmp

Filesize
412KB

Download
memory/2088-200-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2088-232-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2088-229-0x00000000025CB000-0x0000000002632000-memory.dmp

Filesize
412KB

Download
memory/2088-224-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2088-226-0x00000000025C4000-0x00000000025C7000-memory.dmp

Filesize
12KB

Download
memory/2088-223-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2088-171-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/2088-225-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2088-222-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2140-251-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/2140-255-0x000000000245B000-0x00000000024C2000-memory.dmp

Filesize
412KB

Download
memory/2140-241-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2200-9-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download
memory/2200-8-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/2200-1-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-11-0x0000000000C30000-0x0000000000C38000-memory.dmp

Filesize
32KB

Download
memory/2200-12-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/2200-170-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2200-2-0x000000001B130000-0x000000001B1B0000-memory.dmp

Filesize
512KB

Download
memory/2200-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2200-7-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2200-10-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/2200-0-0x0000000001240000-0x00000000013CA000-memory.dmp

Filesize
1.5MB

Download
memory/2200-5-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/2200-6-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/2200-4-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2348-227-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2348-228-0x00000000021E0000-0x0000000002260000-memory.dmp

Filesize
512KB

Download
memory/2348-247-0x00000000021EB000-0x0000000002252000-memory.dmp

Filesize
412KB

Download
memory/2348-238-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2348-243-0x00000000021E0000-0x0000000002260000-memory.dmp

Filesize
512KB

Download
memory/2392-249-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/2392-253-0x000000000241B000-0x0000000002482000-memory.dmp

Filesize
412KB

Download
memory/2392-240-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2404-254-0x00000000029EB000-0x0000000002A52000-memory.dmp

Filesize
412KB

Download
memory/2404-248-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/2404-239-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2664-250-0x000000000251B000-0x0000000002582000-memory.dmp

Filesize
412KB

Download
memory/2664-245-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2664-233-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2664-231-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2664-237-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2664-230-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2664-236-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2680-256-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2680-263-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download
memory/2680-246-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2680-257-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2680-262-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2680-264-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2764-261-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2764-259-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2764-260-0x000007FEED150000-0x000007FEEDAED000-memory.dmp

Filesize
9.6MB

Download