dcrat | 794c1b48e399a4ac173dcb4a6a619ad53cfa99f52b9685dc62d922dd879acb29

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paranoid Checker 4.1.7/Paranoid Checker 4.1.7.exe
Size

2.9MB
MD5

441eb07e3d375468662db04b5892aad0
SHA1

119a7c0f7bd7e1aca6778f5a6f0acee8658b6b81
SHA256

9229a657f2e08d32136781c3923385b2dafd37ede0081b5b6341f8b6d6c87ebb
SHA512

fc46a2540ac5e5754f88c10c9bf281726dd1130140ecf9b45ff305ef98d462e008ca1cb2b0d50fd6810c2f304e56afc9b160d05714307c53c154226e6f6674d2
SSDEEP

49152:5bA3/l6mCrumolIDrgUs5WjuAGaXXCzcCEXBw123/GogkLcqeKav/aBzOP:5bg8mCrumozVAXnIes23Odk4qBBzOP

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2328	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2328	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/files/0x0005000000019c4a-12.dat	dcrat
behavioral11/memory/2220-13-0x0000000000DC0000-0x0000000001030000-memory.dmp	dcrat
behavioral11/memory/2096-68-0x0000000000F30000-0x00000000011A0000-memory.dmp	dcrat
behavioral11/memory/1500-93-0x0000000000380000-0x00000000005F0000-memory.dmp	dcrat
behavioral11/memory/2464-105-0x0000000001220000-0x0000000001490000-memory.dmp	dcrat
behavioral11/memory/2356-118-0x0000000001380000-0x00000000015F0000-memory.dmp	dcrat
behavioral11/memory/952-143-0x0000000000340000-0x00000000005B0000-memory.dmp	dcrat
behavioral11/memory/1520-155-0x0000000000310000-0x0000000000580000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
2220	msComponentsaves.exe
2096	services.exe
2036	services.exe
1500	services.exe
2464	services.exe
2356	services.exe
348	services.exe
952	services.exe
1520	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	cmd.exe
2728	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
14	pastebin.com
16	pastebin.com
18	pastebin.com
20	pastebin.com
5	pastebin.com
8	pastebin.com
10	pastebin.com
12	pastebin.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows NT\conhost.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\7a0fd90576e088	msComponentsaves.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\audiodg.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\42af1c969fbb7b	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\42af1c969fbb7b	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\0a1fd5f707cd16	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows NT\088424020bedd6	msComponentsaves.exe
File created	C:\Program Files (x86)\Common Files\Services\msComponentsaves.exe	msComponentsaves.exe
File created	C:\Program Files (x86)\Common Files\Services\0bee7b80e28804	msComponentsaves.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\explorer.exe	msComponentsaves.exe
File created	C:\Program Files\Windows Media Player\Icons\spoolsv.exe	msComponentsaves.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paranoid Checker 4.1.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2820	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1204	schtasks.exe
1652	schtasks.exe
992	schtasks.exe
1052	schtasks.exe
988	schtasks.exe
348	schtasks.exe
1680	schtasks.exe
2460	schtasks.exe
2072	schtasks.exe
2500	schtasks.exe
1136	schtasks.exe
108	schtasks.exe
2748	schtasks.exe
1976	schtasks.exe
2716	schtasks.exe
2152	schtasks.exe
1612	schtasks.exe
1232	schtasks.exe
2064	schtasks.exe
2108	schtasks.exe
2672	schtasks.exe
1716	schtasks.exe
2228	schtasks.exe
2800	schtasks.exe
2684	schtasks.exe
2980	schtasks.exe
1332	schtasks.exe
560	schtasks.exe
2760	schtasks.exe
1856	schtasks.exe
2512	schtasks.exe
2324	schtasks.exe
2404	schtasks.exe
1344	schtasks.exe
2496	schtasks.exe
1580	schtasks.exe
1040	schtasks.exe
2580	schtasks.exe
1984	schtasks.exe
1860	schtasks.exe
1440	schtasks.exe
932	schtasks.exe
444	schtasks.exe
900	schtasks.exe
2432	schtasks.exe
2620	schtasks.exe
1812	schtasks.exe
1004	schtasks.exe
2380	schtasks.exe
2596	schtasks.exe
2832	schtasks.exe
2036	schtasks.exe
840	schtasks.exe
1312	schtasks.exe
2948	schtasks.exe
800	schtasks.exe
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2220	msComponentsaves.exe
2220	msComponentsaves.exe
2220	msComponentsaves.exe
2096	services.exe
2036	services.exe
1500	services.exe
2464	services.exe
2356	services.exe
348	services.exe
952	services.exe
1520	services.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	msComponentsaves.exe
Token: SeDebugPrivilege	2096	services.exe
Token: SeDebugPrivilege	2036	services.exe
Token: SeDebugPrivilege	1500	services.exe
Token: SeDebugPrivilege	2464	services.exe
Token: SeDebugPrivilege	2356	services.exe
Token: SeDebugPrivilege	348	services.exe
Token: SeDebugPrivilege	952	services.exe
Token: SeDebugPrivilege	1520	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2736	3012	Paranoid Checker 4.1.7.exe	30
PID 3012 wrote to memory of 2736	3012	Paranoid Checker 4.1.7.exe	30
PID 3012 wrote to memory of 2736	3012	Paranoid Checker 4.1.7.exe	30
PID 3012 wrote to memory of 2736	3012	Paranoid Checker 4.1.7.exe	30
PID 2736 wrote to memory of 2728	2736	WScript.exe	31
PID 2736 wrote to memory of 2728	2736	WScript.exe	31
PID 2736 wrote to memory of 2728	2736	WScript.exe	31
PID 2736 wrote to memory of 2728	2736	WScript.exe	31
PID 2728 wrote to memory of 2220	2728	cmd.exe	33
PID 2728 wrote to memory of 2220	2728	cmd.exe	33
PID 2728 wrote to memory of 2220	2728	cmd.exe	33
PID 2728 wrote to memory of 2220	2728	cmd.exe	33
PID 2220 wrote to memory of 2096	2220	msComponentsaves.exe	92
PID 2220 wrote to memory of 2096	2220	msComponentsaves.exe	92
PID 2220 wrote to memory of 2096	2220	msComponentsaves.exe	92
PID 2728 wrote to memory of 2820	2728	cmd.exe	93
PID 2728 wrote to memory of 2820	2728	cmd.exe	93
PID 2728 wrote to memory of 2820	2728	cmd.exe	93
PID 2728 wrote to memory of 2820	2728	cmd.exe	93
PID 2096 wrote to memory of 1352	2096	services.exe	94
PID 2096 wrote to memory of 1352	2096	services.exe	94
PID 2096 wrote to memory of 1352	2096	services.exe	94
PID 2096 wrote to memory of 112	2096	services.exe	95
PID 2096 wrote to memory of 112	2096	services.exe	95
PID 2096 wrote to memory of 112	2096	services.exe	95
PID 1352 wrote to memory of 2036	1352	WScript.exe	96
PID 1352 wrote to memory of 2036	1352	WScript.exe	96
PID 1352 wrote to memory of 2036	1352	WScript.exe	96
PID 2036 wrote to memory of 3052	2036	services.exe	97
PID 2036 wrote to memory of 3052	2036	services.exe	97
PID 2036 wrote to memory of 3052	2036	services.exe	97
PID 2036 wrote to memory of 2436	2036	services.exe	98
PID 2036 wrote to memory of 2436	2036	services.exe	98
PID 2036 wrote to memory of 2436	2036	services.exe	98
PID 3052 wrote to memory of 1500	3052	WScript.exe	99
PID 3052 wrote to memory of 1500	3052	WScript.exe	99
PID 3052 wrote to memory of 1500	3052	WScript.exe	99
PID 1500 wrote to memory of 2740	1500	services.exe	100
PID 1500 wrote to memory of 2740	1500	services.exe	100
PID 1500 wrote to memory of 2740	1500	services.exe	100
PID 1500 wrote to memory of 1572	1500	services.exe	101
PID 1500 wrote to memory of 1572	1500	services.exe	101
PID 1500 wrote to memory of 1572	1500	services.exe	101
PID 2740 wrote to memory of 2464	2740	WScript.exe	102
PID 2740 wrote to memory of 2464	2740	WScript.exe	102
PID 2740 wrote to memory of 2464	2740	WScript.exe	102
PID 2464 wrote to memory of 2860	2464	services.exe	103
PID 2464 wrote to memory of 2860	2464	services.exe	103
PID 2464 wrote to memory of 2860	2464	services.exe	103
PID 2464 wrote to memory of 608	2464	services.exe	104
PID 2464 wrote to memory of 608	2464	services.exe	104
PID 2464 wrote to memory of 608	2464	services.exe	104
PID 2860 wrote to memory of 2356	2860	WScript.exe	106
PID 2860 wrote to memory of 2356	2860	WScript.exe	106
PID 2860 wrote to memory of 2356	2860	WScript.exe	106
PID 2356 wrote to memory of 1432	2356	services.exe	107
PID 2356 wrote to memory of 1432	2356	services.exe	107
PID 2356 wrote to memory of 1432	2356	services.exe	107
PID 2356 wrote to memory of 1732	2356	services.exe	108
PID 2356 wrote to memory of 1732	2356	services.exe	108
PID 2356 wrote to memory of 1732	2356	services.exe	108
PID 1432 wrote to memory of 348	1432	WScript.exe	109
PID 1432 wrote to memory of 348	1432	WScript.exe	109
PID 1432 wrote to memory of 348	1432	WScript.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe
"C:\Users\Admin\AppData\Local\Temp\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ServerwebRefmonitorDhcp\z0DwzT959mUKovxD5GIlvgUprT.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\ServerwebRefmonitorDhcp\msComponentsaves.exe
      "C:\ServerwebRefmonitorDhcp\msComponentsaves.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Users\Admin\services.exe
        
        "C:\Users\Admin\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87ec0edb-6c26-4170-bf75-12f696265cc7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1b553d-ba1e-496b-b0cb-b4c70233e940.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\480074fd-6742-4cf8-97a7-eb321624f64b.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd1a5de4-7a41-46e7-9e8e-3704005eba56.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\689233a1-8b2a-4db7-9933-6182ef552efe.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebad8531-a38f-4689-aab6-3663f778fead.vbs"
        16⤵
        
        PID:2444
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\738907e1-5f97-4fdf-afc4-2662de5dc5e8.vbs"
        18⤵
        
        PID:2892
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6ba6401-3fe7-4a91-b7f8-2a6ef134c645.vbs"
        20⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c71a20db-6dcf-4394-8335-833500fba7b7.vbs"
        20⤵
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88996508-0b38-486a-8a0c-df925108fba2.vbs"
        18⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75896d79-c5cf-4d8e-a89a-481d4eac89a6.vbs"
        16⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dc5eb91-4142-4c6e-93aa-59cc20ba3bf2.vbs"
        14⤵
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6a1d5be-f44f-404d-acdd-342f15fdfd61.vbs"
        12⤵
        
        PID:608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79ef96ce-db9f-4c8c-b684-a9fec21f3a4e.vbs"
        10⤵
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e35fd67a-4a83-4227-9103-e2b7092fa59c.vbs"
        8⤵
        
        PID:2436
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c42b84ae-3c85-4480-a565-9f94e159d304.vbs"
        6⤵
        
        PID:112
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\ServerwebRefmonitorDhcp\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ServerwebRefmonitorDhcp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\ServerwebRefmonitorDhcp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComponentsavesm" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\msComponentsaves.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComponentsaves" /sc ONLOGON /tr "'C:\Users\Default User\msComponentsaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComponentsavesm" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\msComponentsaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComponentsavesm" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\msComponentsaves.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComponentsaves" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\msComponentsaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msComponentsavesm" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\msComponentsaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\ServerwebRefmonitorDhcp\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ServerwebRefmonitorDhcp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\ServerwebRefmonitorDhcp\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\ServerwebRefmonitorDhcp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ServerwebRefmonitorDhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\ServerwebRefmonitorDhcp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe

Filesize
227B

MD5
c4f52c0631a8695b0f14c2448f58e817

SHA1
fcc2ad52443c7dcaa844b66f87e3b138a153baf9

SHA256
cda56d62ea26565c81d7cb150204b59e7e9ceee957462fd3c2ff044d97aac2f4

SHA512
0360a9bec265aa978cd0dc4ab80bedb00285ef966434f2d57c04d6b943673d29eac419035025dafce002c2c577b5b2882ce5ead6f79fb84df4e52db2d4a6c4c3

Download Submit
C:\ServerwebRefmonitorDhcp\msComponentsaves.exe

Filesize
2.4MB

MD5
e426d3b62c5478e7270a4b8c72c71539

SHA1
d65a844d8f8dd1655aba5a0927d6373480b79632

SHA256
4023c7f0a9dc47dcbefc20bf92423a1c4a80de962f79ff78fd6cdca64def73b5

SHA512
21401403a59d79f619316a34a247d752f56d1172fe70934a872e37253e9a3c99defbf3f5b08ff079cab5e2fbb4648b0428e253e402c6627ef55edb5951614454

Download Submit
C:\ServerwebRefmonitorDhcp\z0DwzT959mUKovxD5GIlvgUprT.bat

Filesize
161B

MD5
a5249d8d9ac9a994fb125f32d6e61ef7

SHA1
f2df0aeb2f44fe19e352a83851c1f6f1c1717920

SHA256
e1e77331eaf029bdf0b48562314dfd82c47cc85b28e2a66c506d388056713f55

SHA512
5e47c5e6b475a3b9eeb6414311eccf39b04067fe06d7ff91d6327f61656f6ba1d2a52addd96afa27a7a036164e539f37ffde24c76c6896e4b82ef1d978839532

Download Submit
C:\Users\Admin\AppData\Local\Temp\480074fd-6742-4cf8-97a7-eb321624f64b.vbs

Filesize
703B

MD5
64496fbf01e7d0889d4f0a1afc2fd334

SHA1
95579eb86e2b24c2a5b0285c99671e5695740af7

SHA256
2258c18bd22eaf8623b1f5cde4b0bc71dc59ae0bbf736ed021ef0f2a5caf444b

SHA512
1e999e8dedf4829935337ed147e00b8607f3848690c222b5ce6dc1096d1801175be2fbfdfbeb4703574c5736af7e349fc396270429d73b188292337739e43543

Download Submit
C:\Users\Admin\AppData\Local\Temp\689233a1-8b2a-4db7-9933-6182ef552efe.vbs

Filesize
703B

MD5
ba55dd7ab3e9d347ae9e05987a42ab88

SHA1
c10da1c4b87fe3c99da00f3fb61f9e78f98d2918

SHA256
ec338a891edb4d16e5e6f21815a4ce820dc864833557c88b65d26c44a53222d8

SHA512
f29f12efb23e9d8ba744562e03a39edba70689713d1124458385a3c1f379082ae2797ec265df763a262b198280ea3fa6e9af3030cb2743bb524543e6b958f31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\738907e1-5f97-4fdf-afc4-2662de5dc5e8.vbs

Filesize
702B

MD5
24a02eb47252b080cdeaacc0d1e68897

SHA1
9f44bcc09dc751e90ab6e34e5d61b0d1d232fa93

SHA256
82b474c1d3e53a3e2f6ce7aba605353f155f6833bf6ba1f1f3df638a8d07422e

SHA512
bce137b73efbc3aa3bd7031ba61a3b8bc158bbbec19648f4b776bb609344c8ac8f46e7b4e192bb1b5d1d9af756edbd5f9a9ec17ad7dbccf436b082b2e4207cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\87ec0edb-6c26-4170-bf75-12f696265cc7.vbs

Filesize
703B

MD5
ff0ff3bad5cf85a4d78cbcdb893b867f

SHA1
16e6a2444c9edb88eb2bb40c75461dd97f905894

SHA256
6c7b3601b93f9337c20d7bc03301dd133e8a54f1535e42f932655152dde3ec89

SHA512
d307f4ee2fa7ada1d8f3636d2cbc1d34ca8976d7b9bec78b22edf5e19cd58569934dd1d92353b1558fbcfe4be111f086143a672453a1c6b9922439351a66f960

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b1b553d-ba1e-496b-b0cb-b4c70233e940.vbs

Filesize
703B

MD5
a20625c637b2fbdd8f3bfb60875875cd

SHA1
525fc33bdee787056e7d2ec19c05cb6f89f306bd

SHA256
17286b249d52e846729903b26643f10db545396f7c84331d02d4fe39dd46283a

SHA512
39af64ffe322e614d64dc05b9a8b6648dcc0c7ef8b42f700721ad1bbe7085bdb547d0ed287882f5f79a321679d51ca5b74b165ac854d3d4c9dbb037c16514448

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6ba6401-3fe7-4a91-b7f8-2a6ef134c645.vbs

Filesize
703B

MD5
54f355933fb44ac5455d67312726fa3e

SHA1
61b12bce79ce10393be6f2835438ed3305bd970e

SHA256
987e8cfda5f124f7bd6d8273901d15bc41e44b4029ccbe1d17ab5384e43f5135

SHA512
66771056c4f9ea0c026a8c02d5d79c97f618bf7f6453d13bf0d996b2c9b8f28ca591c30697e46fc0f6464f05d2d803e1aa659d9cb83f4fdd1c53a0be5df136c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c42b84ae-3c85-4480-a565-9f94e159d304.vbs

Filesize
479B

MD5
3348f72e7e5f440abe2de5a9bb748033

SHA1
d65a67dd9cc6f021c14bc3f505097cc811758873

SHA256
5b4d9a97b6de953e7bea92ab7726f4bb4d33ab1587119469063a452c34cd55da

SHA512
b915183a92e03101ee02da7c48ad30703d8f5b40f7ed3c18a55c794b0ae38811eff66ae3eb86533b21e634b61905ccf3814e08ce2edf7f95a6768d652e786628

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd1a5de4-7a41-46e7-9e8e-3704005eba56.vbs

Filesize
703B

MD5
b29ba8736df849ea75053473557e6efa

SHA1
5507e1d600291d39acb7e399ff5501cee790801f

SHA256
28a760f98b3a9bb36cef811f38f7f68536f067565108b4ff0d57837619b8b065

SHA512
d54886ab136a281193ff7705c27f6ed9115d90db0a99e3f7035f364e05e4e21a29cf28fe157b739f9006e1899ed20628edc06b5b0047067b9be9791b11b0deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebad8531-a38f-4689-aab6-3663f778fead.vbs

Filesize
702B

MD5
4e69d3097ae31c533e278819361731d5

SHA1
ce7ffd0b1d4ef03e20ba8f6c79e4ba08cd883894

SHA256
780a98265be82c023c34792c53dec17d501b63a347009dd470e6b364102631ae

SHA512
adf18143c5fa4178afa33a76042719fbd5404bf9af112d7f2ed35d7a30d0b9484e9bbbad9355ce8b0e8f44ab1f6863ae9c7ec9dc6a6c4892813f104b7edd1da3

Download Submit
memory/348-131-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/952-143-0x0000000000340000-0x00000000005B0000-memory.dmp

Filesize
2.4MB

Download
memory/1500-93-0x0000000000380000-0x00000000005F0000-memory.dmp

Filesize
2.4MB

Download
memory/1520-155-0x0000000000310000-0x0000000000580000-memory.dmp

Filesize
2.4MB

Download
memory/2036-80-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2036-81-0x0000000000A40000-0x0000000000A96000-memory.dmp

Filesize
344KB

Download
memory/2096-68-0x0000000000F30000-0x00000000011A0000-memory.dmp

Filesize
2.4MB

Download
memory/2096-69-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2220-18-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2220-16-0x0000000000330000-0x0000000000346000-memory.dmp

Filesize
88KB

Download
memory/2220-22-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2220-13-0x0000000000DC0000-0x0000000001030000-memory.dmp

Filesize
2.4MB

Download
memory/2220-15-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/2220-21-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2220-14-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2220-23-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2220-20-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2220-19-0x0000000002510000-0x0000000002566000-memory.dmp

Filesize
344KB

Download
memory/2220-17-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2356-119-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2356-118-0x0000000001380000-0x00000000015F0000-memory.dmp

Filesize
2.4MB

Download
memory/2464-106-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2464-105-0x0000000001220000-0x0000000001490000-memory.dmp

Filesize
2.4MB

Download