dcrat | 37393231ee6c2f1e4e81bb820867302f509abe5108d7e6eac891fe1ab4b66ca5

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f9f36ada3d9d3cf8af85679ea3a007.exe
Size

885KB
MD5

b4f9f36ada3d9d3cf8af85679ea3a007
SHA1

521a77168a7fd708991a4fd42c9057928f99eb2d
SHA256

4c40fe8d556366b3bed82a8bca55eebee2c93c9b880059ef3d9323af81ff2769
SHA512

483f516bc3ad4de0f98d0d321f5d53685c0099a21284a39471de9419cce2d412c0b96869c815a52d96c95cadb5f0edbbce55040f3eb3fe0f58cae14e2f76c0cf
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2908	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral5/memory/816-1-0x0000000000B30000-0x0000000000C14000-memory.dmp	dcrat
behavioral5/files/0x0005000000019e92-18.dat	dcrat
behavioral5/files/0x000800000001a48a-131.dat	dcrat
behavioral5/memory/1712-230-0x00000000008C0000-0x00000000009A4000-memory.dmp	dcrat
behavioral5/memory/2756-241-0x0000000000B90000-0x0000000000C74000-memory.dmp	dcrat
behavioral5/memory/2720-264-0x0000000000110000-0x00000000001F4000-memory.dmp	dcrat
behavioral5/memory/2232-276-0x00000000000D0000-0x00000000001B4000-memory.dmp	dcrat
behavioral5/memory/2888-288-0x0000000000040000-0x0000000000124000-memory.dmp	dcrat
behavioral5/memory/2752-300-0x0000000000070000-0x0000000000154000-memory.dmp	dcrat
behavioral5/memory/2192-312-0x0000000000220000-0x0000000000304000-memory.dmp	dcrat
behavioral5/memory/1792-346-0x0000000001070000-0x0000000001154000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
1712	dllhost.exe
2756	dllhost.exe
1124	dllhost.exe
2720	dllhost.exe
2232	dllhost.exe
2888	dllhost.exe
2752	dllhost.exe
2192	dllhost.exe
2060	dllhost.exe
2984	dllhost.exe
1792	dllhost.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\0a1fd5f707cd16	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXF55D.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXF6C2.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCXF714.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\RCXF736.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files\DVD Maker\fr-FR\1610b97d3ab4a7	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXF56D.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\27d1bcfc3c54e0	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCXF715.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\RCXF726.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\System.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\7a0fd90576e088	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\sppsvc.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXF6C3.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\es-ES\RCXF737.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\es-ES\RCXF748.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\Prefetch\RCXF749.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\Prefetch\RCXF74A.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\CSC\5940a34987c991	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXF580.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\CSC\RCXF601.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\es-ES\RCXF6B0.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\CSC\dllhost.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\es-ES\explorer.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\es-ES\RCXF6C1.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\AppCompat\Programs\services.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\AppCompat\Programs\c5b4cb5e9653cc	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\es-ES\69ddcba757bf72	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\es-ES\7a0fd90576e088	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\Prefetch\System.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\Prefetch\27d1bcfc3c54e0	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXF581.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\CSC\RCXF602.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\es-ES\smss.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1672	schtasks.exe
2096	schtasks.exe
2124	schtasks.exe
2280	schtasks.exe
2904	schtasks.exe
2988	schtasks.exe
1432	schtasks.exe
2420	schtasks.exe
2664	schtasks.exe
1736	schtasks.exe
1460	schtasks.exe
1420	schtasks.exe
1788	schtasks.exe
1008	schtasks.exe
1972	schtasks.exe
2568	schtasks.exe
1608	schtasks.exe
1616	schtasks.exe
1408	schtasks.exe
2612	schtasks.exe
376	schtasks.exe
2336	schtasks.exe
1016	schtasks.exe
2896	schtasks.exe
1484	schtasks.exe
1820	schtasks.exe
1168	schtasks.exe
2436	schtasks.exe
436	schtasks.exe
2008	schtasks.exe
2504	schtasks.exe
1064	schtasks.exe
2804	schtasks.exe
2084	schtasks.exe
3044	schtasks.exe
2220	schtasks.exe
2836	schtasks.exe
2820	schtasks.exe
2152	schtasks.exe
1044	schtasks.exe
2372	schtasks.exe
1724	schtasks.exe
2224	schtasks.exe
2912	schtasks.exe
2772	schtasks.exe
2576	schtasks.exe
1636	schtasks.exe
1260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
816	b4f9f36ada3d9d3cf8af85679ea3a007.exe
1712	dllhost.exe
2756	dllhost.exe
1124	dllhost.exe
2720	dllhost.exe
2232	dllhost.exe
2888	dllhost.exe
2752	dllhost.exe
2192	dllhost.exe
2060	dllhost.exe
2984	dllhost.exe
1792	dllhost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	b4f9f36ada3d9d3cf8af85679ea3a007.exe
Token: SeDebugPrivilege	1712	dllhost.exe
Token: SeDebugPrivilege	2756	dllhost.exe
Token: SeDebugPrivilege	1124	dllhost.exe
Token: SeDebugPrivilege	2720	dllhost.exe
Token: SeDebugPrivilege	2232	dllhost.exe
Token: SeDebugPrivilege	2888	dllhost.exe
Token: SeDebugPrivilege	2752	dllhost.exe
Token: SeDebugPrivilege	2192	dllhost.exe
Token: SeDebugPrivilege	2060	dllhost.exe
Token: SeDebugPrivilege	2984	dllhost.exe
Token: SeDebugPrivilege	1792	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2668	816	b4f9f36ada3d9d3cf8af85679ea3a007.exe	79
PID 816 wrote to memory of 2668	816	b4f9f36ada3d9d3cf8af85679ea3a007.exe	79
PID 816 wrote to memory of 2668	816	b4f9f36ada3d9d3cf8af85679ea3a007.exe	79
PID 2668 wrote to memory of 2608	2668	cmd.exe	81
PID 2668 wrote to memory of 2608	2668	cmd.exe	81
PID 2668 wrote to memory of 2608	2668	cmd.exe	81
PID 2668 wrote to memory of 1712	2668	cmd.exe	82
PID 2668 wrote to memory of 1712	2668	cmd.exe	82
PID 2668 wrote to memory of 1712	2668	cmd.exe	82
PID 1712 wrote to memory of 2656	1712	dllhost.exe	83
PID 1712 wrote to memory of 2656	1712	dllhost.exe	83
PID 1712 wrote to memory of 2656	1712	dllhost.exe	83
PID 1712 wrote to memory of 2996	1712	dllhost.exe	84
PID 1712 wrote to memory of 2996	1712	dllhost.exe	84
PID 1712 wrote to memory of 2996	1712	dllhost.exe	84
PID 2656 wrote to memory of 2756	2656	WScript.exe	85
PID 2656 wrote to memory of 2756	2656	WScript.exe	85
PID 2656 wrote to memory of 2756	2656	WScript.exe	85
PID 2756 wrote to memory of 660	2756	dllhost.exe	86
PID 2756 wrote to memory of 660	2756	dllhost.exe	86
PID 2756 wrote to memory of 660	2756	dllhost.exe	86
PID 2756 wrote to memory of 572	2756	dllhost.exe	87
PID 2756 wrote to memory of 572	2756	dllhost.exe	87
PID 2756 wrote to memory of 572	2756	dllhost.exe	87
PID 660 wrote to memory of 1124	660	WScript.exe	88
PID 660 wrote to memory of 1124	660	WScript.exe	88
PID 660 wrote to memory of 1124	660	WScript.exe	88
PID 1124 wrote to memory of 1688	1124	dllhost.exe	89
PID 1124 wrote to memory of 1688	1124	dllhost.exe	89
PID 1124 wrote to memory of 1688	1124	dllhost.exe	89
PID 1124 wrote to memory of 2804	1124	dllhost.exe	90
PID 1124 wrote to memory of 2804	1124	dllhost.exe	90
PID 1124 wrote to memory of 2804	1124	dllhost.exe	90
PID 1688 wrote to memory of 2720	1688	WScript.exe	91
PID 1688 wrote to memory of 2720	1688	WScript.exe	91
PID 1688 wrote to memory of 2720	1688	WScript.exe	91
PID 2720 wrote to memory of 1960	2720	dllhost.exe	92
PID 2720 wrote to memory of 1960	2720	dllhost.exe	92
PID 2720 wrote to memory of 1960	2720	dllhost.exe	92
PID 2720 wrote to memory of 1596	2720	dllhost.exe	93
PID 2720 wrote to memory of 1596	2720	dllhost.exe	93
PID 2720 wrote to memory of 1596	2720	dllhost.exe	93
PID 1960 wrote to memory of 2232	1960	WScript.exe	94
PID 1960 wrote to memory of 2232	1960	WScript.exe	94
PID 1960 wrote to memory of 2232	1960	WScript.exe	94
PID 2232 wrote to memory of 2116	2232	dllhost.exe	95
PID 2232 wrote to memory of 2116	2232	dllhost.exe	95
PID 2232 wrote to memory of 2116	2232	dllhost.exe	95
PID 2232 wrote to memory of 3056	2232	dllhost.exe	96
PID 2232 wrote to memory of 3056	2232	dllhost.exe	96
PID 2232 wrote to memory of 3056	2232	dllhost.exe	96
PID 2116 wrote to memory of 2888	2116	WScript.exe	97
PID 2116 wrote to memory of 2888	2116	WScript.exe	97
PID 2116 wrote to memory of 2888	2116	WScript.exe	97
PID 2888 wrote to memory of 1832	2888	dllhost.exe	98
PID 2888 wrote to memory of 1832	2888	dllhost.exe	98
PID 2888 wrote to memory of 1832	2888	dllhost.exe	98
PID 2888 wrote to memory of 2788	2888	dllhost.exe	99
PID 2888 wrote to memory of 2788	2888	dllhost.exe	99
PID 2888 wrote to memory of 2788	2888	dllhost.exe	99
PID 1832 wrote to memory of 2752	1832	WScript.exe	100
PID 1832 wrote to memory of 2752	1832	WScript.exe	100
PID 1832 wrote to memory of 2752	1832	WScript.exe	100
PID 2752 wrote to memory of 1940	2752	dllhost.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b4f9f36ada3d9d3cf8af85679ea3a007.exe
"C:\Users\Admin\AppData\Local\Temp\b4f9f36ada3d9d3cf8af85679ea3a007.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vXuZTDYvwI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2608
- - C:\Windows\CSC\dllhost.exe
    "C:\Windows\CSC\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5868a0f1-96fe-4400-8089-def596f680bc.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2042be3f-90da-42d6-992f-1f7ab876a641.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\caed7270-038d-44fa-ac48-facdc1f34353.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c77c8248-842d-4415-9946-5e1203ade085.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9f0592c-ed20-43e0-b6c2-6144f3ece473.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f56ba58d-f596-403c-a062-c3d15fef067b.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fce81e8-3aa0-4fac-bc7a-f055fd81ea69.vbs"
        16⤵
        
        PID:1940
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaa944b6-c41b-4441-b867-0ae1f2b6c759.vbs"
        18⤵
        
        PID:1004
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\753b0479-573b-4725-b88e-9dbd1c51cf9b.vbs"
        20⤵
        
        PID:2540
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53aec2f1-7681-437e-9312-27871dcb83c4.vbs"
        22⤵
        
        PID:1692
        
        C:\Windows\CSC\dllhost.exe
        
        C:\Windows\CSC\dllhost.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eda7838a-12ab-4c48-93aa-269c0be01b65.vbs"
        24⤵
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b011228-d368-456e-91b4-a6386d32fc12.vbs"
        24⤵
        
        PID:1376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd45b4b7-4aac-4682-9036-91fcacf14bca.vbs"
        22⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fcc7143-62d7-4187-bff1-ce6646bc5bd9.vbs"
        20⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5867be9-fec0-4a4f-8c9a-1756e8b1a3cb.vbs"
        18⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d3b9d23-c36a-4e2f-8249-5ef554a75579.vbs"
        16⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dffacc3d-e736-42d0-b8a3-b5c00645fc53.vbs"
        14⤵
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fb01418-81c2-4310-9e41-fd28c2b35e5b.vbs"
        12⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78391185-f2b4-49be-ac5a-1ebdbafbd84f.vbs"
        10⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91a1f81c-c994-47ef-912e-fc599d385df5.vbs"
        8⤵
        
        PID:2804
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c70d297c-db76-42d4-b54c-d5325a5fbb1e.vbs"
        6⤵
        
        PID:572
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90fa339a-139b-43aa-8077-c2028699f66a.vbs"
      4⤵
      PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\CSC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\CSC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Prefetch\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
885KB

MD5
6c76aa55476e767b76b988935733d1dd

SHA1
3c8ce02ff5b6aaec37780796c553f16f99d2b6f9

SHA256
b336e4ebe5561f2a73dcec4fa175a6ad9cccf938994fabaa80058f6b73d84d9b

SHA512
a3098ac5dbd8f1b0acfcad1789c9ebb8909652abc9033f8ad1485d6f95285d5f42e2a72489184fd1c44e2fe0a502ea0be3ef014d0d42835d174cc4269611ca9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2042be3f-90da-42d6-992f-1f7ab876a641.vbs

Filesize
702B

MD5
c30899a85ccc733117ebd5ee87fdaf5e

SHA1
c97355c082348b8d549394e38a5e084a42b5f6e3

SHA256
511d26cae050d3b7d54a56a7c908bff05a32c83aae4da337e1c18629a9f3ec9d

SHA512
66bebed381a767c1a46e4cc4afea68230504f565311e030bf2bdf9674d6aa44d3bc8580a4fcb04a4b0192ad77abc145f5c4937e452945c1a75fafcc241dbe247

Download Submit
C:\Users\Admin\AppData\Local\Temp\53aec2f1-7681-437e-9312-27871dcb83c4.vbs

Filesize
702B

MD5
aa6d5afd2367d3c507bb10056ceb105c

SHA1
be317aef9f60f9bdbecdbadf0ee49829d6f1ebaa

SHA256
5d0b91b891460d3675e12b7039746258f74420900489f3be6ffc3a3f738bea66

SHA512
2cdc7abc2a2f7af9ac23441943e3182158f57069e0b547d2cbe1e29f27da17d9e913220bdad4bc30007107626363e28b40a52d3519cde2462f066a99af89263a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5868a0f1-96fe-4400-8089-def596f680bc.vbs

Filesize
702B

MD5
cab7fcd89688633e941e92adbad7e0a6

SHA1
0221a7d014a1c725fe042a681c93505605ede0cc

SHA256
42d3f445888272340ccd614582e3ac21f42ce58acba3a5874e38fd37ee2a12fe

SHA512
d7477a5d8d9bd534456ab96c56cd9c3dd00ae74c38827de1c96ec254081263cd86ee63751c050d29dd8e391ce85fde7f391eea692ea4e2dfcb31fbe12054651d

Download Submit
C:\Users\Admin\AppData\Local\Temp\753b0479-573b-4725-b88e-9dbd1c51cf9b.vbs

Filesize
702B

MD5
12d46e6301dd217116636c8bbb813cba

SHA1
34298bbe4325a87d10f701daf3c9981e389c38b1

SHA256
e5c79347ee644017f2dc2ffca2d09d16d1589c6728cd003ab2c4fc37f07547ac

SHA512
481f59a6c39c40506798f334f77041b1e7d326bdac775de144af067a90c080e616796bf1a7d1b43569ababfdca8d64b9ad48f6f86cdc826c4457efb10739255b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fce81e8-3aa0-4fac-bc7a-f055fd81ea69.vbs

Filesize
702B

MD5
6ab4c34ece4e624029d14b14ea280db7

SHA1
541eca4cb77896e586ad575c8e2c575f60240ea8

SHA256
a3cb4b5afd99c00c05cd0afed2d39dff11ad6126bbf70a61fc8c90e4d07abb97

SHA512
251460f5b9fbb362708c3f1106f92ee87d536841353492c4bc13341d51043bc31599120cd446a3d8e6ef2d489ba92720e28b0dabf5ca1ef6dad59715e80eb942

Download Submit
C:\Users\Admin\AppData\Local\Temp\90fa339a-139b-43aa-8077-c2028699f66a.vbs

Filesize
478B

MD5
06d3b13e56fb7181b540b0e68de15b75

SHA1
02035c3ac93637512d230022403384f19e4830c6

SHA256
a120555f2d46cc3a363abe573cde4c58df35ff0684af05db2cf8ba13d11d92bc

SHA512
68d4c606189feca682a90fa6b959b32c2ad7050b6bd65b4f30fbb7f5cb8b6d28759410e9aa7381e4d6983d087ddd7b9b93574da66feea32975d8f26101191d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaa944b6-c41b-4441-b867-0ae1f2b6c759.vbs

Filesize
702B

MD5
e198b4757778e358e4fa2c2be9f55717

SHA1
eedaf47c96d012e12b8dddb7aa098b017c80cd51

SHA256
6230f179bc20a85aac4921c9a153cfeaf77d3d33e431b9421fdb7c8242824203

SHA512
1aaa962ef131cab5b2a9181d0b63881cd3c4e22b9cd124c975d3951df4ed4c411651fc8f1bec8df08c135710c883c8fe54e97af586a73a1e5addcf83fa29783f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9f0592c-ed20-43e0-b6c2-6144f3ece473.vbs

Filesize
702B

MD5
c6bcfe9dff306bf04b85af4d88b6b9da

SHA1
1825f1f3e7f03b31bf68d023438d981da64e36c3

SHA256
c329b6a2b3cb1002669c7cfbdce4e1268ecf01ecce11605225d703c16e66a941

SHA512
354721220ea52404e43feb04aeae5cf8c044c51782194c250160b4fb231cd98a5f4c9444ec4ae6c09aab15d538db49db69f6e7c8f38c352d84e79d6845517c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\c77c8248-842d-4415-9946-5e1203ade085.vbs

Filesize
702B

MD5
2be804422a66aedcb58c54482235a4be

SHA1
32a716112ca9d92c952bf71065d14d5b0ef99111

SHA256
1180b18d1712d33410ba76518aaadaeeb55018c818eb74d5a35dce7bca6757b1

SHA512
881e5f845320af3b5cde460347b5b18517f49b22e638eb8568389b15df5dea9c29c77dcccff9e41ad742d595b8cd1e9a87b069c2fffdddf1ea61bbedaa265081

Download Submit
C:\Users\Admin\AppData\Local\Temp\caed7270-038d-44fa-ac48-facdc1f34353.vbs

Filesize
702B

MD5
8ea63e5a00050df0da9460f6849122d4

SHA1
e82fd780506536e37ec7f1db84b09018d86c03f7

SHA256
cbcf8bea6d861e238c74e7fa316892407624e55cdd53313fa7acde19a597d41c

SHA512
e1ae91376021732b8c5b56763f8d133dbe7df15ad06c63d0cfa647eec1303fb86be7801cd1573dcbd8f44a0fca980e2b876a84fe3cd5989ef6a099f1fa43344f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eda7838a-12ab-4c48-93aa-269c0be01b65.vbs

Filesize
702B

MD5
ca2dc746c15e41890b9121001203d256

SHA1
ed7072e38375aebdd34fa1928048086826078708

SHA256
949b273c4aca218bbf9bd5c8d705950f3d124a8f762dc0c168faceb960967838

SHA512
07dc828529feb6e30eaa49ca426df43390ee83b69af4ed611c7b9eeb7afc6e810ab1eb85d0c341c91f7d8ce06b9585f7157e3cf886832a2085e91d34feeb57f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f56ba58d-f596-403c-a062-c3d15fef067b.vbs

Filesize
702B

MD5
cdb7ac46e10fda547bad231fbd99c104

SHA1
8b598523961967491b96898f65b14834bd5aa9ca

SHA256
48c00ad733d560454180db53cea1d2392dde2f647b438495678e15dc92e46203

SHA512
c0d5683695858d4125edc96845ddd9d71ad2eb04bbd0281873fdb91786deeb33c9eedc1b2af74b5a677af8c655b1c6651e4f2f0077804244d61a6848ba59c38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vXuZTDYvwI.bat

Filesize
191B

MD5
122a042ffb43a371fa4e28bc484e836e

SHA1
7dfae92b3c835dbfcda4116d6a40c0fb38d59b5b

SHA256
ac481505476ad658312ce15cdf953d4922eb1a7a7416091b787a3b782d9b1b8f

SHA512
8c7177b13c00aea2c0bf74cf4102c62b279e60036ea6309a3e1f2a419ed7079f08622ecd8f27ff669faeb36953788accb169df0dc13e430d51044b07f0b0b266

Download Submit
C:\Windows\AppCompat\Programs\services.exe

Filesize
885KB

MD5
b4f9f36ada3d9d3cf8af85679ea3a007

SHA1
521a77168a7fd708991a4fd42c9057928f99eb2d

SHA256
4c40fe8d556366b3bed82a8bca55eebee2c93c9b880059ef3d9323af81ff2769

SHA512
483f516bc3ad4de0f98d0d321f5d53685c0099a21284a39471de9419cce2d412c0b96869c815a52d96c95cadb5f0edbbce55040f3eb3fe0f58cae14e2f76c0cf

Download Submit
memory/816-8-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/816-6-0x0000000002130000-0x000000000213A000-memory.dmp

Filesize
40KB

Download
memory/816-1-0x0000000000B30000-0x0000000000C14000-memory.dmp

Filesize
912KB

Download
memory/816-227-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/816-9-0x00000000021E0000-0x00000000021EC000-memory.dmp

Filesize
48KB

Download
memory/816-4-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/816-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/816-7-0x0000000002140000-0x000000000214E000-memory.dmp

Filesize
56KB

Download
memory/816-5-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/816-2-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/816-3-0x0000000000AF0000-0x0000000000B0C000-memory.dmp

Filesize
112KB

Download
memory/1712-230-0x00000000008C0000-0x00000000009A4000-memory.dmp

Filesize
912KB

Download
memory/1792-346-0x0000000001070000-0x0000000001154000-memory.dmp

Filesize
912KB

Download
memory/2192-312-0x0000000000220000-0x0000000000304000-memory.dmp

Filesize
912KB

Download
memory/2232-276-0x00000000000D0000-0x00000000001B4000-memory.dmp

Filesize
912KB

Download
memory/2720-264-0x0000000000110000-0x00000000001F4000-memory.dmp

Filesize
912KB

Download
memory/2752-300-0x0000000000070000-0x0000000000154000-memory.dmp

Filesize
912KB

Download
memory/2756-241-0x0000000000B90000-0x0000000000C74000-memory.dmp

Filesize
912KB

Download
memory/2888-288-0x0000000000040000-0x0000000000124000-memory.dmp

Filesize
912KB

Download