dcrat | 37393231ee6c2f1e4e81bb820867302f509abe5108d7e6eac891fe1ab4b66ca5

Analysis

max time kernel
50s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f9f36ada3d9d3cf8af85679ea3a007.exe
Size

885KB
MD5

b4f9f36ada3d9d3cf8af85679ea3a007
SHA1

521a77168a7fd708991a4fd42c9057928f99eb2d
SHA256

4c40fe8d556366b3bed82a8bca55eebee2c93c9b880059ef3d9323af81ff2769
SHA512

483f516bc3ad4de0f98d0d321f5d53685c0099a21284a39471de9419cce2d412c0b96869c815a52d96c95cadb5f0edbbce55040f3eb3fe0f58cae14e2f76c0cf
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5840	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5268	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5848	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6016	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4612	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	4612	schtasks.exe	87

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral6/memory/2364-1-0x0000000000680000-0x0000000000764000-memory.dmp	dcrat
behavioral6/files/0x000700000002426c-19.dat	dcrat
behavioral6/files/0x0013000000024284-160.dat	dcrat
behavioral6/memory/3408-195-0x0000000000C20000-0x0000000000D04000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	b4f9f36ada3d9d3cf8af85679ea3a007.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 5 IoCs

pid	Process
3408	unsecapp.exe
2952	unsecapp.exe
4640	unsecapp.exe
2004	unsecapp.exe
5440	unsecapp.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lt-LT\sppsvc.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\SysWOW64\lt-LT\0a1fd5f707cd16	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\SysWOW64\lt-LT\RCX6978.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\SysWOW64\lt-LT\RCX6979.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4568_1800704037\RCX6A2B.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Program Files\edge_BITS_4568_1800704037\29c1c3cc0f7685	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Program Files\edge_BITS_4568_1800704037\RCX69AD.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\de-DE\services.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\PolicyDefinitions\de-DE\c5b4cb5e9653cc	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCX6A2C.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCX6A3D.tmp	b4f9f36ada3d9d3cf8af85679ea3a007.exe
File created	C:\Windows\rescache\_merged\3937681233\wininit.exe	b4f9f36ada3d9d3cf8af85679ea3a007.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	b4f9f36ada3d9d3cf8af85679ea3a007.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	unsecapp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4744	schtasks.exe
3104	schtasks.exe
5084	schtasks.exe
3392	schtasks.exe
2964	schtasks.exe
4604	schtasks.exe
4640	schtasks.exe
5848	schtasks.exe
3580	schtasks.exe
3428	schtasks.exe
4728	schtasks.exe
4888	schtasks.exe
5000	schtasks.exe
5072	schtasks.exe
1176	schtasks.exe
4236	schtasks.exe
2268	schtasks.exe
4624	schtasks.exe
4792	schtasks.exe
5268	schtasks.exe
5076	schtasks.exe
3676	schtasks.exe
4920	schtasks.exe
4104	schtasks.exe
3404	schtasks.exe
4800	schtasks.exe
5020	schtasks.exe
4972	schtasks.exe
5004	schtasks.exe
6016	schtasks.exe
4780	schtasks.exe
4676	schtasks.exe
2940	schtasks.exe
4384	schtasks.exe
5840	schtasks.exe
4572	schtasks.exe
1344	schtasks.exe
4600	schtasks.exe
4832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2364	b4f9f36ada3d9d3cf8af85679ea3a007.exe
3408	unsecapp.exe
2952	unsecapp.exe
4640	unsecapp.exe
2004	unsecapp.exe
2004	unsecapp.exe
5440	unsecapp.exe
5440	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	b4f9f36ada3d9d3cf8af85679ea3a007.exe
Token: SeDebugPrivilege	3408	unsecapp.exe
Token: SeDebugPrivilege	2952	unsecapp.exe
Token: SeDebugPrivilege	4640	unsecapp.exe
Token: SeDebugPrivilege	2004	unsecapp.exe
Token: SeDebugPrivilege	5440	unsecapp.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 6008	2364	b4f9f36ada3d9d3cf8af85679ea3a007.exe	127
PID 2364 wrote to memory of 6008	2364	b4f9f36ada3d9d3cf8af85679ea3a007.exe	127
PID 6008 wrote to memory of 5804	6008	cmd.exe	129
PID 6008 wrote to memory of 5804	6008	cmd.exe	129
PID 6008 wrote to memory of 3408	6008	cmd.exe	133
PID 6008 wrote to memory of 3408	6008	cmd.exe	133
PID 3408 wrote to memory of 5480	3408	unsecapp.exe	135
PID 3408 wrote to memory of 5480	3408	unsecapp.exe	135
PID 3408 wrote to memory of 3400	3408	unsecapp.exe	136
PID 3408 wrote to memory of 3400	3408	unsecapp.exe	136
PID 5480 wrote to memory of 2952	5480	WScript.exe	139
PID 5480 wrote to memory of 2952	5480	WScript.exe	139
PID 2952 wrote to memory of 4448	2952	unsecapp.exe	140
PID 2952 wrote to memory of 4448	2952	unsecapp.exe	140
PID 2952 wrote to memory of 996	2952	unsecapp.exe	141
PID 2952 wrote to memory of 996	2952	unsecapp.exe	141
PID 4448 wrote to memory of 4640	4448	WScript.exe	143
PID 4448 wrote to memory of 4640	4448	WScript.exe	143
PID 4640 wrote to memory of 5680	4640	unsecapp.exe	144
PID 4640 wrote to memory of 5680	4640	unsecapp.exe	144
PID 4640 wrote to memory of 5268	4640	unsecapp.exe	145
PID 4640 wrote to memory of 5268	4640	unsecapp.exe	145
PID 5680 wrote to memory of 2004	5680	WScript.exe	150
PID 5680 wrote to memory of 2004	5680	WScript.exe	150
PID 2004 wrote to memory of 4536	2004	unsecapp.exe	155
PID 2004 wrote to memory of 4536	2004	unsecapp.exe	155
PID 2004 wrote to memory of 1128	2004	unsecapp.exe	156
PID 2004 wrote to memory of 1128	2004	unsecapp.exe	156
PID 4536 wrote to memory of 5440	4536	WScript.exe	157
PID 4536 wrote to memory of 5440	4536	WScript.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b4f9f36ada3d9d3cf8af85679ea3a007.exe
"C:\Users\Admin\AppData\Local\Temp\b4f9f36ada3d9d3cf8af85679ea3a007.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XOrWkEHkVb.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6008
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5804
- - C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
    "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f0af692-6d3a-42e9-a0af-9714afa9d986.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5480
    - - C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89507b10-0cd4-4d9d-a1c9-4830f59361af.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c59d52-bbe6-4eb1-bb82-a89cd29f89e0.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5680
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5be8b94-ca74-4e61-8a12-468df3af2fc7.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5715d1ef-bcc0-4c0c-96d8-3610e0c90c10.vbs"
        12⤵
        
        PID:708
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        13⤵
        
        PID:5404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb661680-6f18-46b4-9965-ced7aa9de8b9.vbs"
        14⤵
        
        PID:4068
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        15⤵
        
        PID:5388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38298a19-ba1c-4bcd-b25a-48b5c6e8322d.vbs"
        16⤵
        
        PID:5628
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        17⤵
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebbb916c-7a18-4449-b006-f6a8baf21111.vbs"
        18⤵
        
        PID:3900
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        19⤵
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed8a898a-0cc9-43c5-a7ef-3c75d1513a10.vbs"
        20⤵
        
        PID:5548
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        21⤵
        
        PID:4552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c23b39a2-521a-4560-a0bb-9e96ed5bc5ad.vbs"
        22⤵
        
        PID:856
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        23⤵
        
        PID:6092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\350001bd-1443-4a62-abd7-c502e92cf6d1.vbs"
        24⤵
        
        PID:4500
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        25⤵
        
        PID:5816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcbc8df5-db3f-4018-b38d-6cf2b94b92b5.vbs"
        26⤵
        
        PID:2468
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        27⤵
        
        PID:5264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24d9acf3-03fc-4625-a1cb-a06e1e2ff384.vbs"
        28⤵
        
        PID:1152
        
        C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe
        
        "C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe"
        29⤵
        
        PID:3404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\794c26ef-a498-4ea7-8e1a-cf8655068dee.vbs"
        30⤵
        
        PID:5768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a149f23-b8c5-487e-adee-af46c37bfdcc.vbs"
        30⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b55e570f-1cae-48a5-ae8f-3b8d964285c0.vbs"
        28⤵
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf0ac942-2c1d-481a-b040-c8e719cd6425.vbs"
        26⤵
        
        PID:464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ecf3b52-3eaf-4bd5-9e71-1a602ccecac2.vbs"
        24⤵
        
        PID:3760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a23c771c-cf4c-4275-85ca-8ab9385e8322.vbs"
        22⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5a6ab09-5258-44f5-9f68-523b729920dd.vbs"
        20⤵
        
        PID:5988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f33f8297-7971-4f67-85c1-f557b739ed46.vbs"
        18⤵
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b72c2d33-4614-4c98-b1a0-07bde2e6d8bd.vbs"
        16⤵
        
        PID:5276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbe6a5ce-9006-4e1f-ac92-543b019dbb72.vbs"
        14⤵
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b274e4-0534-41bf-9eb4-491f172e8478.vbs"
        12⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ea0a312-b767-4c51-abfd-6efbb0fcf7f1.vbs"
        10⤵
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2ba47ce-d6d0-499a-afff-679f5f5705ab.vbs"
        8⤵
        
        PID:5268
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34ea615a-7479-4486-a3a1-ef80e16642b1.vbs"
        6⤵
        
        PID:996
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4eb02f1-6327-40fa-bfb8-db72f8c4f02d.vbs"
      4⤵
      PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\aff403968f1bfcc42131676322798b50\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b4f9f36ada3d9d3cf8af85679ea3a007b" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\b4f9f36ada3d9d3cf8af85679ea3a007.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b4f9f36ada3d9d3cf8af85679ea3a007" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\b4f9f36ada3d9d3cf8af85679ea3a007.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b4f9f36ada3d9d3cf8af85679ea3a007b" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\b4f9f36ada3d9d3cf8af85679ea3a007.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\aff403968f1bfcc42131676322798b50\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b4f9f36ada3d9d3cf8af85679ea3a007b" /sc MINUTE /mo 7 /tr "'C:\f9532e701a889cdd91b8\b4f9f36ada3d9d3cf8af85679ea3a007.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b4f9f36ada3d9d3cf8af85679ea3a007" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\b4f9f36ada3d9d3cf8af85679ea3a007.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b4f9f36ada3d9d3cf8af85679ea3a007b" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\b4f9f36ada3d9d3cf8af85679ea3a007.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\lt-LT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SysWOW64\lt-LT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\lt-LT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\aff403968f1bfcc42131676322798b50\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\edge_BITS_4568_1800704037\unsecapp.exe

Filesize
885KB

MD5
8f51cdb93456607189bed1644dbf824e

SHA1
fe5a36902adc67111eb1728e25452d7869447907

SHA256
b1623d4c0564906f8465b07e77b84804c84dc8851d9de6f34d83fce9678fd4a1

SHA512
4ef243e2d6a11c59f633f8af2820ce8cdc26c8b993d26382fae93c0b38062c2d6068eeead4b94854625b73f4a1ff70e07d86bf38e42f5208e335eb3214f53b9a

Download Submit
C:\Recovery\WindowsRE\Idle.exe

Filesize
885KB

MD5
b4f9f36ada3d9d3cf8af85679ea3a007

SHA1
521a77168a7fd708991a4fd42c9057928f99eb2d

SHA256
4c40fe8d556366b3bed82a8bca55eebee2c93c9b880059ef3d9323af81ff2769

SHA512
483f516bc3ad4de0f98d0d321f5d53685c0099a21284a39471de9419cce2d412c0b96869c815a52d96c95cadb5f0edbbce55040f3eb3fe0f58cae14e2f76c0cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\24d9acf3-03fc-4625-a1cb-a06e1e2ff384.vbs

Filesize
731B

MD5
2db1c307050889a39de9a6526eb2c4e9

SHA1
cf33bfdd585a609cffcfce83bc2bc1607e4f94e6

SHA256
6c1ed9e336d9dacb3ac1f040b910202ad7ac3b4cb1870bc0ca2763ee4038ef18

SHA512
8274295c97e1d7f15d275c5b6500e81a92f9f6da60ca761c05cece707740e44bf7d4559c8838622f89058aed6e6c848bf570feb150780779ae9f320da5cec9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\350001bd-1443-4a62-abd7-c502e92cf6d1.vbs

Filesize
731B

MD5
3787e5b2eb670d7eab821dbe28e08085

SHA1
a3cf2240481f6aae61741848edb0d7d88bd0fe28

SHA256
b0449bb00882730576ef2b8aa224dc9b942e11919b51e82222ed8935b9460178

SHA512
99d08da95ba352f1d9a41edc1655a8402489309260c1c301d4bf769c20a9e8b5c0d30c134158140a991aeb090855027847a6083c79249a7df55c3b0e3eebb62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\38298a19-ba1c-4bcd-b25a-48b5c6e8322d.vbs

Filesize
731B

MD5
3bc8bc0aced60f9d1efbba27caa104af

SHA1
a26c479ffea26bc6c789bc089b762907f96465a3

SHA256
836b2d88f883182b87ac2a1df0cc2794a413a6c23d075a87bd1bf3ab36ad9b46

SHA512
a6cd3208d12acf02d4ce78099a3fd6d3c38893c4a85c8a2991cd7d09f08af158e13e626393e4c0232b8184f7bb3b499616877899b066712a9cb65c1d44d3dc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\55c59d52-bbe6-4eb1-bb82-a89cd29f89e0.vbs

Filesize
731B

MD5
e66207d23ac9535219add93cc0d84fb6

SHA1
97689b96b48e9572cf3cfd8012f91c6e48ec2645

SHA256
bf626ed5fb9dd4c66cc2b0e8432f91156f9274eaa1a059063e446571c3a3cdbd

SHA512
3af9d70e2fc1b89db9478c06da1977428b3161d277010756bd3db1b15fccee1885983dd20cfb625679ea1426b82f8011338928e23944f54884d777689898e1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5715d1ef-bcc0-4c0c-96d8-3610e0c90c10.vbs

Filesize
731B

MD5
62f9be72b17bf9cc5230ba93633ce8ae

SHA1
660c4928ecf8d2fc9af759d9b30aa883b7f81e9d

SHA256
07131b39323f9fcdb2499ae401251100c91e371fa34be98c88e6d4f915384ca3

SHA512
ad7bc5406cfebaeb387ba63c5d793ab80c84c616a2ea4df289e66a7f13af72f00ac009e73bac92fcbc6154992a1571f9b176722a0b1834badc4fcb57d218d972

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f0af692-6d3a-42e9-a0af-9714afa9d986.vbs

Filesize
731B

MD5
64078a1ce71474d578fabae01379e8b8

SHA1
7b72d9ff3575b27c00f6d2523674776359214479

SHA256
625f24121992da2d7117cf415f5e9d6cba67bf2d15dfdca3c77165c9b3da4121

SHA512
5a38fc5ec63b9cf2c55b8489de20d9581fbed3e8a59af4b4f0e3f84156b7bec56211278cf59f86fde20d76038371386973d5e9721086d1fdc86e39a79c7dde0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\794c26ef-a498-4ea7-8e1a-cf8655068dee.vbs

Filesize
731B

MD5
e02836f71c4854ca8f87b9342b2923f0

SHA1
96ecb9b9a76ec9a178c7e1e0ee5684cd99bcb35a

SHA256
3f07eba35059cff78d1124344289c32360a72fe619ebfcf9bf23ee6c1783910f

SHA512
312045e0e160ad07992a6a54be6dcbbc9127b6ddf14d5edc1c30e47b2dfb2bf6a59b44dd8a9a09353720785ede7ec8db8c90090f115c2da782f78818d90029a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\89507b10-0cd4-4d9d-a1c9-4830f59361af.vbs

Filesize
731B

MD5
5fec5eafc013969d1b8dc8b40fd9cae9

SHA1
bf93dfbf44b417eabe63b3915a0e6675597cb497

SHA256
f53e5fd6484e4cea38f177c7cebc8386c98b09a56a006e7e2dee96f304c09612

SHA512
f5a51c86db1492aacf590f2dce15a34c457fd5f6d65ab5f9b756d99242aef5414d8079e73d0143f8d1c3b1b4029b051df4026d881b9e43d849428c18811cb32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XOrWkEHkVb.bat

Filesize
220B

MD5
c9e4a0a3034e9c33a8449c14101e41ad

SHA1
f658587e2d49f28882ac95545b50287423e16894

SHA256
358664e21bad61221c8abf0b207d3bd3289f335c085b1f23bb4bdee2e261e08c

SHA512
e521838dd3820b30fade31c2c106e760a024b716ef122fc7113fda544914ec70d813ee046f5985e2649d8ab8472c1c513c347a7ebfdc3c78806d24d36b5567c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5be8b94-ca74-4e61-8a12-468df3af2fc7.vbs

Filesize
731B

MD5
29a521cbd7756bd5221d47de600141b0

SHA1
bc5a0df4301b1165297ff0dc489209d75caf2fd9

SHA256
7e935e6626325924f23dc690bb6b5dd8fcfd6c7326feb454c56b63b557c701e5

SHA512
eb1a6152b96483adae390360ce06bda9f04a184ac17c685d89d31c9f3a50a49b41684d49148483e3381e86f6e6231e7f1aae7afbdb5b631d36c816873a0a2089

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcbc8df5-db3f-4018-b38d-6cf2b94b92b5.vbs

Filesize
731B

MD5
f618486fb2b40fe348542905aca10b12

SHA1
090eb2333e7e7d212a4968d25ff048afeb56bd74

SHA256
0da595d3080efdac109178a8a11f9fe0d87b687fc63be449698b33116afef2fa

SHA512
39ceb7d3ffb5900f8420c825cdf17ed3083fc0d949f98ec9da4f07776320deaf0c68f2d6f8cf53359af6f9e55d56fd6fe198af7f11790c83d67a285f69b96c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c23b39a2-521a-4560-a0bb-9e96ed5bc5ad.vbs

Filesize
731B

MD5
89123e0c6e513ef77a83960ef110481f

SHA1
f1a421cfedaaea2cb61d288d066ba2113e896400

SHA256
b0fa8afbf52cfe3225de2b1bce9a9888f7d814ce5d97f22ac0e10eb21bdc534a

SHA512
8daceeec6fc1d05e005c202a8aa53b4d9abff5fba4bff6570cba6ef4da8b4182eb5c6cdf8b6ab35af64eea091620b407b29e72d3b2db195c0a344912388a23b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4eb02f1-6327-40fa-bfb8-db72f8c4f02d.vbs

Filesize
507B

MD5
0cdcc4e60923610b2c06ac5e1eff9923

SHA1
171680e20895e4ceb4fe01cff542c1fdd29ab293

SHA256
5250709f84668d263c09bc6e32e20e9dc20cf4360cfd817e9d9fd383af4f3aac

SHA512
d516b83bd542b04a5c76c210b7223f2a9dda5a997e18a3f359747fab55415c863df7ad261ca1f3bda3fbace4498fcd430558fc1b776a35a88473a8bdf35eb948

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb661680-6f18-46b4-9965-ced7aa9de8b9.vbs

Filesize
731B

MD5
6d1c55b4ad24751fb240c47936084ab2

SHA1
82117c9eac2e37ebe104c53c54e56f6737bb5204

SHA256
063a5ba6cb20d617fe617cb1f31b55c76907cb117681be5bccdeb33b785924c9

SHA512
dec1b348407b36c27e22990b9be573e4a558850de757539a9b0becac3ec981bd81b43b7eb81bc34ccf48ad25d474663fefab0d97d797d5ecb7f69dcf257f3530

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebbb916c-7a18-4449-b006-f6a8baf21111.vbs

Filesize
731B

MD5
7297c1484014d376c282295f1b616763

SHA1
d379dacf68896cb8b20679c4f55d197e66b0b94c

SHA256
91b7379424716ecc4377aa157afac794966748ca2959374ecd95182f027b0deb

SHA512
ba723bd22215397f0f6991ef6c1fcfc9e6572b03b50c72c28aca3096e0078d1f0bb359d2a36bd0dd9b53c9fbdf3cfd6a7e872a2ae369f346cd35d656e1da22ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed8a898a-0cc9-43c5-a7ef-3c75d1513a10.vbs

Filesize
731B

MD5
bdca0f83ecd11595dece1bac126488b1

SHA1
453a1d9b60c97d78a9434cb8c7c487870caed02c

SHA256
3fae3c2569611494850897e2a3add445c0152e71b8940cce7f8c76295ccb8d90

SHA512
f313d533729186a0fccfbd6456a8a73b620e3fb7f8842c250af7b6eb619ea5748e0cb10168f1bab968e84e3ba7b1d38f177d824069d06cf18604d40e43bd4794

Download Submit
memory/2364-191-0x00007FF98C570000-0x00007FF98D031000-memory.dmp

Filesize
10.8MB

Download
memory/2364-3-0x000000001B250000-0x000000001B26C000-memory.dmp

Filesize
112KB

Download
memory/2364-6-0x000000001B280000-0x000000001B296000-memory.dmp

Filesize
88KB

Download
memory/2364-4-0x000000001B2C0000-0x000000001B310000-memory.dmp

Filesize
320KB

Download
memory/2364-0-0x00007FF98C573000-0x00007FF98C575000-memory.dmp

Filesize
8KB

Download
memory/2364-5-0x000000001B270000-0x000000001B280000-memory.dmp

Filesize
64KB

Download
memory/2364-9-0x000000001B320000-0x000000001B328000-memory.dmp

Filesize
32KB

Download
memory/2364-7-0x000000001B2A0000-0x000000001B2AA000-memory.dmp

Filesize
40KB

Download
memory/2364-2-0x00007FF98C570000-0x00007FF98D031000-memory.dmp

Filesize
10.8MB

Download
memory/2364-10-0x000000001B330000-0x000000001B33C000-memory.dmp

Filesize
48KB

Download
memory/2364-1-0x0000000000680000-0x0000000000764000-memory.dmp

Filesize
912KB

Download
memory/2364-8-0x000000001B2B0000-0x000000001B2BE000-memory.dmp

Filesize
56KB

Download
memory/3408-195-0x0000000000C20000-0x0000000000D04000-memory.dmp

Filesize
912KB

Download