dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1ec8c3742e4e01173d709df1353dc5d.exe
Size

885KB
MD5

d1ec8c3742e4e01173d709df1353dc5d
SHA1

30c91b20f0ced765718860cbb2a9f39ca19cf20b
SHA256

e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d
SHA512

1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65
SSDEEP

12288:+lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:+lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5996	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5908	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6108	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2208	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	2208	schtasks.exe	87

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/5568-1-0x0000000000890000-0x0000000000974000-memory.dmp	dcrat
behavioral18/files/0x000700000002430c-19.dat	dcrat
behavioral18/files/0x000c000000024321-103.dat	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	d1ec8c3742e4e01173d709df1353dc5d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 15 IoCs

pid	Process
3552	winlogon.exe
1432	winlogon.exe
6004	winlogon.exe
884	winlogon.exe
4544	winlogon.exe
5556	winlogon.exe
2408	winlogon.exe
4148	winlogon.exe
4256	winlogon.exe
1972	winlogon.exe
872	winlogon.exe
2572	winlogon.exe
1080	winlogon.exe
1140	winlogon.exe
1220	winlogon.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Program Files\edge_BITS_4588_1354277851\cc11b995f2a76d	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files\edge_BITS_4588_1354277851\RCX7D42.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Program Files\edge_BITS_4588_1354277851\RCX7D43.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\unsecapp.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\29c1c3cc0f7685	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCX7D79.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\appcompat\encapsulation\RCX7D8A.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\RCX7DCD.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\RCX7DCE.tmp	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\appcompat\encapsulation\SppExtComObj.exe	d1ec8c3742e4e01173d709df1353dc5d.exe
File created	C:\Windows\appcompat\encapsulation\e1ef82546f0b02	d1ec8c3742e4e01173d709df1353dc5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4628	schtasks.exe
4640	schtasks.exe
2964	schtasks.exe
5996	schtasks.exe
2296	schtasks.exe
6108	schtasks.exe
1372	schtasks.exe
4840	schtasks.exe
4704	schtasks.exe
4112	schtasks.exe
5908	schtasks.exe
4856	schtasks.exe
3612	schtasks.exe
2444	schtasks.exe
1924	schtasks.exe
4824	schtasks.exe
4816	schtasks.exe
4768	schtasks.exe
4560	schtasks.exe
4036	schtasks.exe
3280	schtasks.exe
1940	schtasks.exe
2248	schtasks.exe
1972	schtasks.exe
4964	schtasks.exe
4524	schtasks.exe
4588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
5568	d1ec8c3742e4e01173d709df1353dc5d.exe
5568	d1ec8c3742e4e01173d709df1353dc5d.exe
5568	d1ec8c3742e4e01173d709df1353dc5d.exe
5568	d1ec8c3742e4e01173d709df1353dc5d.exe
5568	d1ec8c3742e4e01173d709df1353dc5d.exe
5568	d1ec8c3742e4e01173d709df1353dc5d.exe
5568	d1ec8c3742e4e01173d709df1353dc5d.exe
3552	winlogon.exe
1432	winlogon.exe
6004	winlogon.exe
884	winlogon.exe
4544	winlogon.exe
5556	winlogon.exe
5556	winlogon.exe
2408	winlogon.exe
2408	winlogon.exe
4148	winlogon.exe
4148	winlogon.exe
4256	winlogon.exe
1972	winlogon.exe
872	winlogon.exe
2572	winlogon.exe
1080	winlogon.exe
1140	winlogon.exe
1220	winlogon.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5568	d1ec8c3742e4e01173d709df1353dc5d.exe
Token: SeDebugPrivilege	3552	winlogon.exe
Token: SeDebugPrivilege	1432	winlogon.exe
Token: SeDebugPrivilege	6004	winlogon.exe
Token: SeDebugPrivilege	884	winlogon.exe
Token: SeDebugPrivilege	4544	winlogon.exe
Token: SeDebugPrivilege	5556	winlogon.exe
Token: SeDebugPrivilege	2408	winlogon.exe
Token: SeDebugPrivilege	4148	winlogon.exe
Token: SeDebugPrivilege	4256	winlogon.exe
Token: SeDebugPrivilege	1972	winlogon.exe
Token: SeDebugPrivilege	872	winlogon.exe
Token: SeDebugPrivilege	2572	winlogon.exe
Token: SeDebugPrivilege	1080	winlogon.exe
Token: SeDebugPrivilege	1140	winlogon.exe
Token: SeDebugPrivilege	1220	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5568 wrote to memory of 3552	5568	d1ec8c3742e4e01173d709df1353dc5d.exe	115
PID 5568 wrote to memory of 3552	5568	d1ec8c3742e4e01173d709df1353dc5d.exe	115
PID 3552 wrote to memory of 3212	3552	winlogon.exe	118
PID 3552 wrote to memory of 3212	3552	winlogon.exe	118
PID 3552 wrote to memory of 4980	3552	winlogon.exe	119
PID 3552 wrote to memory of 4980	3552	winlogon.exe	119
PID 3212 wrote to memory of 1432	3212	WScript.exe	122
PID 3212 wrote to memory of 1432	3212	WScript.exe	122
PID 1432 wrote to memory of 3616	1432	winlogon.exe	124
PID 1432 wrote to memory of 3616	1432	winlogon.exe	124
PID 1432 wrote to memory of 5096	1432	winlogon.exe	125
PID 1432 wrote to memory of 5096	1432	winlogon.exe	125
PID 3616 wrote to memory of 6004	3616	WScript.exe	127
PID 3616 wrote to memory of 6004	3616	WScript.exe	127
PID 6004 wrote to memory of 2824	6004	winlogon.exe	128
PID 6004 wrote to memory of 2824	6004	winlogon.exe	128
PID 6004 wrote to memory of 5764	6004	winlogon.exe	129
PID 6004 wrote to memory of 5764	6004	winlogon.exe	129
PID 2824 wrote to memory of 884	2824	WScript.exe	130
PID 2824 wrote to memory of 884	2824	WScript.exe	130
PID 884 wrote to memory of 5240	884	winlogon.exe	131
PID 884 wrote to memory of 5240	884	winlogon.exe	131
PID 884 wrote to memory of 5236	884	winlogon.exe	132
PID 884 wrote to memory of 5236	884	winlogon.exe	132
PID 5240 wrote to memory of 4544	5240	WScript.exe	135
PID 5240 wrote to memory of 4544	5240	WScript.exe	135
PID 4544 wrote to memory of 4832	4544	winlogon.exe	136
PID 4544 wrote to memory of 4832	4544	winlogon.exe	136
PID 4544 wrote to memory of 4672	4544	winlogon.exe	137
PID 4544 wrote to memory of 4672	4544	winlogon.exe	137
PID 4832 wrote to memory of 5556	4832	WScript.exe	144
PID 4832 wrote to memory of 5556	4832	WScript.exe	144
PID 5556 wrote to memory of 2712	5556	winlogon.exe	145
PID 5556 wrote to memory of 2712	5556	winlogon.exe	145
PID 5556 wrote to memory of 2524	5556	winlogon.exe	146
PID 5556 wrote to memory of 2524	5556	winlogon.exe	146
PID 2712 wrote to memory of 2408	2712	WScript.exe	147
PID 2712 wrote to memory of 2408	2712	WScript.exe	147
PID 2408 wrote to memory of 6096	2408	winlogon.exe	148
PID 2408 wrote to memory of 6096	2408	winlogon.exe	148
PID 2408 wrote to memory of 4068	2408	winlogon.exe	149
PID 2408 wrote to memory of 4068	2408	winlogon.exe	149
PID 6096 wrote to memory of 4148	6096	WScript.exe	150
PID 6096 wrote to memory of 4148	6096	WScript.exe	150
PID 4148 wrote to memory of 3252	4148	winlogon.exe	151
PID 4148 wrote to memory of 3252	4148	winlogon.exe	151
PID 4148 wrote to memory of 2992	4148	winlogon.exe	152
PID 4148 wrote to memory of 2992	4148	winlogon.exe	152
PID 3252 wrote to memory of 4256	3252	WScript.exe	153
PID 3252 wrote to memory of 4256	3252	WScript.exe	153
PID 4256 wrote to memory of 848	4256	winlogon.exe	154
PID 4256 wrote to memory of 848	4256	winlogon.exe	154
PID 4256 wrote to memory of 5052	4256	winlogon.exe	155
PID 4256 wrote to memory of 5052	4256	winlogon.exe	155
PID 848 wrote to memory of 1972	848	WScript.exe	157
PID 848 wrote to memory of 1972	848	WScript.exe	157
PID 1972 wrote to memory of 2536	1972	winlogon.exe	158
PID 1972 wrote to memory of 2536	1972	winlogon.exe	158
PID 1972 wrote to memory of 4192	1972	winlogon.exe	159
PID 1972 wrote to memory of 4192	1972	winlogon.exe	159
PID 2536 wrote to memory of 872	2536	WScript.exe	160
PID 2536 wrote to memory of 872	2536	WScript.exe	160
PID 872 wrote to memory of 4668	872	winlogon.exe	161
PID 872 wrote to memory of 4668	872	winlogon.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d1ec8c3742e4e01173d709df1353dc5d.exe
"C:\Users\Admin\AppData\Local\Temp\d1ec8c3742e4e01173d709df1353dc5d.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5568
- C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
  "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\042aa893-8643-48bf-8d10-89e37209a67f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
      "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06515665-d37e-4bd2-a187-bd19832bde42.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3616
      - C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\530edbc6-9402-450e-b5cf-013923ec52a7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f1e9a06-d3c8-44ad-be94-1cb5ec877784.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5240
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a2b234c-1d79-44b9-8533-e46b56866895.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06e0dc40-a07c-4ffe-984c-8c2b95ba35c5.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fce02d26-89fd-4740-910e-36ca1593d16a.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:6096
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79f67346-a2bc-4b82-9c8a-a34c4b2c3c09.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8282d8c-bd5c-4d10-88bf-59e281e31041.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc771dcf-cc0e-4b4e-ad6b-caa4137e58c2.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd83379c-1a19-4e44-a5ae-6d8c3f2b38e7.vbs"
        23⤵
        
        PID:4668
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f8330da-904c-4652-a09f-2443820d1f9c.vbs"
        25⤵
        
        PID:5488
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33928026-112e-443b-b800-96d4cf6e95e8.vbs"
        27⤵
        
        PID:2648
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2a83c59-2ab8-4d3c-9335-bc4c205ec2f5.vbs"
        29⤵
        
        PID:2212
        
        C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe
        
        "C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ad30a21-7014-447c-8a5a-1aa8c6ccc1e8.vbs"
        31⤵
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18af398d-749b-4751-a8f0-0398fcab5bba.vbs"
        31⤵
        
        PID:5084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49437980-d11b-4fa9-9b16-8ad1b8134f6a.vbs"
        29⤵
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5242015a-47e9-4d19-b6b9-53a63f46444a.vbs"
        27⤵
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15d44947-f54a-4c8f-b767-b8b157aa7b6b.vbs"
        25⤵
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7152998-4611-4fa7-a085-46168f8438c6.vbs"
        23⤵
        
        PID:5036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4889ab94-c813-45bb-b45f-534e2c2408c3.vbs"
        21⤵
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf6e9adf-79b5-49a9-b3ef-bbb4851e4210.vbs"
        19⤵
        
        PID:5052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85eea381-a639-42c2-8031-0557c6eca767.vbs"
        17⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\078c1642-cf48-4a90-be28-4b17cd6be9f6.vbs"
        15⤵
        
        PID:4068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e0c397-b997-4e91-8a12-e487a23b8d3d.vbs"
        13⤵
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee9e4cf9-0446-4e08-b932-6ef8903e8c2d.vbs"
        11⤵
        
        PID:4672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e88c822a-f6ce-4168-b30c-1ba6d9875d00.vbs"
        9⤵
        
        PID:5236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f222bec-2b5a-4f38-8d07-3599e8344037.vbs"
        7⤵
        
        PID:5764
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12290ba9-955c-4ef5-b691-be0567fcb374.vbs"
        5⤵
        
        PID:5096
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f12c3bf-be39-4d2e-8131-a7d6ebd2cead.vbs"
    3⤵
    PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4588_1354277851\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d1ec8c3742e4e01173d709df1353dc5dd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\d1ec8c3742e4e01173d709df1353dc5d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d1ec8c3742e4e01173d709df1353dc5d" /sc ONLOGON /tr "'C:\Users\All Users\d1ec8c3742e4e01173d709df1353dc5d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d1ec8c3742e4e01173d709df1353dc5dd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\d1ec8c3742e4e01173d709df1353dc5d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\encapsulation\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\encapsulation\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\d1ec8c3742e4e01173d709df1353dc5d.exe

Filesize
885KB

MD5
d1ec8c3742e4e01173d709df1353dc5d

SHA1
30c91b20f0ced765718860cbb2a9f39ca19cf20b

SHA256
e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d

SHA512
1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\042aa893-8643-48bf-8d10-89e37209a67f.vbs

Filesize
731B

MD5
491460662c062cc79ab81222ab3d8798

SHA1
514d85fb5295b3d64279a07405b29049ce815566

SHA256
19059e1b9dc9d0ae90c52eabae33886809b1386fe52b90203074a7e02da5f8c5

SHA512
651ac2d8935c835c5a96682e87f0027b934d8effe303c59aaff936b9f08a0e5df03ca62da7188bafb6db1964c3de6497ea45d3312bd4c662ba3254f90b67a998

Download Submit
C:\Users\Admin\AppData\Local\Temp\06515665-d37e-4bd2-a187-bd19832bde42.vbs

Filesize
731B

MD5
3ccf44e4c6ecbfeb90dd63ca11859fbb

SHA1
2370cc7bb4e629da143775a86ac54a57a8d72844

SHA256
a2f3c1f4c897a9bf0a751b213d6596cef3ca612c4c3ff0a211232b25eb907d6e

SHA512
3af5b06c20e5adca7ef700a4430151c853f77f2ea42fcc8075d111cda08f1dc15cc36366b2ceb378caed2f810247bc0fd432606f5fecb8218976ba83ff235e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\06e0dc40-a07c-4ffe-984c-8c2b95ba35c5.vbs

Filesize
731B

MD5
371a3c396ad5170fadfde8e0d934a6ac

SHA1
16b5efc891aa9102c60ee4832af2ac58ab350a26

SHA256
f29790d2a6c66739fc3a5349c3ba414200331b440e79790b18e5b578bba12c5c

SHA512
66c17ad75ef02d47d9a8ca431138af50fddc45adf21d3aeb93067ab83ba98e726f88c3ef84771e4d677ff0fa228add9b19558fd102f3a865eaabf1e855b7d270

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f12c3bf-be39-4d2e-8131-a7d6ebd2cead.vbs

Filesize
507B

MD5
52c23ab817b8216c7f3a250ba01a2f2d

SHA1
d5be7c8ca96e0d3bfe5bd7f7ff6908b49939ca35

SHA256
d06529e98f3c0a5c514e2443bc1eab284d3690929bb03655a1dc7e7b4e52b418

SHA512
c96b5948bc733bcda16bba539a7294beabe0957ff96ea24bb182746e8013cf72131f5af8d1f008f232b921f51b27b7be97b854f1160dae10fd61c6ec7af4d3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\33928026-112e-443b-b800-96d4cf6e95e8.vbs

Filesize
731B

MD5
93a1e1703171e5dbd18fac3caaa2e5d7

SHA1
26a2d0fb85db3d91ba3f4eac7dec6c28f43b18b0

SHA256
6725f7b72098715bec4d148586b143a467d946c692e64d884c8c2e6346a5bd93

SHA512
543860d7a26d1ac7b2053dd513102e97b45a24ef4cb4e62e22974272c12dc569d114b686376caddddabccf470f137693c6d562c27c053e34d0ac723a6df801c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f1e9a06-d3c8-44ad-be94-1cb5ec877784.vbs

Filesize
730B

MD5
787be5223f668c19fec4e2ade0210164

SHA1
bec0ecec3366bf2d3643495608acb605ba83757c

SHA256
de5508ed5d40fbdeb01c84520d7483f4dd97650d664aa1fa75ad50c97150e903

SHA512
818b93d2ef67689cc6b8981641f05385132ef720722b2213760557f03150c17d1c96d4a243aea03d5d9618819676628761630f769ddd912f69ada6357bbd40e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f8330da-904c-4652-a09f-2443820d1f9c.vbs

Filesize
731B

MD5
ab0bbf4308699e1a9bad8d724e1d522f

SHA1
ab178ca38172491778e658274da8e3d9ed45693d

SHA256
b9e8b71dfe2100fcd1d52e3ade33a5521ec4adcdbf4ebbb761fea8be8a8abe09

SHA512
d93a24b5ef5de3e49d856ab23ad2ad7940311049c369e4393a145e70e66fcacea0fa0dfcd93587653c255e13b09c313dab60608ae4f5a2415c84e47ddeaa5091

Download Submit
C:\Users\Admin\AppData\Local\Temp\530edbc6-9402-450e-b5cf-013923ec52a7.vbs

Filesize
731B

MD5
4a4ebdcca9930d94237c15e421d548d8

SHA1
4c883e8b18f2398744350edeeb5f73525e4465ff

SHA256
6f366c1f53f4d8dcf62c3bdf8dda9d36f0527d475fb5af5be2b66c6b80b6a2b6

SHA512
404f06f6aa7d30228f0356bf76d754f690da95e087c7aad19904bcba2444d5c6bd2fbb8434f2235b43f643da33adad92426fadd138b4fa7b497f6b67df2aa323

Download Submit
C:\Users\Admin\AppData\Local\Temp\79f67346-a2bc-4b82-9c8a-a34c4b2c3c09.vbs

Filesize
731B

MD5
194ab174c1fa113761a08e8070821a1b

SHA1
93f881920dbb50ba5a76f0dc4cd1371d0f41f2ed

SHA256
8e43aceca93a7f9ee93406a9b0972c09bc765d97c4537a4b9f022e517cf3dabb

SHA512
e40ba8f5306b1a7d05f714b17a5212cd2d1e0f0a8d0d728ef808a7dedb7b69d025b2c1da9bdd39196da6f8b8c18f0a5ecbcf0ab075f333dee054d1c811e9a2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a2b234c-1d79-44b9-8533-e46b56866895.vbs

Filesize
731B

MD5
1ccbf020223a78655b8060398961abb5

SHA1
3fcb50fcd31e3cea49fc9784f21384ec9613ff49

SHA256
34043c0a3e91d369acf6a0929defc560dff7fed0d76daa6a3aa5ca8095615b69

SHA512
34c7cec3ff3b50aa815da7f5e864ec2c930f6e22adaf22e345aa558e154232dcf01bc80a50ec5a3a7982c889210738975dd8a64114b3798f39c61f0108195365

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ad30a21-7014-447c-8a5a-1aa8c6ccc1e8.vbs

Filesize
731B

MD5
982cb0189fab585d1ab7ab1dfcf8e67f

SHA1
c2e912b1a95b42ee825ae016032b517191342bd7

SHA256
c7ab9aaef943fd5c82e4f88ebad8d883f1eec9aafe530aa07db5f62bf99823cb

SHA512
b5b06ecb50bf3487230478748134137b2a953e015ba310c915f1e38ebddbe75c0fa58ce792a8dd36b9525d2d927e726ea815b9cb828a869a397cbcd27d3d831d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2a83c59-2ab8-4d3c-9335-bc4c205ec2f5.vbs

Filesize
731B

MD5
913bbca066b4277896eebcf1ad45db76

SHA1
a282e1f95857df63e63e35ff368fa40e57fa5d67

SHA256
75994c627ca72b8a8f548e9ed8e62ed4d5e22d851a4b4babde55db555317590f

SHA512
8ffe7a0a85fb84f064798b209039ad97110e0ee598243ca56fad28fd8621f83acd175e9c96e76f6e7b66cf4d8f38c20786d9c66228e16c0e79cb96ac3b6c9236

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8282d8c-bd5c-4d10-88bf-59e281e31041.vbs

Filesize
731B

MD5
557b40d6da9f6258efce2e1b5baf782b

SHA1
faf122858827579d41820aada906923d33f89486

SHA256
79544092eab7bf13ecea6be81a1e1df1bf9103f6c07ca7d760395a9c0951f132

SHA512
ba1f8894511f831d268a2239d1077a194e3e45c87edc60d5044bbf69a98fa8fd49ffbc58da96e081d41b4fdf21c4104fb38d9c3ad5118abe684b9a2ebf3b4e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc771dcf-cc0e-4b4e-ad6b-caa4137e58c2.vbs

Filesize
731B

MD5
c48e4cd182095ba5f2628315bd0cc170

SHA1
a9924d014a561cb08c07cc5f7b9a1b795d50dffa

SHA256
ad051ed717237a98a93f2bb463334528fa949ca6bfd9842888a5976ef8fed986

SHA512
151f91bf9ccae6f407e3714e5feee680fa021b19475df265bc0bf4af097d96804120b74e5bccbb27961835a3fbe1c36c39685047e3d526674e6875fbeb543dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fce02d26-89fd-4740-910e-36ca1593d16a.vbs

Filesize
731B

MD5
306f3363e985cee6aba0f758e48cef58

SHA1
1801ab4f9949725af74a9581bdb5ea389adb1aaa

SHA256
26b9eac307b6af65f77c912291acd049f7e84a9f875656efa85c458bb1d8ea62

SHA512
c8390324cf60a678e54faeecc54df463c4ec870351276b7f8ba29ab5087721639ee50433b849af8df0c9ef1bc8307bcaab0559d511e92804ca45e1698491166d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd83379c-1a19-4e44-a5ae-6d8c3f2b38e7.vbs

Filesize
730B

MD5
7a4a649bfdb7d43ae7da580949b2b12a

SHA1
aba875ca5e76232439f2ccfeeb19e23fb01be478

SHA256
902b7bb77a18ad37e6917970f0e73ee29ca21fe3e741cb198ff2415f036539e6

SHA512
69918bbfbac3f8fa5a928fc10fb5a64929d9d09f4c9fb3bb9e797cac272574344f8070fa3810543382004d92e80f8d898b3f5e6ae75a8ff1de88e05beca13148

Download Submit
C:\Users\Default\Pictures\RCX7D9A.tmp

Filesize
885KB

MD5
b598fe735d92e420b2113d8d3949e1ce

SHA1
3e4dd6467419d5e05d9fc3999cc960c6fdc57ede

SHA256
6fcd5d0f0d4c4b8a11879157011a0704a3af6d33182533b6e6c92099b61350a5

SHA512
7af7234808cfaae0d7735855a4914ba17fd9083fdbee43bbbe8bc4a2fea4e7b86dfbffe716db8b05b43f9030d33e9f682358efebf483a5e02c48be6fdf642351

Download Submit
memory/5568-4-0x000000001BB70000-0x000000001BBC0000-memory.dmp

Filesize
320KB

Download
memory/5568-1-0x0000000000890000-0x0000000000974000-memory.dmp

Filesize
912KB

Download
memory/5568-0-0x00007FFA83C23000-0x00007FFA83C25000-memory.dmp

Filesize
8KB

Download
memory/5568-2-0x00007FFA83C20000-0x00007FFA846E1000-memory.dmp

Filesize
10.8MB

Download
memory/5568-3-0x00000000029A0000-0x00000000029BC000-memory.dmp

Filesize
112KB

Download
memory/5568-145-0x00007FFA83C20000-0x00007FFA846E1000-memory.dmp

Filesize
10.8MB

Download
memory/5568-5-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download
memory/5568-6-0x00000000029C0000-0x00000000029D6000-memory.dmp

Filesize
88KB

Download
memory/5568-7-0x00000000029E0000-0x00000000029EA000-memory.dmp

Filesize
40KB

Download
memory/5568-9-0x0000000002A00000-0x0000000002A08000-memory.dmp

Filesize
32KB

Download
memory/5568-10-0x0000000002A10000-0x0000000002A1C000-memory.dmp

Filesize
48KB

Download
memory/5568-8-0x00000000029F0000-0x00000000029FE000-memory.dmp

Filesize
56KB

Download