dcrat | 249f9bd035685660ae45fc4138334e744c30ce7e1038c140a98529b90c4270c5

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de7c6ded508e6b46e7f6b385572c426f.exe
Size

885KB
MD5

de7c6ded508e6b46e7f6b385572c426f
SHA1

13cb214fcfaca4c85c59c002ea2769d8db3fccc0
SHA256

aa8cbabea544c7e766f4a2096cf7aa8ebc23e4677812b23910524d0a089d2502
SHA512

c98b77f486f1d0c607eab5b9776dbbd1fc97581e313302d03cc9b18cf5af53196cc280503acdb8c91cd7a44906001bb24fa423cb8eb8a732562fffdb18dc7b0c
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyxT:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5528	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6128	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	6028	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	6028	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral10/memory/4976-1-0x00000000007B0000-0x0000000000894000-memory.dmp	dcrat
behavioral10/files/0x0007000000024279-19.dat	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	de7c6ded508e6b46e7f6b385572c426f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 15 IoCs

pid	Process
1964	spoolsv.exe
3872	spoolsv.exe
5924	spoolsv.exe
4760	spoolsv.exe
2296	spoolsv.exe
3932	spoolsv.exe
1540	spoolsv.exe
4740	spoolsv.exe
264	spoolsv.exe
316	spoolsv.exe
880	spoolsv.exe
1572	spoolsv.exe
2716	spoolsv.exe
4840	spoolsv.exe
1816	spoolsv.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\upfc.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\ea1d8f6d871115	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files\edge_BITS_4468_1015215246\5b884080fd4f94	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX7989.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX799A.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files\edge_BITS_4468_1015215246\RCX79CC.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\66fc9ff0ee96c2	de7c6ded508e6b46e7f6b385572c426f.exe
File created	C:\Program Files\edge_BITS_4468_1015215246\fontdrvhost.exe	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX79AA.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX79BB.tmp	de7c6ded508e6b46e7f6b385572c426f.exe
File opened for modification	C:\Program Files\edge_BITS_4468_1015215246\RCX79DC.tmp	de7c6ded508e6b46e7f6b385572c426f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	de7c6ded508e6b46e7f6b385572c426f.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5052	schtasks.exe
4608	schtasks.exe
1200	schtasks.exe
4524	schtasks.exe
4572	schtasks.exe
1460	schtasks.exe
412	schtasks.exe
316	schtasks.exe
6128	schtasks.exe
3424	schtasks.exe
2392	schtasks.exe
2168	schtasks.exe
5528	schtasks.exe
4544	schtasks.exe
4552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4976	de7c6ded508e6b46e7f6b385572c426f.exe
1964	spoolsv.exe
3872	spoolsv.exe
5924	spoolsv.exe
4760	spoolsv.exe
4760	spoolsv.exe
2296	spoolsv.exe
3932	spoolsv.exe
1540	spoolsv.exe
4740	spoolsv.exe
264	spoolsv.exe
316	spoolsv.exe
880	spoolsv.exe
1572	spoolsv.exe
2716	spoolsv.exe
4840	spoolsv.exe
1816	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	de7c6ded508e6b46e7f6b385572c426f.exe
Token: SeDebugPrivilege	1964	spoolsv.exe
Token: SeDebugPrivilege	3872	spoolsv.exe
Token: SeDebugPrivilege	5924	spoolsv.exe
Token: SeDebugPrivilege	4760	spoolsv.exe
Token: SeDebugPrivilege	2296	spoolsv.exe
Token: SeDebugPrivilege	3932	spoolsv.exe
Token: SeDebugPrivilege	1540	spoolsv.exe
Token: SeDebugPrivilege	4740	spoolsv.exe
Token: SeDebugPrivilege	264	spoolsv.exe
Token: SeDebugPrivilege	316	spoolsv.exe
Token: SeDebugPrivilege	880	spoolsv.exe
Token: SeDebugPrivilege	1572	spoolsv.exe
Token: SeDebugPrivilege	2716	spoolsv.exe
Token: SeDebugPrivilege	4840	spoolsv.exe
Token: SeDebugPrivilege	1816	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4892	4976	de7c6ded508e6b46e7f6b385572c426f.exe	103
PID 4976 wrote to memory of 4892	4976	de7c6ded508e6b46e7f6b385572c426f.exe	103
PID 4892 wrote to memory of 920	4892	cmd.exe	105
PID 4892 wrote to memory of 920	4892	cmd.exe	105
PID 4892 wrote to memory of 1964	4892	cmd.exe	109
PID 4892 wrote to memory of 1964	4892	cmd.exe	109
PID 1964 wrote to memory of 1936	1964	spoolsv.exe	111
PID 1964 wrote to memory of 1936	1964	spoolsv.exe	111
PID 1964 wrote to memory of 5980	1964	spoolsv.exe	112
PID 1964 wrote to memory of 5980	1964	spoolsv.exe	112
PID 1936 wrote to memory of 3872	1936	WScript.exe	115
PID 1936 wrote to memory of 3872	1936	WScript.exe	115
PID 3872 wrote to memory of 1300	3872	spoolsv.exe	116
PID 3872 wrote to memory of 1300	3872	spoolsv.exe	116
PID 3872 wrote to memory of 1232	3872	spoolsv.exe	117
PID 3872 wrote to memory of 1232	3872	spoolsv.exe	117
PID 1300 wrote to memory of 5924	1300	WScript.exe	119
PID 1300 wrote to memory of 5924	1300	WScript.exe	119
PID 5924 wrote to memory of 6100	5924	spoolsv.exe	120
PID 5924 wrote to memory of 6100	5924	spoolsv.exe	120
PID 5924 wrote to memory of 5416	5924	spoolsv.exe	121
PID 5924 wrote to memory of 5416	5924	spoolsv.exe	121
PID 6100 wrote to memory of 4760	6100	WScript.exe	129
PID 6100 wrote to memory of 4760	6100	WScript.exe	129
PID 4760 wrote to memory of 2116	4760	spoolsv.exe	131
PID 4760 wrote to memory of 2116	4760	spoolsv.exe	131
PID 4760 wrote to memory of 4876	4760	spoolsv.exe	132
PID 4760 wrote to memory of 4876	4760	spoolsv.exe	132
PID 2116 wrote to memory of 2296	2116	WScript.exe	133
PID 2116 wrote to memory of 2296	2116	WScript.exe	133
PID 2296 wrote to memory of 3612	2296	spoolsv.exe	134
PID 2296 wrote to memory of 3612	2296	spoolsv.exe	134
PID 2296 wrote to memory of 5572	2296	spoolsv.exe	135
PID 2296 wrote to memory of 5572	2296	spoolsv.exe	135
PID 3612 wrote to memory of 3932	3612	WScript.exe	136
PID 3612 wrote to memory of 3932	3612	WScript.exe	136
PID 3932 wrote to memory of 2820	3932	spoolsv.exe	137
PID 3932 wrote to memory of 2820	3932	spoolsv.exe	137
PID 3932 wrote to memory of 840	3932	spoolsv.exe	138
PID 3932 wrote to memory of 840	3932	spoolsv.exe	138
PID 2820 wrote to memory of 1540	2820	WScript.exe	139
PID 2820 wrote to memory of 1540	2820	WScript.exe	139
PID 1540 wrote to memory of 956	1540	spoolsv.exe	140
PID 1540 wrote to memory of 956	1540	spoolsv.exe	140
PID 1540 wrote to memory of 3684	1540	spoolsv.exe	141
PID 1540 wrote to memory of 3684	1540	spoolsv.exe	141
PID 956 wrote to memory of 4740	956	WScript.exe	142
PID 956 wrote to memory of 4740	956	WScript.exe	142
PID 4740 wrote to memory of 5796	4740	spoolsv.exe	144
PID 4740 wrote to memory of 5796	4740	spoolsv.exe	144
PID 4740 wrote to memory of 1612	4740	spoolsv.exe	145
PID 4740 wrote to memory of 1612	4740	spoolsv.exe	145
PID 5796 wrote to memory of 264	5796	WScript.exe	146
PID 5796 wrote to memory of 264	5796	WScript.exe	146
PID 264 wrote to memory of 5204	264	spoolsv.exe	147
PID 264 wrote to memory of 5204	264	spoolsv.exe	147
PID 264 wrote to memory of 2224	264	spoolsv.exe	148
PID 264 wrote to memory of 2224	264	spoolsv.exe	148
PID 5204 wrote to memory of 316	5204	WScript.exe	149
PID 5204 wrote to memory of 316	5204	WScript.exe	149
PID 316 wrote to memory of 5552	316	spoolsv.exe	150
PID 316 wrote to memory of 5552	316	spoolsv.exe	150
PID 316 wrote to memory of 4724	316	spoolsv.exe	151
PID 316 wrote to memory of 4724	316	spoolsv.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\de7c6ded508e6b46e7f6b385572c426f.exe
"C:\Users\Admin\AppData\Local\Temp\de7c6ded508e6b46e7f6b385572c426f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nvl7Sxgh1S.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:920
- - C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
    "C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42e68e84-e436-433e-95b2-9b3bf1aaf39b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff519822-f9d7-4cf7-9760-61b09c08b4e7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fcebaa5-ede3-4ffb-9c5c-6db1bb6478e4.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:6100
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1df27a04-2ebe-43b5-a206-7b90754bba50.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f473bf-22cf-4c60-adce-366b01c3cd3d.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cd28038-17d4-4132-b487-352415cace62.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3786b320-85a6-4c8d-9647-5956e3bab687.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ac76434-af31-4961-a9e9-55bf51d239a1.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5796
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bef38ec9-eb0a-49fd-babb-b4fd384e616c.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:5204
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e700b00-20ce-4e47-a775-9b516a75a785.vbs"
        22⤵
        
        PID:5552
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1f7331d-011b-4850-a8be-5d310fab3731.vbs"
        24⤵
        
        PID:3620
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1e6fe37-c854-4e9a-ada4-95f398deae20.vbs"
        26⤵
        
        PID:4896
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5d181c5-d9f9-430c-b1e5-f9e27cce4989.vbs"
        28⤵
        
        PID:4536
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c014198e-2988-4efb-b148-a6f1726163aa.vbs"
        30⤵
        
        PID:1884
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        
        C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a530981-e538-4a67-8d6f-d4e83f2d3906.vbs"
        32⤵
        
        PID:384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f61c2a5-166f-4e18-a050-04b894aa6371.vbs"
        32⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6969128-1357-4bdc-a382-6eda7326a2e4.vbs"
        30⤵
        
        PID:5388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9fe297b-ecb2-4ed7-bc05-4a4ae54aa669.vbs"
        28⤵
        
        PID:4308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0749fbda-0548-4078-8b1f-41dd2bca5bd6.vbs"
        26⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\336e3cfa-bcc4-484f-8e4e-1c61c892d1fb.vbs"
        24⤵
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebd5efc9-7dcf-4362-aeab-e313f79cc569.vbs"
        22⤵
        
        PID:4724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b344344-aa2a-4572-8cfe-4d7f915e39d3.vbs"
        20⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27a8a15f-c8b0-4bf5-9e86-e04d2943d550.vbs"
        18⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\816dae47-3305-45f7-8a5a-899a102095d3.vbs"
        16⤵
        
        PID:3684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c4e31f4-7b25-4f64-be9e-6d4d952abd51.vbs"
        14⤵
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1d9aee9-ec15-4c07-bd1b-d0d5a9eda002.vbs"
        12⤵
        
        PID:5572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\620382ea-58cb-4e36-8bc5-5113763e9d93.vbs"
        10⤵
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b018396e-1fa3-4519-a831-a50b3b4cbbfe.vbs"
        8⤵
        
        PID:5416
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95677e14-38f1-469c-bdaa-1e60cf84ea14.vbs"
        6⤵
        
        PID:1232
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b6202d8-65fb-4d79-a4a7-05ca9518ffa9.vbs"
      4⤵
      PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4468_1015215246\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4468_1015215246\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4468_1015215246\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\SppExtComObj.exe

Filesize
885KB

MD5
de7c6ded508e6b46e7f6b385572c426f

SHA1
13cb214fcfaca4c85c59c002ea2769d8db3fccc0

SHA256
aa8cbabea544c7e766f4a2096cf7aa8ebc23e4677812b23910524d0a089d2502

SHA512
c98b77f486f1d0c607eab5b9776dbbd1fc97581e313302d03cc9b18cf5af53196cc280503acdb8c91cd7a44906001bb24fa423cb8eb8a732562fffdb18dc7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ac76434-af31-4961-a9e9-55bf51d239a1.vbs

Filesize
723B

MD5
b48c81f7635aab781c6821a7b83c9f90

SHA1
6cebde5563811f4d5b5eb3ab74b765e4d55db48b

SHA256
59579a191676c76f01662f8582793cf67792194aae2ccac43abca345ccf648d3

SHA512
10488e84f6d1c5fa878aff46dc5c9d392fd73f865c40e455524a15b91703e0daaff820d9c40fbee69d4469d6347becc52205e0a429889fb775ccd8d2d72eecd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1df27a04-2ebe-43b5-a206-7b90754bba50.vbs

Filesize
723B

MD5
77502536181f9077d3a2739d30a4f2e4

SHA1
2aadcc30382f60b17bc85bac683cf2664dbef48e

SHA256
649246df024dd471dca73f51d738b1f69c60e3a0acb037fe31ff650f7fb66fad

SHA512
a6a88ae6814a728266ef505ed386da92acac03ce7ff16237b42100fcbb2deeed366431c7cc54f7f503f0e7d688a24397d0ce382f91007032604e191a1ddbaff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3786b320-85a6-4c8d-9647-5956e3bab687.vbs

Filesize
723B

MD5
3f488a94d55f8a5ae9cab39f3eb04d6a

SHA1
e6be4b37526ab39569d27eb119ecfb97c652bd49

SHA256
cb1d661dbf374f6919231a163ea10d40f87e488e366e1ca7f696a0ee51d17050

SHA512
7da018437f310046d7da45b22acd9a020798c83bd31ad6fbde93f8ac1f3af1cfb79cbfc8522edb4970035203de53bda655e8751c3d288850313cc26969f2f22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\42e68e84-e436-433e-95b2-9b3bf1aaf39b.vbs

Filesize
723B

MD5
99eeb0544897b961cbef22f35b67ebc4

SHA1
77e828da6c1494eead0564c8772b3b36e3f985fa

SHA256
cc119b47922afe8e348d290bf13b5d61fdba2b664d8078be00b1d87cdaf97abf

SHA512
1338a0beed3546350f045ead10acf1dce5979c0f32f39521980d9765601a8f29fccbc64a6cbd29b22e871963e63fd82b585650eb5919dbb6f90c9fb04b78071e

Download Submit
C:\Users\Admin\AppData\Local\Temp\61f473bf-22cf-4c60-adce-366b01c3cd3d.vbs

Filesize
723B

MD5
34292579723d19254ec3a349b130ed34

SHA1
c250b1845224cc926a70dfb0e8441637a0517e8d

SHA256
d87c1f4434c2400d6378851e6efba0505b55fe60712a236e058b3b3edbd95c88

SHA512
e8f4781b31c1a233dff85d79d3b98b8bb80fd4dc371712db9be2dfc4ed52dea229c7e737abc07a03848935cf5f5870eed755b0b5faa8a7b09f5f241fedcd642a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a530981-e538-4a67-8d6f-d4e83f2d3906.vbs

Filesize
723B

MD5
2b86ec2854e6e1b5da61e33522968619

SHA1
ddcdbd364f92c71d6c96b13652c9abd291be4c44

SHA256
1fc164d3a4c917ee6d1fbd5bbe5f95c56b3963a51cf165b6cac84ffe9b034cb1

SHA512
99b153f670ff020602ffa6f67005d563e479c311efec3fbe1c62f7f877ffbd991df4202dc06b94692a7cdc65ca517ba1ace287351ab301076d3a46f538987105

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e700b00-20ce-4e47-a775-9b516a75a785.vbs

Filesize
722B

MD5
6c63acb645224f1e28060e020feecc06

SHA1
c9419cdcb32c00fe176193d6921d2f028b7c03d4

SHA256
84810c8c5712faea8eeb6ddb1b3a315fefb61bacdeae0873bcf6d570092ac873

SHA512
6c41a38f29c9a484c204907ab3126ca7317f54ec786c526bcac7a5b1c1bea4dad1c306f9b73bcf7fb19e65d4f6706d344423359b387be8ad6e85eac7419d6b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fcebaa5-ede3-4ffb-9c5c-6db1bb6478e4.vbs

Filesize
723B

MD5
2db19759f20bfd65a6b8bb7ddf6efe70

SHA1
e45ed9d0b1311793454742c3ff07a30294954d5f

SHA256
8b58e882071418143bb00bb487523d9d7dfdcea60a50465ab654e64c185cf626

SHA512
e9f7b7000eea1efa956b1613fc645c9444d27a32cfe92d0c67e8885e52072725e41c0669d9548299252eb42ea546c8d5f7f6a2cb625c0e454e1f338e13fa0a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b6202d8-65fb-4d79-a4a7-05ca9518ffa9.vbs

Filesize
499B

MD5
9f7a324e5e806eca202c3fd9e35506e7

SHA1
dadaea9a002daf5160172b65cb28994e46b456a9

SHA256
d2831a5d0d096a5db475f4cb257fadf6a2c0b1dd71266729d0a4d1182a38dd17

SHA512
68ae7d442465e16ffeeb6abbf9553a95f28bc43951c8599949a26544a970f78b3b5f7323c21c7cb6977cfd1c44d73e29b3d04cf26fe351cac2e7d5b9a0ec2bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cd28038-17d4-4132-b487-352415cace62.vbs

Filesize
723B

MD5
a68b9cb230483cf65bbcd52926667b59

SHA1
21cf83967be1e320f121be8ff707dfb8dffaec25

SHA256
6d4b7d4b2689239ea583705f8df1b21c60e6418679b903d6a6fcab004eec62a4

SHA512
e91395045f204c51cf4014b8b08ba09f4881292357f0bcfc6f8e06e9ce73c9a0a96b0d7f0a8efc8c3d18b22e647ea0049fdcb3dc0c7c9572f8c8c31cf748dbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5d181c5-d9f9-430c-b1e5-f9e27cce4989.vbs

Filesize
723B

MD5
921647700e5b076e525d0d25b9823eb8

SHA1
4197a01f61d122c4f8b83688c1c1eb951eee1276

SHA256
ac9a721b00be0d6d8f73e4e542aa29824dc97d03b1b66704eef064e2e6f9dff9

SHA512
90bc14f5868ea33339cfed3ba81921d602751a6f82db9b0a3163cea4073e45cfebf4293024e28ca6d8ebf0540c56c4f2a28aeb510874c6b93fd493a5c6f4f9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bef38ec9-eb0a-49fd-babb-b4fd384e616c.vbs

Filesize
722B

MD5
8fb2b33fec6f671bb2dcb934d8d4aac0

SHA1
6a772248e23cde50b176d520e4edf4d57dc04bd2

SHA256
8c7e2c13e00781bf14b9d6eb132bf8d244687cd1a60456c80e1b8bf4d2105260

SHA512
57ffee1957615d21a7e66802dd2101a7b6a7540cb98b51d2e03e28ff9b0043e598fc350002d0b5a82ba6d246c08f145f280a1e5bbf41fd5faa585dcd369c801c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c014198e-2988-4efb-b148-a6f1726163aa.vbs

Filesize
723B

MD5
6cd26acb25f6e6fbd8e7fd6fa566e649

SHA1
5a405e25647976033a6d4f60911ff87b9f967769

SHA256
34420e0f15518fed189757ce83aafe8830c8150a457e950d14db7dba42f02e0d

SHA512
9eceba5d42b25af6612f5cc6620ef2ac313e279a6e8fd64fbb20f536eb4c18453cb571eff8b7fc48eb4256f4d8bedb05e84cbeabc3622d5c533410b76e711532

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1e6fe37-c854-4e9a-ada4-95f398deae20.vbs

Filesize
723B

MD5
9d521a9012f4d253abe93c87171fe55b

SHA1
228650587bf80c58e5097d35951ae89c0f834eef

SHA256
25cf92874e4a8619ad44a61277425668bfe2f9d3471f0b6f044cc05645f6b2cd

SHA512
442379eaea70534e6a5b0b1566459652e67c13fa020a52f7ac19f512058678811e20568242f4f17ce87f43a797d2ddce6d14cc9a52b2df3ad4888beabb0ea812

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1f7331d-011b-4850-a8be-5d310fab3731.vbs

Filesize
722B

MD5
6d9957a7d55e819c45c54c8b40a7bfe2

SHA1
a88293ec9c4d42884ffa4f4112cc43dcd83a2ca4

SHA256
7aeffbfe648088bbb6869bc7dc696a88d181f247cd568681e0bfe782dea621d2

SHA512
162a531dd3f4fde41c9995688fb7cf92f9115a6173743b587a41fa9a4c2db85024e58a847427feda26c33c35eb139e7c894f411dcfe9deb4d0d2c30f80494a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff519822-f9d7-4cf7-9760-61b09c08b4e7.vbs

Filesize
723B

MD5
33ad65315206d0bb382f9096cd671dcd

SHA1
32a9be1eb5e7bcd52a2bfe519a0edf79e9dbcd65

SHA256
ec723744bb9c494b6f811384b2ade4fa04afded74f553b936e417f24392be90c

SHA512
a4880441a4c8ee177d777fc8cfd8eb71b5691ae8856b47bf6006706dc2c316094b0dbfdd64366cd81b996b9b8d70f326a96b8a9e4ea0110d01a2b3137a799643

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvl7Sxgh1S.bat

Filesize
212B

MD5
021eb082f000a2136eb41b7b234ba015

SHA1
d78fbaaedc70da34ec69914c28057958ea1951bc

SHA256
f26a260330ec2b324bd324cb0c520b9d98351c9f2b2aabf85f843fb4b0afd799

SHA512
8d3376c447bea6ab56c9872d1f07592c81361c3850fb6b709a8db8f39fc6099457a95764a3c744c9ed4a40aec283fc52053260f2cd9ed6237c2ba44f52018066

Download Submit
memory/4976-9-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/4976-4-0x000000001BA30000-0x000000001BA80000-memory.dmp

Filesize
320KB

Download
memory/4976-0-0x00007FFAC84C3000-0x00007FFAC84C5000-memory.dmp

Filesize
8KB

Download
memory/4976-5-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

Filesize
64KB

Download
memory/4976-3-0x000000001B4A0000-0x000000001B4BC000-memory.dmp

Filesize
112KB

Download
memory/4976-8-0x000000001BA10000-0x000000001BA1E000-memory.dmp

Filesize
56KB

Download
memory/4976-2-0x00007FFAC84C0000-0x00007FFAC8F81000-memory.dmp

Filesize
10.8MB

Download
memory/4976-10-0x000000001BA80000-0x000000001BA8C000-memory.dmp

Filesize
48KB

Download
memory/4976-87-0x00007FFAC84C0000-0x00007FFAC8F81000-memory.dmp

Filesize
10.8MB

Download
memory/4976-7-0x000000001BA00000-0x000000001BA0A000-memory.dmp

Filesize
40KB

Download
memory/4976-6-0x000000001B9E0000-0x000000001B9F6000-memory.dmp

Filesize
88KB

Download
memory/4976-1-0x00000000007B0000-0x0000000000894000-memory.dmp

Filesize
912KB

Download