dcrat | 8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac98ebb342782d2e8ef453b3d4006f5.exe
Size

885KB
MD5

eac98ebb342782d2e8ef453b3d4006f5
SHA1

b8bfb2496a72d101e9c8f0a86c6a838615b99b72
SHA256

554055083c7aee5ed747c7fad8cd8232365485281f84a05ffb757732b0f323f4
SHA512

f4778728326651083824f1e0023b04959077a722ef333d981e614c8cd45824c357a341d757e0a6427ebd6ac00f7c2b8204f6706f4a047e775ff70269d1112dc2
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2664	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2664	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral13/memory/2820-1-0x0000000000300000-0x00000000003E4000-memory.dmp	dcrat
behavioral13/files/0x000600000001873d-21.dat	dcrat
behavioral13/memory/2132-74-0x0000000000C90000-0x0000000000D74000-memory.dmp	dcrat
behavioral13/files/0x0006000000019c57-123.dat	dcrat
behavioral13/memory/1860-189-0x0000000000FA0000-0x0000000001084000-memory.dmp	dcrat
behavioral13/memory/2960-277-0x0000000000350000-0x0000000000434000-memory.dmp	dcrat
behavioral13/memory/1192-289-0x00000000013B0000-0x0000000001494000-memory.dmp	dcrat
behavioral13/memory/2680-323-0x0000000000170000-0x0000000000254000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
1860	WmiPrvSE.exe
2908	WmiPrvSE.exe
1764	WmiPrvSE.exe
1968	WmiPrvSE.exe
2780	WmiPrvSE.exe
2132	WmiPrvSE.exe
1748	WmiPrvSE.exe
2384	WmiPrvSE.exe
2960	WmiPrvSE.exe
1192	WmiPrvSE.exe
2820	WmiPrvSE.exe
2600	WmiPrvSE.exe
2680	WmiPrvSE.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\101b941d020240	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\24dbde2999530e	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX8107.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCX81BE.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX69BE.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX8106.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX81AA.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\42af1c969fbb7b	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX69BD.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX81AB.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCX81BF.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\27d1bcfc3c54e0	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe	eac98ebb342782d2e8ef453b3d4006f5.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\es-ES\1610b97d3ab4a7	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX69BF.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCX69C0.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\RCX69D1.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\RCX69D2.tmp	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Windows\AppCompat\Programs\dwm.exe	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Windows\AppCompat\Programs\6cb0b6c459d5d3	eac98ebb342782d2e8ef453b3d4006f5.exe
File created	C:\Windows\DigitalLocker\es-ES\OSPPSVC.exe	eac98ebb342782d2e8ef453b3d4006f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe
2624	schtasks.exe
2612	schtasks.exe
2696	schtasks.exe
568	schtasks.exe
1748	schtasks.exe
2388	schtasks.exe
2164	schtasks.exe
1404	schtasks.exe
2576	schtasks.exe
2172	schtasks.exe
2268	schtasks.exe
912	schtasks.exe
1772	schtasks.exe
2156	schtasks.exe
1700	schtasks.exe
856	schtasks.exe
2360	schtasks.exe
876	schtasks.exe
1648	schtasks.exe
1584	schtasks.exe
2092	schtasks.exe
2744	schtasks.exe
2920	schtasks.exe
1944	schtasks.exe
2532	schtasks.exe
1296	schtasks.exe
1776	schtasks.exe
1896	schtasks.exe
2244	schtasks.exe
760	schtasks.exe
1264	schtasks.exe
1660	schtasks.exe
1216	schtasks.exe
1436	schtasks.exe
532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2820	eac98ebb342782d2e8ef453b3d4006f5.exe
2132	eac98ebb342782d2e8ef453b3d4006f5.exe
1860	WmiPrvSE.exe
2908	WmiPrvSE.exe
1764	WmiPrvSE.exe
1968	WmiPrvSE.exe
2780	WmiPrvSE.exe
2132	WmiPrvSE.exe
1748	WmiPrvSE.exe
2384	WmiPrvSE.exe
2960	WmiPrvSE.exe
1192	WmiPrvSE.exe
2820	WmiPrvSE.exe
2600	WmiPrvSE.exe
2680	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	eac98ebb342782d2e8ef453b3d4006f5.exe
Token: SeDebugPrivilege	2132	eac98ebb342782d2e8ef453b3d4006f5.exe
Token: SeDebugPrivilege	1860	WmiPrvSE.exe
Token: SeDebugPrivilege	2908	WmiPrvSE.exe
Token: SeDebugPrivilege	1764	WmiPrvSE.exe
Token: SeDebugPrivilege	1968	WmiPrvSE.exe
Token: SeDebugPrivilege	2780	WmiPrvSE.exe
Token: SeDebugPrivilege	2132	WmiPrvSE.exe
Token: SeDebugPrivilege	1748	WmiPrvSE.exe
Token: SeDebugPrivilege	2384	WmiPrvSE.exe
Token: SeDebugPrivilege	2960	WmiPrvSE.exe
Token: SeDebugPrivilege	1192	WmiPrvSE.exe
Token: SeDebugPrivilege	2820	WmiPrvSE.exe
Token: SeDebugPrivilege	2600	WmiPrvSE.exe
Token: SeDebugPrivilege	2680	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2800	2820	eac98ebb342782d2e8ef453b3d4006f5.exe	43
PID 2820 wrote to memory of 2800	2820	eac98ebb342782d2e8ef453b3d4006f5.exe	43
PID 2820 wrote to memory of 2800	2820	eac98ebb342782d2e8ef453b3d4006f5.exe	43
PID 2800 wrote to memory of 1712	2800	cmd.exe	45
PID 2800 wrote to memory of 1712	2800	cmd.exe	45
PID 2800 wrote to memory of 1712	2800	cmd.exe	45
PID 2800 wrote to memory of 2132	2800	cmd.exe	46
PID 2800 wrote to memory of 2132	2800	cmd.exe	46
PID 2800 wrote to memory of 2132	2800	cmd.exe	46
PID 2132 wrote to memory of 1860	2132	eac98ebb342782d2e8ef453b3d4006f5.exe	71
PID 2132 wrote to memory of 1860	2132	eac98ebb342782d2e8ef453b3d4006f5.exe	71
PID 2132 wrote to memory of 1860	2132	eac98ebb342782d2e8ef453b3d4006f5.exe	71
PID 1860 wrote to memory of 2012	1860	WmiPrvSE.exe	72
PID 1860 wrote to memory of 2012	1860	WmiPrvSE.exe	72
PID 1860 wrote to memory of 2012	1860	WmiPrvSE.exe	72
PID 1860 wrote to memory of 524	1860	WmiPrvSE.exe	73
PID 1860 wrote to memory of 524	1860	WmiPrvSE.exe	73
PID 1860 wrote to memory of 524	1860	WmiPrvSE.exe	73
PID 2012 wrote to memory of 2908	2012	WScript.exe	74
PID 2012 wrote to memory of 2908	2012	WScript.exe	74
PID 2012 wrote to memory of 2908	2012	WScript.exe	74
PID 2908 wrote to memory of 2184	2908	WmiPrvSE.exe	75
PID 2908 wrote to memory of 2184	2908	WmiPrvSE.exe	75
PID 2908 wrote to memory of 2184	2908	WmiPrvSE.exe	75
PID 2908 wrote to memory of 1616	2908	WmiPrvSE.exe	76
PID 2908 wrote to memory of 1616	2908	WmiPrvSE.exe	76
PID 2908 wrote to memory of 1616	2908	WmiPrvSE.exe	76
PID 2184 wrote to memory of 1764	2184	WScript.exe	78
PID 2184 wrote to memory of 1764	2184	WScript.exe	78
PID 2184 wrote to memory of 1764	2184	WScript.exe	78
PID 1764 wrote to memory of 1660	1764	WmiPrvSE.exe	79
PID 1764 wrote to memory of 1660	1764	WmiPrvSE.exe	79
PID 1764 wrote to memory of 1660	1764	WmiPrvSE.exe	79
PID 1764 wrote to memory of 892	1764	WmiPrvSE.exe	80
PID 1764 wrote to memory of 892	1764	WmiPrvSE.exe	80
PID 1764 wrote to memory of 892	1764	WmiPrvSE.exe	80
PID 1660 wrote to memory of 1968	1660	WScript.exe	81
PID 1660 wrote to memory of 1968	1660	WScript.exe	81
PID 1660 wrote to memory of 1968	1660	WScript.exe	81
PID 1968 wrote to memory of 1572	1968	WmiPrvSE.exe	82
PID 1968 wrote to memory of 1572	1968	WmiPrvSE.exe	82
PID 1968 wrote to memory of 1572	1968	WmiPrvSE.exe	82
PID 1968 wrote to memory of 1428	1968	WmiPrvSE.exe	83
PID 1968 wrote to memory of 1428	1968	WmiPrvSE.exe	83
PID 1968 wrote to memory of 1428	1968	WmiPrvSE.exe	83
PID 1572 wrote to memory of 2780	1572	WScript.exe	84
PID 1572 wrote to memory of 2780	1572	WScript.exe	84
PID 1572 wrote to memory of 2780	1572	WScript.exe	84
PID 2780 wrote to memory of 2968	2780	WmiPrvSE.exe	85
PID 2780 wrote to memory of 2968	2780	WmiPrvSE.exe	85
PID 2780 wrote to memory of 2968	2780	WmiPrvSE.exe	85
PID 2780 wrote to memory of 2504	2780	WmiPrvSE.exe	86
PID 2780 wrote to memory of 2504	2780	WmiPrvSE.exe	86
PID 2780 wrote to memory of 2504	2780	WmiPrvSE.exe	86
PID 2968 wrote to memory of 2132	2968	WScript.exe	87
PID 2968 wrote to memory of 2132	2968	WScript.exe	87
PID 2968 wrote to memory of 2132	2968	WScript.exe	87
PID 2132 wrote to memory of 1140	2132	WmiPrvSE.exe	88
PID 2132 wrote to memory of 1140	2132	WmiPrvSE.exe	88
PID 2132 wrote to memory of 1140	2132	WmiPrvSE.exe	88
PID 2132 wrote to memory of 2292	2132	WmiPrvSE.exe	89
PID 2132 wrote to memory of 2292	2132	WmiPrvSE.exe	89
PID 2132 wrote to memory of 2292	2132	WmiPrvSE.exe	89
PID 1140 wrote to memory of 1748	1140	WScript.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eac98ebb342782d2e8ef453b3d4006f5.exe
"C:\Users\Admin\AppData\Local\Temp\eac98ebb342782d2e8ef453b3d4006f5.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ch42KhDkBi.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\eac98ebb342782d2e8ef453b3d4006f5.exe
    "C:\Users\Admin\AppData\Local\Temp\eac98ebb342782d2e8ef453b3d4006f5.exe"
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
      "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1860
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\988d2dab-bd23-4ab8-9961-460a6a18f565.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8da18423-3d96-46d3-84e3-a125182e3dc0.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba108a8e-d940-4b86-a715-37220283e31b.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6aa47a-66f9-4f5a-b0a8-54949b0da865.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28bed97e-01ca-4994-a8ab-87601c995afd.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c939948-62ef-42b9-83c0-c9a60bd92fdd.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e342c0d-6558-4352-adc9-f1e4f8ca3660.vbs"
        17⤵
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f0fd805-dcbd-40dd-b492-62085143e5cc.vbs"
        19⤵
        
        PID:1500
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa5b020f-1a33-4aa8-bb80-6148d30e02f4.vbs"
        21⤵
        
        PID:1852
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16793e21-abe5-4057-8b05-60a421ebbe61.vbs"
        23⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29a85cfc-5131-4300-a19d-c42f9e19188b.vbs"
        25⤵
        
        PID:480
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27865048-e96e-42fc-b3ef-1ec0dcca171f.vbs"
        27⤵
        
        PID:2612
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7320f890-ecb5-458d-9e68-07116299514e.vbs"
        29⤵
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\712dc413-1713-40b6-8988-bf98bfe86e4a.vbs"
        29⤵
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f38dde3-119f-4b12-842d-315574357826.vbs"
        27⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9558a727-cadc-4fce-9699-89912eba6185.vbs"
        25⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73014af7-d35d-4c2d-baba-54cf4121fffb.vbs"
        23⤵
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee7845c-3c9a-4d7b-b21f-c272d5fbd7dd.vbs"
        21⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fef94fd-cae4-44f1-92ee-08dcb767fbab.vbs"
        19⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c91a3cef-537b-4372-aedf-5c8077cc3c78.vbs"
        17⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e292846e-2fca-4890-a434-2b5393887687.vbs"
        15⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6086734-cdd8-42ca-b0e8-d86f9d946f2a.vbs"
        13⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba32f78a-a546-4a21-bc07-7da1c6a3885f.vbs"
        11⤵
        
        PID:1428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6c2349-43ac-48f4-8be4-cd08d28c2a2f.vbs"
        9⤵
        
        PID:892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6b79d97-b526-483c-b337-ccb9c56e48bd.vbs"
        7⤵
        
        PID:1616
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44d4fc22-9083-4d99-995f-3005de7372ac.vbs"
        5⤵
        
        PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppCompat\Programs\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\AppCompat\Programs\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eac98ebb342782d2e8ef453b3d4006f5e" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\eac98ebb342782d2e8ef453b3d4006f5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eac98ebb342782d2e8ef453b3d4006f5" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\eac98ebb342782d2e8ef453b3d4006f5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "eac98ebb342782d2e8ef453b3d4006f5e" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\eac98ebb342782d2e8ef453b3d4006f5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
885KB

MD5
2d7af82c78621c76888076ccf2e3f531

SHA1
a1ae056a6b1b3b35385dcc86f62deba18d6aba94

SHA256
90dbe3e987a0bbe502807bd049d681f4f577aa183152feaf01b266b0df850672

SHA512
f86bf327a819163c777a7ca16d4ad88a82522c59a192f7b6cffc790dc0afef373372ed39e1978c8b61aa8017c61b30d8196a006f7cff310122a94454b562dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d6aa47a-66f9-4f5a-b0a8-54949b0da865.vbs

Filesize
749B

MD5
6974ba0984a61e9fc4cfaf1f911304d5

SHA1
a5d74efa0bf3c3b06c2a41bf7ef5fa07cfd40d84

SHA256
605ceb1f1a45c8beb9cbcce47351ca012a3e9a0e84b1265cc54a917614353d52

SHA512
8793f788b983ab34273b3e7bede12c15c11010dff2712bb437058b06e0a5a849da99ef5803e3c9d38aba3de93e6eeedac0e93017df2e51b7f0ffecd76b5bd191

Download Submit
C:\Users\Admin\AppData\Local\Temp\16793e21-abe5-4057-8b05-60a421ebbe61.vbs

Filesize
749B

MD5
05adc6ed979581b1acc300cc8a494e83

SHA1
eae77f6b40e9f5b9df726945e48676fe8bdbbc7e

SHA256
33f861b5334e0b7325badf9ebac0aa96dd467bdb7132a560b6829299c3d4dfb5

SHA512
b947ea5688f74d8ff5f53aa991a3a8665a9954da5e5c91da17129a50bd50f3975fb9f6cb7a83e88710f93ce3200a4d442ffe953a160c2a20fe883e632e293388

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f0fd805-dcbd-40dd-b492-62085143e5cc.vbs

Filesize
749B

MD5
0c53066c1aa3e76baebe7924206e85ed

SHA1
56926927c3b632e49bf53cc16c54a3d7b754469a

SHA256
bed37823b0cead6330e9967ac552cad18dcb587fbc8d3c069f6f9fdff0425ee4

SHA512
2f1e946f5d6ee5c39183dd95de2b041bde37a580aa7f7e5a14474ebf1a3af29159ec4343cdfe521bd1adf82fe68c34867e78797b47f56aa4cecfce0818a20dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\27865048-e96e-42fc-b3ef-1ec0dcca171f.vbs

Filesize
749B

MD5
154f1e3ddb7f21b613bd51a7ff271d84

SHA1
c6c30ec8faa47be1feba1aec0b0935ccb951d6f6

SHA256
527312ae6162055cdfa58724c7d46cc8c9f8624ac3c60a272e40ceee976d8c85

SHA512
a18fdc03b3cab4d87d93e8941762b4d5159c1d0818cec54cc5b347b40dbe95c15f32815889e882c1323ced4c865df2f2f20f230b52d35d491b7ec6f9cd420818

Download Submit
C:\Users\Admin\AppData\Local\Temp\28bed97e-01ca-4994-a8ab-87601c995afd.vbs

Filesize
749B

MD5
3670b372e80d10563275954d2a8ff6a4

SHA1
5b4ffdf279c820b1963d7f61693de140bd25a03b

SHA256
c2a30b0ba780a216095aab3da0c433f78f54e45bc5c07fab7656783527b5ff12

SHA512
e7960c51a8f2527bd926b81c73f45dd82365d40a72a08a9a80d6ebbe7f2d0b1516306aae8747363a9facd28e1020b77506160263d49e12746d9462eceb59698a

Download Submit
C:\Users\Admin\AppData\Local\Temp\29a85cfc-5131-4300-a19d-c42f9e19188b.vbs

Filesize
749B

MD5
264d77fd89ff0aacc2a75b8a233c1701

SHA1
48275c23a2193a8a85a1d0425cfa504d3f05f5c9

SHA256
4461317da0348e065de3b72ae1dc590086e49a2dd336898651f93c4f90a1da55

SHA512
af1a997f86556fab196f0cf163c9b3938cfcd346565e4d5bc188625775ba2241ad4a71047cdb4a74963ea231bee8d0b422d5206833ee490fa98bdd94481f44a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e342c0d-6558-4352-adc9-f1e4f8ca3660.vbs

Filesize
749B

MD5
01743343e2fcd232818486b95b7b775e

SHA1
73ec317014ca1d7cd5f590ba2d173401c321a4d0

SHA256
5796590131d6a3be0355a243b2395e59e3bd135e82f4ab610826acf2c14aa293

SHA512
e5ad1ac76a34b037e8a9cc5413d5133c2c2781407b63d20595dfcd5e5be1479e0109588b3421c779563272a70fc1249b510be62b342a0c7d93b8ed296c6c61c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\44d4fc22-9083-4d99-995f-3005de7372ac.vbs

Filesize
525B

MD5
9c41fced89a83ab85eff76704e4f9cc1

SHA1
1352818e757b353087985690528458fd3b5c4feb

SHA256
c0784139a1513da72e68292ee6757dfb2a51b8454bb1821b5c241dfbfcf9b029

SHA512
35d66916070bd6ee424f07d9cf10e4a3c1c332a07b5cff6f2c8c3becff9748c40d0d8e00a9de3fb19336d81f970050b2c642f1cf9848f982ce1f5eb32119fc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c939948-62ef-42b9-83c0-c9a60bd92fdd.vbs

Filesize
749B

MD5
4931f872ac03c70af4844fe552b2cd86

SHA1
db3c75f5399d6ebff398c03f5797c5f35f75333d

SHA256
cf8fa6f043b03cefa0e0c6d0dd20c57569435ff756e53aaf98565d78ac94479f

SHA512
35240f10c6673775380f666c790c132dc6ed697451979729283ad3626e93278a5c1e195552d286096a4398137788a325172c5fce148510827e1efd0c34b22518

Download Submit
C:\Users\Admin\AppData\Local\Temp\7320f890-ecb5-458d-9e68-07116299514e.vbs

Filesize
749B

MD5
efa87e055ffcf3cfd064d36d5473f871

SHA1
81da478c6e327e6582abad1f241df3e379796816

SHA256
247dabf4458af5fa28ef67f43970adc8020df595bbc7d5411209e45904ec7002

SHA512
614be2c90f64157eb8f8f7db9b67998983b72a8fdc5a98c1b00bf4cbc09e2fafb90113894dd441d198042b114a610447a79dbb44dece48ef41ccc51549bfb17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8da18423-3d96-46d3-84e3-a125182e3dc0.vbs

Filesize
749B

MD5
58fcc03d4c536e31cb7e54473814d321

SHA1
a95e79faef7ac04fb30e15896ccf2190b62c0f68

SHA256
f92e322e2cdbbf8a68b7e3805895cc5c122a85be8ba4fe3fd2e1c537ceeeced7

SHA512
8375cada53ecaea855358bb6a82b507c307620e05584e8d64109ba567d2bcf8ef9a982cbb6de2ca57ae4923aedfb231bfee6a695d67dc671cb50c62e591536f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\988d2dab-bd23-4ab8-9961-460a6a18f565.vbs

Filesize
749B

MD5
06d980001c604473951e2d8ee6ec5eee

SHA1
3da0cc569539402d35f7b21b59479b2de6501e31

SHA256
d3a4833c40768d0b4640fb51daf889c7bb82ea273bb78c47e03c3d3c7bbd4198

SHA512
d8c22fb311d10cb99d2862aa1422a809708701171367c578130ab1f96bc20341c4955e62786eadd4e85c7cc83f8acd0345f284089679943bf0285bfc40f3d8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX69BC.tmp

Filesize
885KB

MD5
eac98ebb342782d2e8ef453b3d4006f5

SHA1
b8bfb2496a72d101e9c8f0a86c6a838615b99b72

SHA256
554055083c7aee5ed747c7fad8cd8232365485281f84a05ffb757732b0f323f4

SHA512
f4778728326651083824f1e0023b04959077a722ef333d981e614c8cd45824c357a341d757e0a6427ebd6ac00f7c2b8204f6706f4a047e775ff70269d1112dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa5b020f-1a33-4aa8-bb80-6148d30e02f4.vbs

Filesize
749B

MD5
761aaf7f7bed0f42dc0a5a80b2e5633c

SHA1
69bed7f8f5731db6437ba6406b48291331c32c25

SHA256
a38b99b8853038e9030f49b8bc4d6c58c3758505060cf6c2e8f463d192ae61e4

SHA512
0043820824a8fd35b64f82f11d664a62cc87542db9a84cd639bb3703de753d123fe71df1bb8c6ae7cfd79bde82f01d9928b1a04fc59e1578567708f7551d06fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba108a8e-d940-4b86-a715-37220283e31b.vbs

Filesize
749B

MD5
b1a7e218e9a084beecf9bb1c5fdc00ef

SHA1
ae9a702f4bd05d5a9b6ef0d639859313400ccfe4

SHA256
b16032156591384e2ef0e468aa1f7996f409b429b213ae3770fe89851a4a5661

SHA512
a541645197da4f387cd65048b4dce5054147d5bdb897d840ba01337b07edd42901c0daa5d0f08adacd9bce04dbb51764d1dc912c7166458c4178c068c8b58950

Download Submit
C:\Users\Admin\AppData\Local\Temp\ch42KhDkBi.bat

Filesize
235B

MD5
371abcf6d3aa2b1a0c924c57a6681878

SHA1
d1bcd070235fc85151eea272fcde3623cac6faf9

SHA256
86d9b839a90235389b5bd09c67fe6e936ee4f9ab4df2582b9a679db257a5b26c

SHA512
3448e2edbb76222a0e3bdab1a7f3b525855d6bba852d493744160fe3877bb1214638073231df6d974692f1c8906b9b9f9a55a2bdd3b7a11ca8d8b1238ec284d2

Download Submit
memory/1192-289-0x00000000013B0000-0x0000000001494000-memory.dmp

Filesize
912KB

Download
memory/1860-189-0x0000000000FA0000-0x0000000001084000-memory.dmp

Filesize
912KB

Download
memory/2132-74-0x0000000000C90000-0x0000000000D74000-memory.dmp

Filesize
912KB

Download
memory/2680-323-0x0000000000170000-0x0000000000254000-memory.dmp

Filesize
912KB

Download
memory/2820-7-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2820-6-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2820-8-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2820-5-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2820-9-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2820-72-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-4-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2820-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2820-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2820-1-0x0000000000300000-0x00000000003E4000-memory.dmp

Filesize
912KB

Download
memory/2960-277-0x0000000000350000-0x0000000000434000-memory.dmp

Filesize
912KB

Download