dcrat | 777f77c1c53c3551c89ef44c86c06cbfe0b2bb04374b7d7d9f6153d3ecc3c267

Analysis

max time kernel
84s
max time network
152s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41234e0118ba1cfc06b88d347f3a53f5.exe
Size

885KB
MD5

41234e0118ba1cfc06b88d347f3a53f5
SHA1

a0bc5bbd988def1d53cb8b74d6a19084ebec1a92
SHA256

7eaf3845dc36309ef1b4dbcf87058d55bbe2b9bdad969d53c9bf6f250981dd6f
SHA512

25f929d3197123654edfd7ba2dcad5dcc0c2fab2743c9e7b80ed2b419326f5666799d6866ed76d51f7fce1a48e1d67c0454f5a9f699c04c590366c27c313d49c
SSDEEP

12288:GlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:GlNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1652	schtasks.exe	31

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/2236-1-0x0000000000DB0000-0x0000000000E94000-memory.dmp	dcrat
behavioral3/files/0x0005000000019f3f-18.dat	dcrat
behavioral3/files/0x000600000001a499-165.dat	dcrat
behavioral3/files/0x000e00000001a4f5-160.dat	dcrat
behavioral3/memory/1980-204-0x0000000000C00000-0x0000000000CE4000-memory.dmp	dcrat
behavioral3/memory/2472-215-0x00000000002A0000-0x0000000000384000-memory.dmp	dcrat
behavioral3/memory/976-227-0x0000000000AF0000-0x0000000000BD4000-memory.dmp	dcrat
behavioral3/memory/2060-238-0x0000000000230000-0x0000000000314000-memory.dmp	dcrat
behavioral3/memory/584-250-0x0000000000FB0000-0x0000000001094000-memory.dmp	dcrat
behavioral3/memory/2788-262-0x0000000000090000-0x0000000000174000-memory.dmp	dcrat
behavioral3/memory/2224-274-0x0000000000110000-0x00000000001F4000-memory.dmp	dcrat
behavioral3/memory/2716-286-0x0000000000120000-0x0000000000204000-memory.dmp	dcrat
behavioral3/memory/1864-298-0x0000000000D70000-0x0000000000E54000-memory.dmp	dcrat

Executes dropped EXE 5 IoCs

pid	Process
1980	services.exe
2472	services.exe
976	services.exe
2060	services.exe
584	services.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXE4CD.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXE3ED.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCXE403.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXE3EE.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXE4CB.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXE4CC.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\f3b6ecef712a24	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\69ddcba757bf72	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\101b941d020240	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\sppsvc.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXE44D.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\0a1fd5f707cd16	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCXE404.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Help\Windows\ja-JP\WMIADAP.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\RCXE414.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..c-oracle-driver-dll_31bf3856ad364e35_6.1.7601.17514_none_6b16a37ea1353bb1\Idle.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Help\Windows\ja-JP\75a57c1bdf437c	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Resources\Themes\Aero\en-US\smss.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXE36F.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Offline Web Pages\WMIADAP.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Offline Web Pages\75a57c1bdf437c	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Resources\Themes\Aero\en-US\69ddcba757bf72	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Branding\ShellBrd\0a1fd5f707cd16	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\RCXE415.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\en-US\RCXE416.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Branding\ShellBrd\RCXE42A.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Branding\ShellBrd\RCXE43B.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Offline Web Pages\WMIADAP.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File created	C:\Windows\Branding\ShellBrd\sppsvc.exe	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXE36E.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\en-US\RCXE417.tmp	41234e0118ba1cfc06b88d347f3a53f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1932	schtasks.exe
1224	schtasks.exe
1784	schtasks.exe
2672	schtasks.exe
2044	schtasks.exe
2936	schtasks.exe
2372	schtasks.exe
2740	schtasks.exe
320	schtasks.exe
2668	schtasks.exe
1048	schtasks.exe
596	schtasks.exe
3004	schtasks.exe
2844	schtasks.exe
2724	schtasks.exe
2688	schtasks.exe
2556	schtasks.exe
1972	schtasks.exe
956	schtasks.exe
2752	schtasks.exe
2652	schtasks.exe
1984	schtasks.exe
2240	schtasks.exe
2228	schtasks.exe
2648	schtasks.exe
1616	schtasks.exe
1808	schtasks.exe
2548	schtasks.exe
2824	schtasks.exe
2776	schtasks.exe
2788	schtasks.exe
2284	schtasks.exe
832	schtasks.exe
2636	schtasks.exe
2140	schtasks.exe
684	schtasks.exe
1496	schtasks.exe
1988	schtasks.exe
2900	schtasks.exe
2912	schtasks.exe
2924	schtasks.exe
2212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2236	41234e0118ba1cfc06b88d347f3a53f5.exe
2236	41234e0118ba1cfc06b88d347f3a53f5.exe
2236	41234e0118ba1cfc06b88d347f3a53f5.exe
2236	41234e0118ba1cfc06b88d347f3a53f5.exe
2236	41234e0118ba1cfc06b88d347f3a53f5.exe
1980	services.exe
2472	services.exe
976	services.exe
2060	services.exe
584	services.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	41234e0118ba1cfc06b88d347f3a53f5.exe
Token: SeDebugPrivilege	1980	services.exe
Token: SeDebugPrivilege	2472	services.exe
Token: SeDebugPrivilege	976	services.exe
Token: SeDebugPrivilege	2060	services.exe
Token: SeDebugPrivilege	584	services.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2688	2236	41234e0118ba1cfc06b88d347f3a53f5.exe	74
PID 2236 wrote to memory of 2688	2236	41234e0118ba1cfc06b88d347f3a53f5.exe	74
PID 2236 wrote to memory of 2688	2236	41234e0118ba1cfc06b88d347f3a53f5.exe	74
PID 2688 wrote to memory of 2212	2688	cmd.exe	76
PID 2688 wrote to memory of 2212	2688	cmd.exe	76
PID 2688 wrote to memory of 2212	2688	cmd.exe	76
PID 2688 wrote to memory of 1980	2688	cmd.exe	77
PID 2688 wrote to memory of 1980	2688	cmd.exe	77
PID 2688 wrote to memory of 1980	2688	cmd.exe	77
PID 1980 wrote to memory of 1692	1980	services.exe	78
PID 1980 wrote to memory of 1692	1980	services.exe	78
PID 1980 wrote to memory of 1692	1980	services.exe	78
PID 1980 wrote to memory of 3068	1980	services.exe	79
PID 1980 wrote to memory of 3068	1980	services.exe	79
PID 1980 wrote to memory of 3068	1980	services.exe	79
PID 1692 wrote to memory of 2472	1692	WScript.exe	80
PID 1692 wrote to memory of 2472	1692	WScript.exe	80
PID 1692 wrote to memory of 2472	1692	WScript.exe	80
PID 2472 wrote to memory of 588	2472	services.exe	81
PID 2472 wrote to memory of 588	2472	services.exe	81
PID 2472 wrote to memory of 588	2472	services.exe	81
PID 2472 wrote to memory of 1544	2472	services.exe	82
PID 2472 wrote to memory of 1544	2472	services.exe	82
PID 2472 wrote to memory of 1544	2472	services.exe	82
PID 588 wrote to memory of 976	588	WScript.exe	83
PID 588 wrote to memory of 976	588	WScript.exe	83
PID 588 wrote to memory of 976	588	WScript.exe	83
PID 976 wrote to memory of 2440	976	services.exe	84
PID 976 wrote to memory of 2440	976	services.exe	84
PID 976 wrote to memory of 2440	976	services.exe	84
PID 976 wrote to memory of 2316	976	services.exe	85
PID 976 wrote to memory of 2316	976	services.exe	85
PID 976 wrote to memory of 2316	976	services.exe	85
PID 2060 wrote to memory of 2908	2060	services.exe	87
PID 2060 wrote to memory of 2908	2060	services.exe	87
PID 2060 wrote to memory of 2908	2060	services.exe	87
PID 2060 wrote to memory of 1792	2060	services.exe	88
PID 2060 wrote to memory of 1792	2060	services.exe	88
PID 2060 wrote to memory of 1792	2060	services.exe	88
PID 2908 wrote to memory of 584	2908	WScript.exe	89
PID 2908 wrote to memory of 584	2908	WScript.exe	89
PID 2908 wrote to memory of 584	2908	WScript.exe	89
PID 584 wrote to memory of 2248	584	services.exe	90
PID 584 wrote to memory of 2248	584	services.exe	90
PID 584 wrote to memory of 2248	584	services.exe	90
PID 584 wrote to memory of 1148	584	services.exe	91
PID 584 wrote to memory of 1148	584	services.exe	91
PID 584 wrote to memory of 1148	584	services.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41234e0118ba1cfc06b88d347f3a53f5.exe
"C:\Users\Admin\AppData\Local\Temp\41234e0118ba1cfc06b88d347f3a53f5.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Spp5Mb295B.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2212
- - C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
    "C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec9e76a3-c15f-4c6e-bff1-02806ffaaddb.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b6649ca-46c0-4ebd-bc94-ae7baab4562c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4bcd16c-4829-4450-918e-4d35020060bf.vbs"
        8⤵
        
        PID:2440
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f201f284-ea71-4e1d-9a7b-833e681f3da2.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\877e6385-7d7a-4689-9f92-78cf51017be4.vbs"
        12⤵
        
        PID:2248
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        13⤵
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57b8d2d5-9ab0-4675-ab48-a0e71d503b8b.vbs"
        14⤵
        
        PID:2036
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        15⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53f706e5-c411-4284-a010-8ccada1a4050.vbs"
        16⤵
        
        PID:2880
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        17⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b796f7a2-4d71-4dfb-b982-a3cf477dd12b.vbs"
        18⤵
        
        PID:2512
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        19⤵
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67c9da2b-dde6-4d3b-bd32-6fb63d759f98.vbs"
        20⤵
        
        PID:1568
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        
        C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe
        21⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6432c278-44d6-45d9-a298-1f2e2fd67c05.vbs"
        22⤵
        
        PID:1308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe4183e0-dd38-4fa8-bf47-78db16c23690.vbs"
        22⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f44aec5f-5663-4cb0-a039-078ac9ee64f9.vbs"
        20⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\647ccda8-c00b-47f0-a362-6a9e9242efc4.vbs"
        18⤵
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9659b2f5-158d-4d4d-8e0f-e384aeb13390.vbs"
        16⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dd1b78f-9765-4240-b6ba-a40523a72308.vbs"
        14⤵
        
        PID:1064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efe4c3da-9d01-4cdf-b5a6-0f05f0c4c481.vbs"
        12⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f086570-cc64-4ccb-80a9-de5e0d5268b5.vbs"
        10⤵
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24fc3e43-1d2e-409a-ae69-03679d96ceda.vbs"
        8⤵
        
        PID:2316
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdbafd9c-f885-4e47-afd3-98e060b4bbf0.vbs"
        6⤵
        
        PID:1544
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d817b32-b58a-4e9c-8066-35e3d556e8fe.vbs"
      4⤵
      PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Windows\ja-JP\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Help\Windows\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Windows\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Themes\Aero\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe

Filesize
885KB

MD5
cdb342773dbf37ee702e4df29f8b038c

SHA1
06f8696948820001ee9ce20f8b5a7804de6567c9

SHA256
6950054008381b63f238b8eae575237cc7efd70f7919b2230f63d167b5f85edd

SHA512
7d677aff88f708caa751813b55746a28a773f14fb0b8fd28188b1394ee17e607042cfc53c59e04e873f46ffd83a6165fa99959bc0d798d29a33f2fb1c26dbf97

Download Submit
C:\Program Files (x86)\Windows Media Player\ja-JP\smss.exe

Filesize
885KB

MD5
41234e0118ba1cfc06b88d347f3a53f5

SHA1
a0bc5bbd988def1d53cb8b74d6a19084ebec1a92

SHA256
7eaf3845dc36309ef1b4dbcf87058d55bbe2b9bdad969d53c9bf6f250981dd6f

SHA512
25f929d3197123654edfd7ba2dcad5dcc0c2fab2743c9e7b80ed2b419326f5666799d6866ed76d51f7fce1a48e1d67c0454f5a9f699c04c590366c27c313d49c

Download Submit
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCXE4CC.tmp

Filesize
885KB

MD5
3603e15331d1172fa6bf5e25f77460c5

SHA1
b8c617e3d51305650e8e7d45309d709c5b70f2e2

SHA256
1e596097b6e274b27f6c57166f756a8c3c9aa90a403d7d493627d05cfdef3da5

SHA512
d761add665ab924d7a19ad5f8eff12db1f2e69111b4245b7f22f00499fae1723492872b8d84e07463a85f33eb0f9289b331822315da6e78a4fbc742a87e19e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\53f706e5-c411-4284-a010-8ccada1a4050.vbs

Filesize
737B

MD5
c656a02293f018eb32adbc74eb1e1fbb

SHA1
c44ad3e9e11061936d3ddedafda19ebce3d975cb

SHA256
171409a820e39dad0900e581aa8bd580a1a698605d7ceba4400453da0b13df2b

SHA512
7db110376610e394b532ca51a87fd21da1a2a4a625b0b4ecd575fd522c4635ab980cad906dc794097ca2b35064432a7b7e815dbd82df0f1e941b79c39d7be243

Download Submit
C:\Users\Admin\AppData\Local\Temp\57b8d2d5-9ab0-4675-ab48-a0e71d503b8b.vbs

Filesize
737B

MD5
48b3ca7507c0d9e4ee0e6dd670b9fd9e

SHA1
99a63212e3481593783013094253f592a703c663

SHA256
3aff87a854553a07000562b0d6f25c43878765491355a9255271c3dceae35688

SHA512
211c19f52c0d6d1d35c938cdcad0ea88e9f568f35cc6eb379273eb7ba626ce8181babc45db77a5da47305097afbd38b65a3b191e598c8d090feeab980d5ac544

Download Submit
C:\Users\Admin\AppData\Local\Temp\6432c278-44d6-45d9-a298-1f2e2fd67c05.vbs

Filesize
737B

MD5
4aa5f4ae5c927cda8a16dba937e8a6fd

SHA1
3a9167e062a3a771af07e26fae7edaf609b980ce

SHA256
2b96f713801ad0ffba1399e96ba285c153883700923ffebd5ca5b4484daa47c2

SHA512
dacc18c6143b3a3745af3bcaf89611186793f3c8d0c91d6684c37b96fbc7efc8ded3333c81121ec0155bbab6083de778917e60459d64859c4d125bbb38c92d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\67c9da2b-dde6-4d3b-bd32-6fb63d759f98.vbs

Filesize
737B

MD5
cd02bcaad7bdff56e440c9585472915c

SHA1
22d85f5510e1f2fd24b9d759560c2987b3086c52

SHA256
d0c06bb4a1574bcc6d90ca133912a44deb3ca02fa5951ce4dd8193ca109d29d9

SHA512
0ad3907e6a53ebc551e4b79de37bdf9d818eb7fa0e23931a9e40237c2257bec2922c28cf4631533297af15a52580714f6908a844ee7ec785528790edb4775778

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b6649ca-46c0-4ebd-bc94-ae7baab4562c.vbs

Filesize
737B

MD5
095ee599f3fcff88021478ac21da9716

SHA1
1380f34ec1dcce64ec13b44205a7523975b6d1d8

SHA256
7c12cf070376dd2396bc85de39b612665b4d5361b55d1256c60b5ff725d77a7f

SHA512
1c2f0d9ed4490b385a3ff416c61ddb03729cce73aedd0ed7e3e1fdad9b69f6034cbef104d66a2b51ba20329e8c4ef79caae742af4460c57567ca1b3666b8986d

Download Submit
C:\Users\Admin\AppData\Local\Temp\877e6385-7d7a-4689-9f92-78cf51017be4.vbs

Filesize
736B

MD5
25b0e02a32c58339ce527ff9fc1bb1d5

SHA1
d832ee0d01afca8c5564c300674e1d24a7915667

SHA256
42ae10f6c5c8a1ef85e881e4647f3b56fc7db45943295cd427895b837a801408

SHA512
982e5b70b0db1acd46c92e25aa4fc393c7e90f95f54c0482d429d57164ec37468d7403a20fb1e80c45414d00cde44a1adaf67c802be35f7e479bf4fa5f74910c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d817b32-b58a-4e9c-8066-35e3d556e8fe.vbs

Filesize
513B

MD5
f70acaee9ddf8d0081fa65f0c3214097

SHA1
6e1031d69df987ba960400d0d4d90ce4de390658

SHA256
9e48abad7554fc73bbe337a2a05fe4b0618fbff77eb5bc547b0e49b62eaa89f6

SHA512
c799d210aa24a09cef3d6ed4c6b6d15df9015e967e1029b86a24ade4442eeffefadd1263f1ed7a635e9587a97ea14b129571416814b46b23a527ec34acea3a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spp5Mb295B.bat

Filesize
226B

MD5
0473cfdd15145d8e55ef519688ceaaeb

SHA1
eea6a8d6d4ec5763e9a34d97b566250a7467a7fc

SHA256
f3b4d681d7591e20abbbefe1f5145c2a676c2d7b1d73adcef8c5be10d34c203e

SHA512
f8ab1d7eb7f17ecc76b73dc936d6542d023e21c591dcf79bec8b37e5b599264933206295bc89526429cb1e4e9f2a881b7dbb660d428ed5e894933be0715a80fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\b796f7a2-4d71-4dfb-b982-a3cf477dd12b.vbs

Filesize
737B

MD5
1622a9b7e7eeb036e8edfa3faaeb4fa8

SHA1
40286e051f3c6362383894737bfca9a3ce8b2fa3

SHA256
b51ad2c006e6931e1e191b57b9e5c409162e6db35f75d5a7804f3a3e19b8436d

SHA512
4e76717e719e75dce55ef27f504e44dfa8e208d23ad3f9d6ca077f4532fb9a613f6ffcc4fab3c6c4fd9aad655e946bc348e204476ea9d2703572cc0a2ae7a703

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec9e76a3-c15f-4c6e-bff1-02806ffaaddb.vbs

Filesize
737B

MD5
a86d6dedac08f39dba1dccd22fa78e29

SHA1
841680544d4ffade95cdf35b932d56163474bbbb

SHA256
f57b85e98d29ae00918dbf4c3e83e907b7b52de9c67aa4ee56734e0a11559e18

SHA512
faaf3c660f33a2045c2f973353840391ade5d4503573bdc261712367495e8f25b8da22184b239cfbf56a131d9016fd135e219a651e801d211958ae7a4dc76f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\f201f284-ea71-4e1d-9a7b-833e681f3da2.vbs

Filesize
737B

MD5
3c6a8cbbc11b059e7ce386c4ca775720

SHA1
4e8a72a24c07d2ed8e6c6b5f2d1a305c5e1a8a27

SHA256
2337a5cb14257ee4053380820f5bda163404697261e50f6eb11dbd2cc6356119

SHA512
3ab6079c5a54ad25f8cb4a6edae3d912393906622bf087efe07e3c92e50d1b4dbc4bf9e3b61e8553eebd3fb25de034d1e2064d1a768278fefd409d4ac1b0baf0

Download Submit
memory/584-250-0x0000000000FB0000-0x0000000001094000-memory.dmp

Filesize
912KB

Download
memory/976-227-0x0000000000AF0000-0x0000000000BD4000-memory.dmp

Filesize
912KB

Download
memory/1864-298-0x0000000000D70000-0x0000000000E54000-memory.dmp

Filesize
912KB

Download
memory/1980-204-0x0000000000C00000-0x0000000000CE4000-memory.dmp

Filesize
912KB

Download
memory/2060-238-0x0000000000230000-0x0000000000314000-memory.dmp

Filesize
912KB

Download
memory/2224-274-0x0000000000110000-0x00000000001F4000-memory.dmp

Filesize
912KB

Download
memory/2236-4-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2236-0-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000000DB0000-0x0000000000E94000-memory.dmp

Filesize
912KB

Download
memory/2236-9-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2236-7-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/2236-2-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-5-0x00000000004C0000-0x00000000004D6000-memory.dmp

Filesize
88KB

Download
memory/2236-6-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2236-8-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2236-201-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-3-0x00000000004A0000-0x00000000004BC000-memory.dmp

Filesize
112KB

Download
memory/2472-215-0x00000000002A0000-0x0000000000384000-memory.dmp

Filesize
912KB

Download
memory/2716-286-0x0000000000120000-0x0000000000204000-memory.dmp

Filesize
912KB

Download
memory/2788-262-0x0000000000090000-0x0000000000174000-memory.dmp

Filesize
912KB

Download