dcrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4454ceb4919130c9dd9ac71aefa53879.exe
Size

885KB
MD5

4454ceb4919130c9dd9ac71aefa53879
SHA1

718ee7efda5afef9a41513902c33a767d3eba95c
SHA256

b7c8e0d773962b93371cd3a7f5617d0ced09ed117b3082fdabe319954cc2c59d
SHA512

7a7a4f2bca12d9a518d8e5dbee655a4a210c13eb44edd1d93597bd6a010a4fe9ede1c0ef6d9baca14f411ca27524ccdee486758cfb36bc67727b9c42ecca7cd1
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5208	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6044	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5928	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5536	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5612	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4484	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4484	schtasks.exe	89

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral10/memory/2532-1-0x00000000000E0000-0x00000000001C4000-memory.dmp	dcrat
behavioral10/files/0x000700000002436e-19.dat	dcrat
behavioral10/files/0x000700000002437d-42.dat	dcrat

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	4454ceb4919130c9dd9ac71aefa53879.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 14 IoCs

pid	Process
4240	upfc.exe
6108	upfc.exe
4720	upfc.exe
2020	upfc.exe
5364	upfc.exe
5200	upfc.exe
4956	upfc.exe
3416	upfc.exe
2912	upfc.exe
3720	upfc.exe
3228	upfc.exe
5924	upfc.exe
2340	upfc.exe
1908	upfc.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX8FDD.tmp	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Program Files\Windows Defender\Registry.exe	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Program Files\Windows Defender\ee2ad38f3d4382	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Program Files (x86)\Internet Explorer\OfficeClickToRun.exe	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Program Files (x86)\Internet Explorer\e6c9b481da804f	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Program Files\Windows Defender\RCX8F75.tmp	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Program Files\Windows Defender\RCX8F85.tmp	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX8F96.tmp	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX8F97.tmp	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX8FDC.tmp	4454ceb4919130c9dd9ac71aefa53879.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Windows\SKB\LanguageModels\eddb19405b7ce1	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCX8FB9.tmp	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCX8FBA.tmp	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Windows\LanguageOverlayCache\csrss.exe	4454ceb4919130c9dd9ac71aefa53879.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	4454ceb4919130c9dd9ac71aefa53879.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4744	schtasks.exe
5928	schtasks.exe
5536	schtasks.exe
5456	schtasks.exe
5208	schtasks.exe
6044	schtasks.exe
4448	schtasks.exe
4524	schtasks.exe
3652	schtasks.exe
4808	schtasks.exe
628	schtasks.exe
4692	schtasks.exe
4716	schtasks.exe
4528	schtasks.exe
6076	schtasks.exe
4696	schtasks.exe
4768	schtasks.exe
4848	schtasks.exe
4884	schtasks.exe
3780	schtasks.exe
4600	schtasks.exe
4852	schtasks.exe
5464	schtasks.exe
5612	schtasks.exe
2800	schtasks.exe
4556	schtasks.exe
4584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
2532	4454ceb4919130c9dd9ac71aefa53879.exe
4240	upfc.exe
6108	upfc.exe
4720	upfc.exe
4720	upfc.exe
2020	upfc.exe
2020	upfc.exe
5364	upfc.exe
5200	upfc.exe
5200	upfc.exe
4956	upfc.exe
4956	upfc.exe
3416	upfc.exe
3416	upfc.exe
2912	upfc.exe
2912	upfc.exe
3720	upfc.exe
3720	upfc.exe
3228	upfc.exe
3228	upfc.exe
5924	upfc.exe
5924	upfc.exe
2340	upfc.exe
2340	upfc.exe
1908	upfc.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	4454ceb4919130c9dd9ac71aefa53879.exe
Token: SeDebugPrivilege	4240	upfc.exe
Token: SeDebugPrivilege	6108	upfc.exe
Token: SeDebugPrivilege	4720	upfc.exe
Token: SeDebugPrivilege	2020	upfc.exe
Token: SeDebugPrivilege	5364	upfc.exe
Token: SeDebugPrivilege	5200	upfc.exe
Token: SeDebugPrivilege	4956	upfc.exe
Token: SeDebugPrivilege	3416	upfc.exe
Token: SeDebugPrivilege	2912	upfc.exe
Token: SeDebugPrivilege	3720	upfc.exe
Token: SeDebugPrivilege	3228	upfc.exe
Token: SeDebugPrivilege	5924	upfc.exe
Token: SeDebugPrivilege	2340	upfc.exe
Token: SeDebugPrivilege	1908	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1388	2532	4454ceb4919130c9dd9ac71aefa53879.exe	118
PID 2532 wrote to memory of 1388	2532	4454ceb4919130c9dd9ac71aefa53879.exe	118
PID 1388 wrote to memory of 4980	1388	cmd.exe	120
PID 1388 wrote to memory of 4980	1388	cmd.exe	120
PID 1388 wrote to memory of 4240	1388	cmd.exe	122
PID 1388 wrote to memory of 4240	1388	cmd.exe	122
PID 4240 wrote to memory of 3584	4240	upfc.exe	123
PID 4240 wrote to memory of 3584	4240	upfc.exe	123
PID 4240 wrote to memory of 1788	4240	upfc.exe	124
PID 4240 wrote to memory of 1788	4240	upfc.exe	124
PID 3584 wrote to memory of 6108	3584	WScript.exe	125
PID 3584 wrote to memory of 6108	3584	WScript.exe	125
PID 6108 wrote to memory of 1032	6108	upfc.exe	126
PID 6108 wrote to memory of 1032	6108	upfc.exe	126
PID 6108 wrote to memory of 3300	6108	upfc.exe	127
PID 6108 wrote to memory of 3300	6108	upfc.exe	127
PID 1032 wrote to memory of 4720	1032	WScript.exe	138
PID 1032 wrote to memory of 4720	1032	WScript.exe	138
PID 4720 wrote to memory of 4740	4720	upfc.exe	139
PID 4720 wrote to memory of 4740	4720	upfc.exe	139
PID 4720 wrote to memory of 4800	4720	upfc.exe	140
PID 4720 wrote to memory of 4800	4720	upfc.exe	140
PID 4740 wrote to memory of 2020	4740	WScript.exe	143
PID 4740 wrote to memory of 2020	4740	WScript.exe	143
PID 2020 wrote to memory of 3832	2020	upfc.exe	147
PID 2020 wrote to memory of 3832	2020	upfc.exe	147
PID 2020 wrote to memory of 4924	2020	upfc.exe	148
PID 2020 wrote to memory of 4924	2020	upfc.exe	148
PID 3832 wrote to memory of 5364	3832	WScript.exe	151
PID 3832 wrote to memory of 5364	3832	WScript.exe	151
PID 5364 wrote to memory of 4288	5364	upfc.exe	152
PID 5364 wrote to memory of 4288	5364	upfc.exe	152
PID 5364 wrote to memory of 2516	5364	upfc.exe	153
PID 5364 wrote to memory of 2516	5364	upfc.exe	153
PID 4288 wrote to memory of 5200	4288	WScript.exe	154
PID 4288 wrote to memory of 5200	4288	WScript.exe	154
PID 5200 wrote to memory of 5176	5200	upfc.exe	155
PID 5200 wrote to memory of 5176	5200	upfc.exe	155
PID 5200 wrote to memory of 3600	5200	upfc.exe	156
PID 5200 wrote to memory of 3600	5200	upfc.exe	156
PID 5176 wrote to memory of 4956	5176	WScript.exe	157
PID 5176 wrote to memory of 4956	5176	WScript.exe	157
PID 4956 wrote to memory of 5328	4956	upfc.exe	158
PID 4956 wrote to memory of 5328	4956	upfc.exe	158
PID 4956 wrote to memory of 5604	4956	upfc.exe	159
PID 4956 wrote to memory of 5604	4956	upfc.exe	159
PID 5328 wrote to memory of 3416	5328	WScript.exe	161
PID 5328 wrote to memory of 3416	5328	WScript.exe	161
PID 3416 wrote to memory of 5028	3416	upfc.exe	162
PID 3416 wrote to memory of 5028	3416	upfc.exe	162
PID 3416 wrote to memory of 5632	3416	upfc.exe	163
PID 3416 wrote to memory of 5632	3416	upfc.exe	163
PID 5028 wrote to memory of 2912	5028	WScript.exe	164
PID 5028 wrote to memory of 2912	5028	WScript.exe	164
PID 2912 wrote to memory of 5532	2912	upfc.exe	165
PID 2912 wrote to memory of 5532	2912	upfc.exe	165
PID 2912 wrote to memory of 4772	2912	upfc.exe	166
PID 2912 wrote to memory of 4772	2912	upfc.exe	166
PID 5532 wrote to memory of 3720	5532	WScript.exe	167
PID 5532 wrote to memory of 3720	5532	WScript.exe	167
PID 3720 wrote to memory of 1316	3720	upfc.exe	168
PID 3720 wrote to memory of 1316	3720	upfc.exe	168
PID 3720 wrote to memory of 5216	3720	upfc.exe	169
PID 3720 wrote to memory of 5216	3720	upfc.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4454ceb4919130c9dd9ac71aefa53879.exe
"C:\Users\Admin\AppData\Local\Temp\4454ceb4919130c9dd9ac71aefa53879.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHOIIhOOD2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4980
- - C:\Recovery\WindowsRE\upfc.exe
    "C:\Recovery\WindowsRE\upfc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b77f3373-9880-4a04-af14-9620e46802b0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6108
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38a17281-285a-4b7a-b45a-f5fde7266b4e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fdc6f02-4a14-49b7-bfd4-2f0e9afdf82a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3d65d02-79e2-45b0-aac4-785730c54312.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34669438-761d-47f5-ab73-d59dbc95e2dd.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4840b6f1-47ac-4f61-bcb9-bbfb90e6fb21.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5176
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2d46471-2388-4fc2-a7d8-c7eb31dc13a8.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5328
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43b5e679-47a3-4315-ad25-aa603269b323.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1931d747-0b21-429e-b669-bdd374c402a1.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:5532
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ad791d2-26a8-43d0-84dd-a56fdf790e87.vbs"
        22⤵
        
        PID:1316
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9a0fcf1-b03f-4fa7-a1b8-c90e0a67410f.vbs"
        24⤵
        
        PID:4740
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94069bac-19cd-402d-bbf2-02797b69802b.vbs"
        26⤵
        
        PID:3960
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc678916-db82-4188-8470-53b74cc2e962.vbs"
        28⤵
        
        PID:5688
        
        C:\Recovery\WindowsRE\upfc.exe
        
        C:\Recovery\WindowsRE\upfc.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c230841-2b0b-4a20-a129-79d8e128aaf8.vbs"
        30⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd01f7dd-221c-4bc0-a4b5-445b37257976.vbs"
        30⤵
        
        PID:3792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0781e564-31e3-4309-99fc-1830ddfa6703.vbs"
        28⤵
        
        PID:5352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fbe0ad1-e9cc-4332-8a1b-baf4af31fd2e.vbs"
        26⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4837d08c-5fe8-4013-a151-4090efa35a1e.vbs"
        24⤵
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f90bf3e-6fe8-489a-b53e-9879b4a5f500.vbs"
        22⤵
        
        PID:5216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66b35313-c627-4167-a029-7ff9c76b0208.vbs"
        20⤵
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\660e0ba0-cb72-4105-be61-48bfd74a1e02.vbs"
        18⤵
        
        PID:5632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5913bdf5-47f9-497e-9a9e-bab1e8827607.vbs"
        16⤵
        
        PID:5604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c810d9-1009-4c14-8d10-ac271375ecb2.vbs"
        14⤵
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ed7e07a-9be4-4cad-b7fd-6a85ac3019c9.vbs"
        12⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad852fe5-72dc-4c18-89f1-2928a7d8038a.vbs"
        10⤵
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b8de125-1a6f-4830-8246-9cd5089c24f0.vbs"
        8⤵
        
        PID:4800
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d200be0-4b73-4380-8ec5-6b583b0d8f09.vbs"
        6⤵
        
        PID:3300
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43f6f4f8-ba6c-4482-9e52-a90ca982170a.vbs"
      4⤵
      PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\d25f591a00514bc9ba8441\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\SearchApp.exe

Filesize
885KB

MD5
59a1cbbf54f6b9131527034e5b3e0824

SHA1
2a25c4715549ddf2791291eb34c859104c84a8fb

SHA256
d3a0bec77f4eff55b54fdc375827bdb384b5a903e279443c1eccbe0bf8ad6aa0

SHA512
1bc96d3df74308650a46186b75471a2bdd99fa561bb6899c2da013956bc3e581a83a9a6ad9d69189360bf012203f54caf38e789e9fad868ace6933fc43768e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1931d747-0b21-429e-b669-bdd374c402a1.vbs

Filesize
706B

MD5
3aa02d49816ce1a0122515cea0b1af3e

SHA1
84f82f578e31653df852e6dae73c64fbecc3749a

SHA256
a8f66199b464d1ae92c4f517ec6a6b5f60ccf706f820cdf2496957324ba2dbb7

SHA512
8deec5cf88bf6e7e38b6d3215f19e13257b93401102b493527cda2ccfa127fdcf9b8857de4ea82f74533ff37821d3e7e118b91db45e271c53766503c05f6369c

Download Submit
C:\Users\Admin\AppData\Local\Temp\34669438-761d-47f5-ab73-d59dbc95e2dd.vbs

Filesize
706B

MD5
5bb2b436cb21b257596ac2800d7d1130

SHA1
139f267a1cdc10ceda480309a637b45c42c6c832

SHA256
0564944a9ea2833f731a3f586a9a5cd6724c7bc35305f8ed986590bbf44196fa

SHA512
547bf121976e209645b84da1cfd777106099ba386b488a8d5d2a3759a34370f4549b2e237c9f6c00b9116af9f98a5a73826fb9d3f7fd4b013b95a4af885b99fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\38a17281-285a-4b7a-b45a-f5fde7266b4e.vbs

Filesize
706B

MD5
17d9df562864f4408e47f0622916ed5b

SHA1
c910249c3898c610d8c11283fc9a1aa034c7a530

SHA256
adc12f5514b5e08eec8b5fd77572479bf7f890d1c9d90b1d5b7408b621934bd3

SHA512
fda2f1608ce0768143d95efe8860dab13d85d9a0db91040c2f0921db2514530f585e4b4fce4c590d6877a12b34c62239843466c111ee9d15fd2c0a8564d02d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\43b5e679-47a3-4315-ad25-aa603269b323.vbs

Filesize
706B

MD5
d980c7d628c37bd31b8d4af66fd60aa7

SHA1
54036709f621ed64b90c868a8b3b85e50832677c

SHA256
31c31118e9a679e11e66fc983459459852b3db7e6bfdbe5dad47adf8502594ab

SHA512
02c2a0aeb57dcbd5caa20abf148ef091ba116e45b5c23602c7c7edd3c7b395122b419c8e2b078acf0c29da516f777667709b433ccf11f94a8895755526ae0283

Download Submit
C:\Users\Admin\AppData\Local\Temp\43f6f4f8-ba6c-4482-9e52-a90ca982170a.vbs

Filesize
482B

MD5
1a88392cd03cc0edb60bd8b0916cf6ea

SHA1
158fd24078cc76a2ed4791391be8089c7c08a81a

SHA256
6cecf40c7034495745a1b97f6426a2bb581604cebeecfd6f790313daa688c5df

SHA512
c6af7b5617445ca705384bb5e6d3abdb42ab2b9cffc1d491be724ac7862f9c08496bd6c149b0aee546b45c67c467d33288bf5677d7caaf600ff86e9f19a3f85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4840b6f1-47ac-4f61-bcb9-bbfb90e6fb21.vbs

Filesize
706B

MD5
ee1e6fe2e126c1474e2e363fd8c302e2

SHA1
2046fddd09ed6e74e9bfb6b717d598d4ed854bad

SHA256
316357e53f9cae0d9fdecc560111e76d8933a9f9b79236724f73ff50fff3e31a

SHA512
856bc4642d1a21ab75c99ff87bfaae14a7dcf9dc90a9026f90d37b2a0254d4dd647c055092d859edf8d5d18fd2bd0baa98b2ab165c740561e75bbf5d6120ff75

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c230841-2b0b-4a20-a129-79d8e128aaf8.vbs

Filesize
706B

MD5
57fbd9b7b986bc35538edd2eb8bcafe1

SHA1
57803442a2c18368c7c961389754e85099119d01

SHA256
6ca62d91bbb6371eebdc646cd824f3d21389450b808a3d6071082a3dcdeae856

SHA512
f0cdac4d40b17606d02b05e2065978485abd73c8982bc880ef68d718b64f4e0ea5812fddf62f5617acfc16ff9dd6e33524fa87f49dd9ca4897edca7b53eac3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fdc6f02-4a14-49b7-bfd4-2f0e9afdf82a.vbs

Filesize
706B

MD5
fc98c042557410b2afbdb4358c2caa01

SHA1
4990517777275a34c60f676f1ee386c986148eef

SHA256
e410ec65ec820072df2e34dbf2eeee6ca182227ed3ea954a31e1a50aecc4c83b

SHA512
d3d319ec133f860cd918a0f536d39a606d51f80e78dcff4dd07ee5109ae66b745177351c2375b78703bef1b84686849da2449fcde46287c80f7f2f26db7386ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ad791d2-26a8-43d0-84dd-a56fdf790e87.vbs

Filesize
706B

MD5
f22aafb3c48288b11c079662542de738

SHA1
f2d5b0997d895c32e455b82abf0ad28a5340ebb3

SHA256
88eec5ed2e3935cde49b50d787ea1d1838b57aae8c86aabd87e6bde49cf1f880

SHA512
cc6d69cb8f46ecc9ee51e637ec0fb16dc425a571d8cc64681d643b192d61a94f8cf78916644a8a64406979c4debd345e59c56606f2a3f2afe7d9b392ca9ab570

Download Submit
C:\Users\Admin\AppData\Local\Temp\94069bac-19cd-402d-bbf2-02797b69802b.vbs

Filesize
706B

MD5
b0b3e2397172f56ad25dcc7663ff46ff

SHA1
a4f33f522a6590613fb565720fbc169efba96c49

SHA256
56107e54859feaa242574513a6423681c3c22d4b2a18001375854853dc54a123

SHA512
3275e0f1556bac308bc4ba3347f1ef42b0820e01e7f16ee6a62e6a002e679682bee09c8c506cf6f0e14960f12673f38769de0b5dd078f7b20cefde80c219a0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHOIIhOOD2.bat

Filesize
195B

MD5
3db871997611e9978c735319cddd08c4

SHA1
1a6e59f84a7af06c0e5ab3a95ae56842adc5237b

SHA256
aed7af95d13c3ee99f1fcf5673e4dc7e8b5200e471636336f8a65178d1f37f88

SHA512
2e49d0644da2a38a9209d6cf8f96dc89cf2328e4dfa536a412dbfa9f2e760f824a34f9f754358999700938d566ae9940c3ba4533786ec99007cf7f0ea827d395

Download Submit
C:\Users\Admin\AppData\Local\Temp\b77f3373-9880-4a04-af14-9620e46802b0.vbs

Filesize
706B

MD5
69550bb10c1c6739ebc9f4bc93facda0

SHA1
691d510d8749a49ab4a12435ccb6c967a00a681b

SHA256
37eb8ebe75b3211298f273e4711228c8b8b07004cd4529327521f51fb05dfb5d

SHA512
c1438494fcf3be51ff16c5cf39d29e5f27d38091f8fc01d9295565c4b528ce097241769de8d94a5aa4d183f8dc927b08c632a52795ddc42f10e358c03da6ac6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9a0fcf1-b03f-4fa7-a1b8-c90e0a67410f.vbs

Filesize
706B

MD5
375a0a867526df53e5358842579a5c94

SHA1
9ae8cfd113445f95e8f85b7ba3ff44f95f19a236

SHA256
97d6606356f52d122ad03e603e40b50571f707906ef769468a0a5b98dd0db179

SHA512
a4dc165599fc0072cc7944b13b99766a3266a8833272436b14ebd62f2b57a89517e72c3907a180885771e9535cba05e7e09f85790d816eb57a5ceea4e5e9ab04

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d46471-2388-4fc2-a7d8-c7eb31dc13a8.vbs

Filesize
706B

MD5
d75d9c11a206f22671700490553f7ea1

SHA1
81f888ce986b8919473ca214ba0bfd1496dba812

SHA256
2bbde84d2e5b6b62d6ea545cbf004e27793d826b1925bebf76287d7551a9a83c

SHA512
9b4266380b7ff3854af67d53d20d6679d91792c4bc3432ffe0626285571f60391417e586274ae51ce89c14acc812de049106d8555ab222b34461e736fdf77d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d65d02-79e2-45b0-aac4-785730c54312.vbs

Filesize
706B

MD5
d936d94e4c46822527c245003cb4d95b

SHA1
b1cf1cca20ade0869bd1ea620ac2fb48a37bf476

SHA256
dc3f562f8c129713eae0d0f4c18eb44e65bd380b200dddd27dc226b80c2861bb

SHA512
c4f08f8bc1d95385b4425d4609ec3bcc67462d54cb94758256c1f0466d991e281cd2e7a5d18cc57e8699d500e583209dad76856b602eb79b8153d4b40e344bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc678916-db82-4188-8470-53b74cc2e962.vbs

Filesize
706B

MD5
2546dd87958497026b33e4304b8c233d

SHA1
91373e8f94457b6b6fc81188a2f2c8b2d04cfe10

SHA256
8da91f060512517d519ccede2318d4c396bd14fa5fe552ba9979c9c71d2187bf

SHA512
c3fe0aac764400547db10638d446d184ac3656dfed07bfea2a9753333a4a318311a62d7257e280039e30f23cc0267059e6968836b122a4c56044553133df8d88

Download Submit
C:\d25f591a00514bc9ba8441\fontdrvhost.exe

Filesize
885KB

MD5
4454ceb4919130c9dd9ac71aefa53879

SHA1
718ee7efda5afef9a41513902c33a767d3eba95c

SHA256
b7c8e0d773962b93371cd3a7f5617d0ced09ed117b3082fdabe319954cc2c59d

SHA512
7a7a4f2bca12d9a518d8e5dbee655a4a210c13eb44edd1d93597bd6a010a4fe9ede1c0ef6d9baca14f411ca27524ccdee486758cfb36bc67727b9c42ecca7cd1

Download Submit
memory/2020-187-0x000000001B5A0000-0x000000001B5D5000-memory.dmp

Filesize
212KB

Download
memory/2532-0-0x00007FF9E0563000-0x00007FF9E0565000-memory.dmp

Filesize
8KB

Download
memory/2532-7-0x000000001AE10000-0x000000001AE1A000-memory.dmp

Filesize
40KB

Download
memory/2532-8-0x000000001B330000-0x000000001B33E000-memory.dmp

Filesize
56KB

Download
memory/2532-9-0x000000001B340000-0x000000001B348000-memory.dmp

Filesize
32KB

Download
memory/2532-138-0x00007FF9E0560000-0x00007FF9E1021000-memory.dmp

Filesize
10.8MB

Download
memory/2532-10-0x000000001B350000-0x000000001B35C000-memory.dmp

Filesize
48KB

Download
memory/2532-4-0x000000001B380000-0x000000001B3D0000-memory.dmp

Filesize
320KB

Download
memory/2532-5-0x000000001ACB0000-0x000000001ACC0000-memory.dmp

Filesize
64KB

Download
memory/2532-3-0x000000001ADD0000-0x000000001ADEC000-memory.dmp

Filesize
112KB

Download
memory/2532-2-0x00007FF9E0560000-0x00007FF9E1021000-memory.dmp

Filesize
10.8MB

Download
memory/2532-6-0x000000001ADF0000-0x000000001AE06000-memory.dmp

Filesize
88KB

Download
memory/2532-1-0x00000000000E0000-0x00000000001C4000-memory.dmp

Filesize
912KB

Download