dcrat | fd198cf3ef764ffa17e7bd465d666057804a25ed5c6061074c0de7b6df43a667

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f148dd5c5e1754e666715462f5a410b.exe
Size

885KB
MD5

2f148dd5c5e1754e666715462f5a410b
SHA1

0c5f8fcab489df669639c334af2e1f1e4868fab6
SHA256

070cd87bc58c7b6dc8a21b89e93a548f173fcc7668f68c2e9462ce18eeccf11a
SHA512

a515fe57b44d71a0709e9a1cb56f5c2f87bc9cf609ee111af21b12bae620305a2df102b93d34c48784bbcdba39092e8eeb2be5f15cbf99ba256c973172c7e4fe
SSDEEP

12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1592	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral7/memory/2100-1-0x0000000000EA0000-0x0000000000F84000-memory.dmp	dcrat
behavioral7/files/0x0005000000019fb9-18.dat	dcrat
behavioral7/memory/2776-180-0x00000000010C0000-0x00000000011A4000-memory.dmp	dcrat
behavioral7/memory/1356-202-0x0000000000330000-0x0000000000414000-memory.dmp	dcrat
behavioral7/memory/2284-214-0x0000000000D70000-0x0000000000E54000-memory.dmp	dcrat
behavioral7/memory/1404-226-0x00000000003D0000-0x00000000004B4000-memory.dmp	dcrat
behavioral7/memory/2344-238-0x00000000011D0000-0x00000000012B4000-memory.dmp	dcrat
behavioral7/memory/548-261-0x00000000002C0000-0x00000000003A4000-memory.dmp	dcrat
behavioral7/memory/2544-273-0x00000000012B0000-0x0000000001394000-memory.dmp	dcrat
behavioral7/memory/1704-296-0x0000000000340000-0x0000000000424000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
2776	winlogon.exe
2560	winlogon.exe
1356	winlogon.exe
2284	winlogon.exe
1404	winlogon.exe
2344	winlogon.exe
1212	winlogon.exe
548	winlogon.exe
2544	winlogon.exe
1988	winlogon.exe
1704	winlogon.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\RCXB520.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXB530.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXB531.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXB533.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXB4F5.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXB532.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\b75386f1303e64	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXB4F6.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXB50C.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files\Windows Portable Devices\spoolsv.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\101b941d020240	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\2f148dd5c5e1754e666715462f5a410b.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\36a00afdfcfa30	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files\Windows Sidebar\es-ES\taskhost.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files\Windows Portable Devices\f3b6ecef712a24	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Program Files\Windows Sidebar\es-ES\b75386f1303e64	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXB50B.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\RCXB51F.tmp	2f148dd5c5e1754e666715462f5a410b.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IME\IMESC5\HELP\RCXB534.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\IME\IMESC5\HELP\RCXB535.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\Microsoft.NET\Framework\1036\audiodg.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\Microsoft.NET\Framework\1036\42af1c969fbb7b	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\IME\IMESC5\HELP\winlogon.exe	2f148dd5c5e1754e666715462f5a410b.exe
File created	C:\Windows\IME\IMESC5\HELP\cc11b995f2a76d	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\1036\RCXB4D4.tmp	2f148dd5c5e1754e666715462f5a410b.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\1036\RCXB4E5.tmp	2f148dd5c5e1754e666715462f5a410b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
932	schtasks.exe
388	schtasks.exe
2160	schtasks.exe
2712	schtasks.exe
2984	schtasks.exe
2168	schtasks.exe
592	schtasks.exe
2808	schtasks.exe
2608	schtasks.exe
2600	schtasks.exe
2424	schtasks.exe
1828	schtasks.exe
1704	schtasks.exe
1760	schtasks.exe
2228	schtasks.exe
2636	schtasks.exe
2012	schtasks.exe
1916	schtasks.exe
2916	schtasks.exe
2076	schtasks.exe
352	schtasks.exe
2904	schtasks.exe
1640	schtasks.exe
2928	schtasks.exe
2412	schtasks.exe
2260	schtasks.exe
2084	schtasks.exe
1624	schtasks.exe
2004	schtasks.exe
1048	schtasks.exe
2372	schtasks.exe
2688	schtasks.exe
2716	schtasks.exe
1464	schtasks.exe
2208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2100	2f148dd5c5e1754e666715462f5a410b.exe
2100	2f148dd5c5e1754e666715462f5a410b.exe
2100	2f148dd5c5e1754e666715462f5a410b.exe
2776	winlogon.exe
2560	winlogon.exe
1356	winlogon.exe
2284	winlogon.exe
1404	winlogon.exe
2344	winlogon.exe
1212	winlogon.exe
548	winlogon.exe
2544	winlogon.exe
1988	winlogon.exe
1704	winlogon.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	2f148dd5c5e1754e666715462f5a410b.exe
Token: SeDebugPrivilege	2776	winlogon.exe
Token: SeDebugPrivilege	2560	winlogon.exe
Token: SeDebugPrivilege	1356	winlogon.exe
Token: SeDebugPrivilege	2284	winlogon.exe
Token: SeDebugPrivilege	1404	winlogon.exe
Token: SeDebugPrivilege	2344	winlogon.exe
Token: SeDebugPrivilege	1212	winlogon.exe
Token: SeDebugPrivilege	548	winlogon.exe
Token: SeDebugPrivilege	2544	winlogon.exe
Token: SeDebugPrivilege	1988	winlogon.exe
Token: SeDebugPrivilege	1704	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2840	2100	2f148dd5c5e1754e666715462f5a410b.exe	67
PID 2100 wrote to memory of 2840	2100	2f148dd5c5e1754e666715462f5a410b.exe	67
PID 2100 wrote to memory of 2840	2100	2f148dd5c5e1754e666715462f5a410b.exe	67
PID 2840 wrote to memory of 2856	2840	cmd.exe	69
PID 2840 wrote to memory of 2856	2840	cmd.exe	69
PID 2840 wrote to memory of 2856	2840	cmd.exe	69
PID 2840 wrote to memory of 2776	2840	cmd.exe	70
PID 2840 wrote to memory of 2776	2840	cmd.exe	70
PID 2840 wrote to memory of 2776	2840	cmd.exe	70
PID 2776 wrote to memory of 1984	2776	winlogon.exe	72
PID 2776 wrote to memory of 1984	2776	winlogon.exe	72
PID 2776 wrote to memory of 1984	2776	winlogon.exe	72
PID 2776 wrote to memory of 2008	2776	winlogon.exe	73
PID 2776 wrote to memory of 2008	2776	winlogon.exe	73
PID 2776 wrote to memory of 2008	2776	winlogon.exe	73
PID 1984 wrote to memory of 2560	1984	WScript.exe	74
PID 1984 wrote to memory of 2560	1984	WScript.exe	74
PID 1984 wrote to memory of 2560	1984	WScript.exe	74
PID 2560 wrote to memory of 3000	2560	winlogon.exe	75
PID 2560 wrote to memory of 3000	2560	winlogon.exe	75
PID 2560 wrote to memory of 3000	2560	winlogon.exe	75
PID 2560 wrote to memory of 1672	2560	winlogon.exe	76
PID 2560 wrote to memory of 1672	2560	winlogon.exe	76
PID 2560 wrote to memory of 1672	2560	winlogon.exe	76
PID 3000 wrote to memory of 1356	3000	WScript.exe	77
PID 3000 wrote to memory of 1356	3000	WScript.exe	77
PID 3000 wrote to memory of 1356	3000	WScript.exe	77
PID 1356 wrote to memory of 388	1356	winlogon.exe	78
PID 1356 wrote to memory of 388	1356	winlogon.exe	78
PID 1356 wrote to memory of 388	1356	winlogon.exe	78
PID 1356 wrote to memory of 3008	1356	winlogon.exe	79
PID 1356 wrote to memory of 3008	1356	winlogon.exe	79
PID 1356 wrote to memory of 3008	1356	winlogon.exe	79
PID 388 wrote to memory of 2284	388	WScript.exe	80
PID 388 wrote to memory of 2284	388	WScript.exe	80
PID 388 wrote to memory of 2284	388	WScript.exe	80
PID 2284 wrote to memory of 1748	2284	winlogon.exe	81
PID 2284 wrote to memory of 1748	2284	winlogon.exe	81
PID 2284 wrote to memory of 1748	2284	winlogon.exe	81
PID 2284 wrote to memory of 1968	2284	winlogon.exe	82
PID 2284 wrote to memory of 1968	2284	winlogon.exe	82
PID 2284 wrote to memory of 1968	2284	winlogon.exe	82
PID 1748 wrote to memory of 1404	1748	WScript.exe	83
PID 1748 wrote to memory of 1404	1748	WScript.exe	83
PID 1748 wrote to memory of 1404	1748	WScript.exe	83
PID 1404 wrote to memory of 1632	1404	winlogon.exe	84
PID 1404 wrote to memory of 1632	1404	winlogon.exe	84
PID 1404 wrote to memory of 1632	1404	winlogon.exe	84
PID 1404 wrote to memory of 580	1404	winlogon.exe	85
PID 1404 wrote to memory of 580	1404	winlogon.exe	85
PID 1404 wrote to memory of 580	1404	winlogon.exe	85
PID 1632 wrote to memory of 2344	1632	WScript.exe	86
PID 1632 wrote to memory of 2344	1632	WScript.exe	86
PID 1632 wrote to memory of 2344	1632	WScript.exe	86
PID 2344 wrote to memory of 904	2344	winlogon.exe	87
PID 2344 wrote to memory of 904	2344	winlogon.exe	87
PID 2344 wrote to memory of 904	2344	winlogon.exe	87
PID 2344 wrote to memory of 924	2344	winlogon.exe	88
PID 2344 wrote to memory of 924	2344	winlogon.exe	88
PID 2344 wrote to memory of 924	2344	winlogon.exe	88
PID 904 wrote to memory of 1212	904	WScript.exe	89
PID 904 wrote to memory of 1212	904	WScript.exe	89
PID 904 wrote to memory of 1212	904	WScript.exe	89
PID 1212 wrote to memory of 1680	1212	winlogon.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2f148dd5c5e1754e666715462f5a410b.exe
"C:\Users\Admin\AppData\Local\Temp\2f148dd5c5e1754e666715462f5a410b.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\etelVECoQh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2856
- - C:\Windows\IME\IMESC5\HELP\winlogon.exe
    "C:\Windows\IME\IMESC5\HELP\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3a13605-62dc-47c3-9e10-c5579bf660a4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\137630a3-5849-4fac-8059-5cef10b26210.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16f6e82e-3829-4e15-92c4-ec4b2b9fb42a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a65876ba-e8f8-4d40-bd1e-c08ebc38b9f2.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab94fa37-3835-475c-b273-e83f2e2785f8.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fe0cf42-0b5c-436c-b1f5-7c2ecd44a94b.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\744c8271-4909-4d80-b17a-4b489e958eeb.vbs"
        16⤵
        
        PID:1680
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83b25b97-bef3-48da-88bf-8d1f79449979.vbs"
        18⤵
        
        PID:1948
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c896f517-3a73-4ddc-9555-ca8bdf7b41b5.vbs"
        20⤵
        
        PID:2272
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\811d0129-891e-4527-9063-40bd357340fd.vbs"
        22⤵
        
        PID:1068
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        
        C:\Windows\IME\IMESC5\HELP\winlogon.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc790a4d-3fb3-4863-9b46-18f8dc26e76b.vbs"
        24⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fffef905-da90-4916-bacb-436a2c8b9b5a.vbs"
        24⤵
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a799825e-82f7-4690-8d5c-e4c26a507cc6.vbs"
        22⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f7766d9-3196-40e3-89e0-4d8923dc346d.vbs"
        20⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63a3fd63-3b72-40a9-a47b-01a8f3ca75f9.vbs"
        18⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2148a8fb-8ff6-4caa-aebe-015b30683660.vbs"
        16⤵
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ef5777d-bec2-4c3d-bf4b-251a4b26f775.vbs"
        14⤵
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9657d01d-2e7d-4155-8fc6-8292c2b0563f.vbs"
        12⤵
        
        PID:580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4d13186-0ec4-4501-b903-12b77aa5a5dc.vbs"
        10⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c676d373-1b2a-48cd-99e7-a1898801115d.vbs"
        8⤵
        
        PID:3008
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcd7752e-42e3-4966-a334-8f15cd8e91d1.vbs"
        6⤵
        
        PID:1672
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef2aab21-454f-40b8-aa7f-6321807b6269.vbs"
      4⤵
      PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework\1036\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1036\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\1036\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f148dd5c5e1754e666715462f5a410b2" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\2f148dd5c5e1754e666715462f5a410b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f148dd5c5e1754e666715462f5a410b" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\2f148dd5c5e1754e666715462f5a410b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2f148dd5c5e1754e666715462f5a410b2" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\2f148dd5c5e1754e666715462f5a410b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\IMESC5\HELP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\HELP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMESC5\HELP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe

Filesize
885KB

MD5
2f148dd5c5e1754e666715462f5a410b

SHA1
0c5f8fcab489df669639c334af2e1f1e4868fab6

SHA256
070cd87bc58c7b6dc8a21b89e93a548f173fcc7668f68c2e9462ce18eeccf11a

SHA512
a515fe57b44d71a0709e9a1cb56f5c2f87bc9cf609ee111af21b12bae620305a2df102b93d34c48784bbcdba39092e8eeb2be5f15cbf99ba256c973172c7e4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\137630a3-5849-4fac-8059-5cef10b26210.vbs

Filesize
715B

MD5
2c5038c99c79079527110d73954348fa

SHA1
2a949130fd8262eb3202aeccf7fb1990d1153c16

SHA256
a7a12d1ae19d5d709073c51e76ca25013e702e7bfaf80d2a03e04b15f22bdda3

SHA512
80bfac0c3ab725d2af49b30e4b5a5cd969c5d4cd1959a6d4fb469fe8d3801631354476246552620a0d7869aea5aea3b03d462d76109d14dae7579e4bc188611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\16f6e82e-3829-4e15-92c4-ec4b2b9fb42a.vbs

Filesize
715B

MD5
6b0a57c8abf7895cf1726f3f20838982

SHA1
34831b0a9cff2414b6357fa7cefb5c28eea05dd0

SHA256
e71a60a79fdbeca7b0c17596e3a09fb35a95ca848cf6c7ef6bc6ea26130790d4

SHA512
6e97abd932fa252f8027f361f6ddf430fcd330901f0a6112d89c834b2e1df293f1c0ae2826ce4c8a023e3ed91afecea4465d7f8d64d26c22ff2bd627a21c5963

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fe0cf42-0b5c-436c-b1f5-7c2ecd44a94b.vbs

Filesize
715B

MD5
5f4d973f8db8fe22807d48cb148357da

SHA1
d1eddca1a8cbbed7079a74a2498abd91e50b40b8

SHA256
ef3b6a7cb4a2dc32f348ffe5fa836678a33a2a1062b81f0ac5db76744f073e52

SHA512
5690e878716ea79d2f06fedabf6a583edfb3d3683eb465ea0c288b3468f46830e4ff6fd59ed82f454717242cd2cd99d85db2e0f20725284e970a22b9b85947d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\744c8271-4909-4d80-b17a-4b489e958eeb.vbs

Filesize
715B

MD5
b65b5f5575d71a4ddff8589024643418

SHA1
8a1f873ae7750c2e7cd0831e881a1c400d4b15ee

SHA256
7c667261a568d5ff81a19c4be8164569a00b5d6d3a9537166f34b39c2ae21b37

SHA512
904a4217be347563d1e3335b3bf71829eb503c1e194b6fddd90aceda649d0bca7752ace6e32b5e1cc6ae31dc95e4409ca52af6de487a82a5e3eb387fd172e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\811d0129-891e-4527-9063-40bd357340fd.vbs

Filesize
715B

MD5
b46bd64cbdbccbf6606fa00bc96b8305

SHA1
b9dc5214e96683e37153e1d9e799cf1887a6b6a3

SHA256
ac16adc3401efde9fd38688be62f6e1d5495080636c63689bcc4cd6f59ae3e05

SHA512
c1c1941cf9858531120b3f265619d164da2fb51e76b46302a6b0f8ac513929f52c88c7c7e601416aa561e87d1cde6b28cd92ba5796426fe0dde657cba9f497ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\83b25b97-bef3-48da-88bf-8d1f79449979.vbs

Filesize
714B

MD5
cbf39b77b5d541692852df22109a7bc8

SHA1
8de05b42d9b5c3a81d09ee5d672cdf86dc6fc261

SHA256
e1b18fe6fc1fb264a58df99bdff177f64f26eb833ef20f499b714e8cbf609b9a

SHA512
2513f1563c5ad4753b746081651bc025ffb470a858fee72db31e899be1e16c8bf7446d926edbe35d1d9f42ec4ae44cc9b5b4770a65f060dd656b128e33f03c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3a13605-62dc-47c3-9e10-c5579bf660a4.vbs

Filesize
715B

MD5
25217bfd67dab2dc91b08aef07a16a03

SHA1
f8d42615e6a7e6d9773b55ca97476026f49511e1

SHA256
20e02fca0cc189751cbcf2b30f94dfc8e624154fa2c293856f3e34396d65ae96

SHA512
e6acf18e82e73793721addf310a0c66bfbc28e1b66a870df4125f328ab9618f2091fd765d01eaa9e2eacd941fb3a3af668aa22dd6224e250525d20982f7e0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a65876ba-e8f8-4d40-bd1e-c08ebc38b9f2.vbs

Filesize
715B

MD5
44f9fda902ff641a55e3a17c831c733a

SHA1
8db23f8cefa353d3fd53df0a3c1aad13c49f5d97

SHA256
6c6aa0aefd06b3276d2411c84c53ad74992ba9a56f2ace5d882ffd79efa34012

SHA512
a86824e09478995a8acda0a2b8bbd6b1ac901e17694b51751bb68b86419cb98925e1185c810c1541225b3aeac6b41e8e8c25e4fcad252858b534aad7956063aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab94fa37-3835-475c-b273-e83f2e2785f8.vbs

Filesize
715B

MD5
8e810354ecdf20f6967a8b701a45e1ff

SHA1
2d0f21e50ea26471c86437717c0c7fd2ec339ff5

SHA256
41d93477a2ab1c9421c0f454aa1bc9db12e6cb4c1c4b177936bb087f2e25a2a5

SHA512
04ec4a68a17b42b4fb2a39a3e701422b520ea7777f12c6a94515e0ce91e2b4633a344290604896c06751a121cd8104709a28bd91fb1cf48b7a77933cd89a3f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc790a4d-3fb3-4863-9b46-18f8dc26e76b.vbs

Filesize
715B

MD5
ce29fde240c9f458c5fd1cd4d46357de

SHA1
ed1b6063e33cadd986023bdb176bdbaa062adb5f

SHA256
c3c2d0068a98f2670f7f9c6ad5ba2a3f5bccd98abb0aa1241ec8c80d39e1b61a

SHA512
ac944639f10179551f124fc47e01b78fcd4fa7c8cdd4b1601dbe62ad95a3c2a14ae8ec3566454d83dc049ef3018f1634fb385e35ce2932664d74ee229f5066b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c896f517-3a73-4ddc-9555-ca8bdf7b41b5.vbs

Filesize
715B

MD5
eeb026ed590fbf144772205c7db8ceb5

SHA1
b8f3fa746c1e1922897f4a41df20c11916c44da7

SHA256
d68b45992ad0ded75a539936c519111fa9e0a9716dddc354599e82d76fe01852

SHA512
adeb18154ae6b869811c9199d7ad70236c10ea9a178d2be8177c030f14f397b852abd02cf22671273921e98f8ec4f484d1bd2201afc983ea636f0269c71bc82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef2aab21-454f-40b8-aa7f-6321807b6269.vbs

Filesize
491B

MD5
b580c5da13edb9ae508d28dca01a22c3

SHA1
36f752066c0f3199d0111d09673f2a0b6850f093

SHA256
1bd4d42502e838ba7d578e6d57cd350442d7ba0a44a89cd2ba75da14e15f9936

SHA512
760b5b88fcb5cdb2e6fefd7288047e85680d5f67983cf597a3e6b351e9de721774f90fcc5a750b26ca587898a16c2c01ff111bedcf9619818f98cade458e1dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\etelVECoQh.bat

Filesize
204B

MD5
63af8386468ef3b2fc507e8d9559dab1

SHA1
d9edeb5bd9865b56c759055e606eb21dffdee480

SHA256
ae459997ee5a9ad0aac33c1d2350b918b05e6fa480e84dd1f857deca455aac80

SHA512
5f25dc477cdfaaaed078743a3bac990aae85f067d3247c3628dc9b1405e9dda8af141d31501d1d4a1ef5c45539287c9bf0b6c3abdd2c543a67e9c16d4f6c61f7

Download Submit
memory/548-261-0x00000000002C0000-0x00000000003A4000-memory.dmp

Filesize
912KB

Download
memory/1356-202-0x0000000000330000-0x0000000000414000-memory.dmp

Filesize
912KB

Download
memory/1404-226-0x00000000003D0000-0x00000000004B4000-memory.dmp

Filesize
912KB

Download
memory/1704-296-0x0000000000340000-0x0000000000424000-memory.dmp

Filesize
912KB

Download
memory/2100-3-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/2100-4-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2100-2-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-177-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-9-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2100-1-0x0000000000EA0000-0x0000000000F84000-memory.dmp

Filesize
912KB

Download
memory/2100-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/2100-8-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2100-5-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/2100-6-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2100-7-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/2284-214-0x0000000000D70000-0x0000000000E54000-memory.dmp

Filesize
912KB

Download
memory/2344-238-0x00000000011D0000-0x00000000012B4000-memory.dmp

Filesize
912KB

Download
memory/2544-273-0x00000000012B0000-0x0000000001394000-memory.dmp

Filesize
912KB

Download
memory/2776-180-0x00000000010C0000-0x00000000011A4000-memory.dmp

Filesize
912KB

Download