dcrat | 7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
157s
max time network
169s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dfc71cfc45034d671ac0f319bc080bd.exe
Size

885KB
MD5

3dfc71cfc45034d671ac0f319bc080bd
SHA1

7d8a8faccf06d8ec762bdf56e8842dd069ec3801
SHA256

13af700b0453342984055a1e70619698a9163812e7524e4c6c264e29f25fd9a1
SHA512

8c824df6e8976dbf362cc075a1f114d9b86ad16cc0bedd880ef0a6afb7e745b901d957b96b8cf40020cbfb1c52f82874eacd319a9dc905b64d793c953503a00e
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2620	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral23/memory/2848-1-0x0000000000B50000-0x0000000000C34000-memory.dmp	dcrat
behavioral23/files/0x000500000001a459-19.dat	dcrat
behavioral23/files/0x000600000001a4ac-55.dat	dcrat
behavioral23/files/0x000600000001c84b-130.dat	dcrat
behavioral23/memory/2660-216-0x0000000000810000-0x00000000008F4000-memory.dmp	dcrat
behavioral23/memory/1908-228-0x0000000000990000-0x0000000000A74000-memory.dmp	dcrat
behavioral23/memory/2896-240-0x0000000001340000-0x0000000001424000-memory.dmp	dcrat
behavioral23/memory/884-285-0x00000000002E0000-0x00000000003C4000-memory.dmp	dcrat
behavioral23/memory/1308-297-0x0000000000E70000-0x0000000000F54000-memory.dmp	dcrat
behavioral23/memory/2588-320-0x0000000000220000-0x0000000000304000-memory.dmp	dcrat
behavioral23/files/0x000700000001a473-324.dat	dcrat

Executes dropped EXE 9 IoCs

pid	Process
2660	lsm.exe
1908	lsm.exe
2896	lsm.exe
1564	lsm.exe
2136	lsm.exe
2156	lsm.exe
884	lsm.exe
1308	lsm.exe
2112	lsm.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\explorer.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\7a0fd90576e088	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Google\CrashReports\lsm.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\7-Zip\Lang\explorer.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXE239.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXE23A.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXE177.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXE155.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Google\CrashReports\101b941d020240	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Media Player\it-IT\6cb0b6c459d5d3	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXE133.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXE145.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCXE25D.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\7-Zip\Lang\7a0fd90576e088	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Microsoft Office\OSPPSVC.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\886983d96e3d3e	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXE144.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXE176.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXE187.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXE25E.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXE26F.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Microsoft Office\1610b97d3ab4a7	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCXE25C.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\csrss.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXE093.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXE0A4.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Media Player\it-IT\dwm.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXE188.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\Writers\System\RCXE227.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXE238.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\Vss\Writers\System\explorer.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\Vss\Writers\System\7a0fd90576e088	3dfc71cfc45034d671ac0f319bc080bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
2328	schtasks.exe
520	schtasks.exe
2444	schtasks.exe
2244	schtasks.exe
1648	schtasks.exe
2312	schtasks.exe
2104	schtasks.exe
2024	schtasks.exe
1488	schtasks.exe
2156	schtasks.exe
2012	schtasks.exe
1336	schtasks.exe
3024	schtasks.exe
1780	schtasks.exe
2356	schtasks.exe
1580	schtasks.exe
1276	schtasks.exe
1496	schtasks.exe
2184	schtasks.exe
1224	schtasks.exe
2696	schtasks.exe
2148	schtasks.exe
904	schtasks.exe
1596	schtasks.exe
2016	schtasks.exe
2268	schtasks.exe
688	schtasks.exe
1304	schtasks.exe
1928	schtasks.exe
2308	schtasks.exe
1688	schtasks.exe
2920	schtasks.exe
1868	schtasks.exe
2544	schtasks.exe
580	schtasks.exe
2256	schtasks.exe
2664	schtasks.exe
1008	schtasks.exe
1980	schtasks.exe
360	schtasks.exe
3040	schtasks.exe
604	schtasks.exe
1912	schtasks.exe
1380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2848	3dfc71cfc45034d671ac0f319bc080bd.exe
2848	3dfc71cfc45034d671ac0f319bc080bd.exe
2848	3dfc71cfc45034d671ac0f319bc080bd.exe
2660	lsm.exe
1908	lsm.exe
2896	lsm.exe
1564	lsm.exe
2136	lsm.exe
2156	lsm.exe
884	lsm.exe
1308	lsm.exe
2112	lsm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	3dfc71cfc45034d671ac0f319bc080bd.exe
Token: SeDebugPrivilege	2660	lsm.exe
Token: SeDebugPrivilege	1908	lsm.exe
Token: SeDebugPrivilege	2896	lsm.exe
Token: SeDebugPrivilege	1564	lsm.exe
Token: SeDebugPrivilege	2136	lsm.exe
Token: SeDebugPrivilege	2156	lsm.exe
Token: SeDebugPrivilege	884	lsm.exe
Token: SeDebugPrivilege	1308	lsm.exe
Token: SeDebugPrivilege	2112	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2660	2848	3dfc71cfc45034d671ac0f319bc080bd.exe	76
PID 2848 wrote to memory of 2660	2848	3dfc71cfc45034d671ac0f319bc080bd.exe	76
PID 2848 wrote to memory of 2660	2848	3dfc71cfc45034d671ac0f319bc080bd.exe	76
PID 2660 wrote to memory of 1992	2660	lsm.exe	77
PID 2660 wrote to memory of 1992	2660	lsm.exe	77
PID 2660 wrote to memory of 1992	2660	lsm.exe	77
PID 2660 wrote to memory of 2100	2660	lsm.exe	78
PID 2660 wrote to memory of 2100	2660	lsm.exe	78
PID 2660 wrote to memory of 2100	2660	lsm.exe	78
PID 1992 wrote to memory of 1908	1992	WScript.exe	79
PID 1992 wrote to memory of 1908	1992	WScript.exe	79
PID 1992 wrote to memory of 1908	1992	WScript.exe	79
PID 1908 wrote to memory of 1724	1908	lsm.exe	80
PID 1908 wrote to memory of 1724	1908	lsm.exe	80
PID 1908 wrote to memory of 1724	1908	lsm.exe	80
PID 1908 wrote to memory of 580	1908	lsm.exe	81
PID 1908 wrote to memory of 580	1908	lsm.exe	81
PID 1908 wrote to memory of 580	1908	lsm.exe	81
PID 1724 wrote to memory of 2896	1724	WScript.exe	82
PID 1724 wrote to memory of 2896	1724	WScript.exe	82
PID 1724 wrote to memory of 2896	1724	WScript.exe	82
PID 2896 wrote to memory of 2072	2896	lsm.exe	83
PID 2896 wrote to memory of 2072	2896	lsm.exe	83
PID 2896 wrote to memory of 2072	2896	lsm.exe	83
PID 2896 wrote to memory of 1464	2896	lsm.exe	84
PID 2896 wrote to memory of 1464	2896	lsm.exe	84
PID 2896 wrote to memory of 1464	2896	lsm.exe	84
PID 2072 wrote to memory of 1564	2072	WScript.exe	85
PID 2072 wrote to memory of 1564	2072	WScript.exe	85
PID 2072 wrote to memory of 1564	2072	WScript.exe	85
PID 1564 wrote to memory of 2224	1564	lsm.exe	86
PID 1564 wrote to memory of 2224	1564	lsm.exe	86
PID 1564 wrote to memory of 2224	1564	lsm.exe	86
PID 1564 wrote to memory of 1864	1564	lsm.exe	87
PID 1564 wrote to memory of 1864	1564	lsm.exe	87
PID 1564 wrote to memory of 1864	1564	lsm.exe	87
PID 2224 wrote to memory of 2136	2224	WScript.exe	88
PID 2224 wrote to memory of 2136	2224	WScript.exe	88
PID 2224 wrote to memory of 2136	2224	WScript.exe	88
PID 2136 wrote to memory of 1656	2136	lsm.exe	89
PID 2136 wrote to memory of 1656	2136	lsm.exe	89
PID 2136 wrote to memory of 1656	2136	lsm.exe	89
PID 2136 wrote to memory of 864	2136	lsm.exe	90
PID 2136 wrote to memory of 864	2136	lsm.exe	90
PID 2136 wrote to memory of 864	2136	lsm.exe	90
PID 1656 wrote to memory of 2156	1656	WScript.exe	91
PID 1656 wrote to memory of 2156	1656	WScript.exe	91
PID 1656 wrote to memory of 2156	1656	WScript.exe	91
PID 2156 wrote to memory of 2444	2156	lsm.exe	92
PID 2156 wrote to memory of 2444	2156	lsm.exe	92
PID 2156 wrote to memory of 2444	2156	lsm.exe	92
PID 2156 wrote to memory of 3060	2156	lsm.exe	93
PID 2156 wrote to memory of 3060	2156	lsm.exe	93
PID 2156 wrote to memory of 3060	2156	lsm.exe	93
PID 2444 wrote to memory of 884	2444	WScript.exe	94
PID 2444 wrote to memory of 884	2444	WScript.exe	94
PID 2444 wrote to memory of 884	2444	WScript.exe	94
PID 884 wrote to memory of 1148	884	lsm.exe	95
PID 884 wrote to memory of 1148	884	lsm.exe	95
PID 884 wrote to memory of 1148	884	lsm.exe	95
PID 884 wrote to memory of 1968	884	lsm.exe	96
PID 884 wrote to memory of 1968	884	lsm.exe	96
PID 884 wrote to memory of 1968	884	lsm.exe	96
PID 1148 wrote to memory of 1308	1148	WScript.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3dfc71cfc45034d671ac0f319bc080bd.exe
"C:\Users\Admin\AppData\Local\Temp\3dfc71cfc45034d671ac0f319bc080bd.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files (x86)\Google\CrashReports\lsm.exe
  "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d93a14f9-3724-47df-b6d6-ad5176e63c31.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Program Files (x86)\Google\CrashReports\lsm.exe
      "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\966e46f2-c289-4f4c-8926-ae74d301c9a9.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Program Files (x86)\Google\CrashReports\lsm.exe
        
        "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\231f2b8a-3be6-441b-a1a8-dd8a8019d3cc.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Program Files (x86)\Google\CrashReports\lsm.exe
        
        "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20db0322-3616-4a58-b5fa-5bd578def885.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Program Files (x86)\Google\CrashReports\lsm.exe
        
        "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5431e297-2680-4ddf-a7e0-5c31632794ee.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Program Files (x86)\Google\CrashReports\lsm.exe
        
        "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cac589d2-b21e-4ddc-8268-a659c219a326.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Program Files (x86)\Google\CrashReports\lsm.exe
        
        "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c9d2e39-846c-4cab-95c8-4779475057d6.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Program Files (x86)\Google\CrashReports\lsm.exe
        
        "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc5e7a9c-8917-4fb0-a2f4-064fd43fb836.vbs"
        17⤵
        
        PID:1788
        
        C:\Program Files (x86)\Google\CrashReports\lsm.exe
        
        "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cc1c53c-aa9d-4684-bddd-43b9ac0022e4.vbs"
        19⤵
        
        PID:1588
        
        C:\Program Files (x86)\Google\CrashReports\lsm.exe
        
        "C:\Program Files (x86)\Google\CrashReports\lsm.exe"
        20⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4722f6b-b171-4dd3-a4d8-6f6926dd3303.vbs"
        21⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efcb3a21-8c24-4dcc-893f-83455d34e72b.vbs"
        21⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1899522-a09a-427c-ad14-6a1da8cce6fa.vbs"
        19⤵
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3aaa469-1b51-4fd9-8621-f05b3be28009.vbs"
        17⤵
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e99b276-0ab3-48ee-9b51-f24f7f58ebaf.vbs"
        15⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a40a4d59-ec90-4675-a404-4af28e827735.vbs"
        13⤵
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\882f7a5b-4fc3-4e4c-a6ef-650ce8120c3e.vbs"
        11⤵
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19009f28-9f21-4770-be5d-0ebe18fbcb1e.vbs"
        9⤵
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e816a118-ebc9-4873-950c-1d1cd7885410.vbs"
        7⤵
        
        PID:1464
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a583cb48-695e-47eb-84f8-bb6e964811c3.vbs"
        5⤵
        
        PID:580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86644303-59fa-438b-8215-eb34aa7b1db4.vbs"
    3⤵
    PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\System\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
885KB

MD5
a3613d8da656c25294eff1fb53667786

SHA1
9a5dfda3e6d82d4e12c683322af64a84e9c7764e

SHA256
ff5312c895e2f9a243f64059fbf3b2b1d0de280a3ca88288ad0a252dcaedd014

SHA512
84b0e58b62cd1ab670b0ed438890315447ceb0d24df5d3968cd4e69152430f8cb446d81b104c220c89064e5d98f8feb5ae1071c56f9bf941a224956fdbf8cef5

Download Submit
C:\Program Files\Microsoft Office\OSPPSVC.exe

Filesize
885KB

MD5
3dfc71cfc45034d671ac0f319bc080bd

SHA1
7d8a8faccf06d8ec762bdf56e8842dd069ec3801

SHA256
13af700b0453342984055a1e70619698a9163812e7524e4c6c264e29f25fd9a1

SHA512
8c824df6e8976dbf362cc075a1f114d9b86ad16cc0bedd880ef0a6afb7e745b901d957b96b8cf40020cbfb1c52f82874eacd319a9dc905b64d793c953503a00e

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe

Filesize
885KB

MD5
cb2e92fc61c44af3920b8f22e9d791c8

SHA1
0e6f42196bcc9a0a05d677ee8c5da96d90e6306d

SHA256
05ddc2a9f7b730c9a70d2c34e7c967857457f6dab0284950dd529db6fd2a4b1a

SHA512
e926d3aaacc88cc245d094ed4ff342e217868da8c66fdfcc4690e05031626773b3368a98b10aa225cb8c75338400f79ce9095574433e321fba6b1d895666213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\20db0322-3616-4a58-b5fa-5bd578def885.vbs

Filesize
726B

MD5
d7acf685677f921bba95fed55cccd65c

SHA1
74feb86dea0669579ffcb693b5912172f5300427

SHA256
4a1496f22e5038d7594278c522e7bb5a1e762bb3e9d332cd095a230167566a89

SHA512
9931b1e39f1569d6bfcb495bc15574c334e5d4cafacbc66e203f9cf610592bcae2a1ba32d3e669ca5e86de19bf62b23501b7fd9bb19933478160bd53009de912

Download Submit
C:\Users\Admin\AppData\Local\Temp\231f2b8a-3be6-441b-a1a8-dd8a8019d3cc.vbs

Filesize
726B

MD5
a2b06904e93479369d3def730c5f1a3d

SHA1
88898470673af68fbc79634bb8bd711ae40b8e3c

SHA256
653f2f76acacdf45f100f0f745b2c02c7570dc256ec0b3d8b5464f56c5b38c5b

SHA512
7390d6709918cdcf48881f61702a97f36b6af90f9487c57a57fc3bf1a18816b304c9c3602a44aac0467f4df2088ef6f46d55f087faee18b7dc107273203f0f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5431e297-2680-4ddf-a7e0-5c31632794ee.vbs

Filesize
726B

MD5
c1fb39aa14586eefc3942f422d843647

SHA1
c11c679e4e2322d22a1bd25fc92a9996c45a6ece

SHA256
427c21c455e0fbb1a221caacb93193ce50ff70cca62f8f15c653207cc9082685

SHA512
0fab10af2c6d20dc537ae6a0618e52dab60bb73a0397e9356a0c2400bc23dd00241c1fac4cecb0cb177de1a0eff71c7a5b3db8c8ad2f86038e63622e37b85e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7cc1c53c-aa9d-4684-bddd-43b9ac0022e4.vbs

Filesize
726B

MD5
b6bd8475a34d46537e71d5ab3540eeeb

SHA1
b235bf7ee0f8c9b004696c655ba51f08be6be3e9

SHA256
4bae7d6a0f5682caa0336eebff7219d8cd23dda24568f06a92bc28bcb0041107

SHA512
e7d563bb0126d26361918d286cf67602d23d120841d42f99f86544cb6ccb350d6501dd0ad5f4fb8eb08a5851496838a9d43aeeedea59d7f96f78be68bc18a221

Download Submit
C:\Users\Admin\AppData\Local\Temp\86644303-59fa-438b-8215-eb34aa7b1db4.vbs

Filesize
502B

MD5
422bcd3263d8387c01285b06f0f84ad2

SHA1
e48cd1960954ad662bfdb3c6f933d21927af9940

SHA256
17caf1e5de852acc6aa2036ce3fc1486121c2eba944c6e9dd5261ac63311010c

SHA512
23afd6ee3baff69e3b50bcd35ab5a4ed82fecfdb4c2051731caa122a2d30c09853e3c063ab3988e29df051197874de65e477289558940692f914c37949b66e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\966e46f2-c289-4f4c-8926-ae74d301c9a9.vbs

Filesize
726B

MD5
3669ac9de23bd49c09deda3d106cc371

SHA1
1b15784886a76f13e7a0f83624c33f03ab9cc273

SHA256
7e17c631bef5abc7854aa304084a45b0b64ad562592960a65c2398453db17a1f

SHA512
aa8fc791af06c636f53be5188767b637e24f45f639c0df723375ee9fa8ed8e083ce0f82e4c15625fbc264a13cfaf2886ca4539e4ffcdf2bb7eb1fc072cf8d4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c9d2e39-846c-4cab-95c8-4779475057d6.vbs

Filesize
725B

MD5
1c4529634f84902664a6f06ff08e3930

SHA1
2a4534d46a807175d31e54a848e1aca41865ff16

SHA256
8f4d6a73a67232ab28ad33f08187ee591308e5f0c7a7a10a715412ec29708cca

SHA512
a8851ff2be0c3bf34514228f72c02f2ebf965d1be35d1bbcefe08dd22056ab4dbac1b4b57ce4bb55cec927d0a630e639814dbe9e695a73f7097f31452aa19c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4722f6b-b171-4dd3-a4d8-6f6926dd3303.vbs

Filesize
726B

MD5
68083ba872330a37251bd57717f1a31b

SHA1
a812aa6b74448c32282b381e970b84002c09ff62

SHA256
a52090e9a878d72e11a18dff6e83942a480d72a3788c7e15d9f4f382a501190d

SHA512
c4985b5818b91693290890b89f9932e8a14e06c06500e6c8d4c1221f748713b2f3edbb67a41796fc75091c7a5b2cbf30e4538d524a274a5de68dbc2ffb7d3cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\c593460a1cc26114da33333df493100821daf2d0.exe

Filesize
638KB

MD5
04c14c2a56d9d71d61fe00a86e79501c

SHA1
9c2f3f3ec69b1d95fd6d07c8b8ca90ba2194a75e

SHA256
04de6b9c6e5f427b9130c70db6c669dfd16599af5b9e77e3d6e3706a23992f17

SHA512
2db6efc7ccb5369618577d71807b0173874c9aa3a25c7d96b27fe6290820a7bbbbc2ba603983d31c5982154b2a29696f13a0ebee509f598e786bbc3c88fd0e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cac589d2-b21e-4ddc-8268-a659c219a326.vbs

Filesize
726B

MD5
7cefa51deea62131e1c8bcc7cd73cf94

SHA1
88b0eddc2fe4b009069b35d6c10a785e49ad150a

SHA256
698b0322c6dfe8ca741fb5d842e08577b6fbc54c68555dad29c6d5c65cd78e9a

SHA512
95fee1d2b4a029299cf67e9706e257c785ff8b7c9b2d6d00e7335fd5aface35c875b0af9b3cafd5c85055a8908a6742691b2e7e79f6f0ecb2ae4d5a339e639f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5e7a9c-8917-4fb0-a2f4-064fd43fb836.vbs

Filesize
726B

MD5
7289bd15def0133e8545f5274a61050c

SHA1
95e4e4a794fbfac5e039f1e6a03854b4ec46f4ce

SHA256
4e8ee57d77fe73cd0d355376e2c37ab8225341c3c28467598207795402e8145b

SHA512
904ca623f718aeb3b4e51053c63e65d3dcce6f648b192f861bcdc68bbbf9885671c781816ac84def92c848267c378c8f4d707ef18097df7765d8f070e20061d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d93a14f9-3724-47df-b6d6-ad5176e63c31.vbs

Filesize
726B

MD5
8c97ff6b7a064585fbfb35a0a659680a

SHA1
7754191d912fd074b16278b042e92451de375f35

SHA256
b73ceb145ef4afdfadf7a9966e521729e1c0f70527341499a483f6bbe92318d0

SHA512
9fdda421992c0d7c7bc14648893c36a7f3e054bbb15ff0ac26861bff910eff4c0918dc1b79109ff74989c0fe769c3c689255985b9c6432a6be4cc8714ba9cbb1

Download Submit
memory/884-285-0x00000000002E0000-0x00000000003C4000-memory.dmp

Filesize
912KB

Download
memory/1308-297-0x0000000000E70000-0x0000000000F54000-memory.dmp

Filesize
912KB

Download
memory/1908-228-0x0000000000990000-0x0000000000A74000-memory.dmp

Filesize
912KB

Download
memory/2588-320-0x0000000000220000-0x0000000000304000-memory.dmp

Filesize
912KB

Download
memory/2660-216-0x0000000000810000-0x00000000008F4000-memory.dmp

Filesize
912KB

Download
memory/2848-7-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2848-8-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2848-217-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-41-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2848-10-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2848-9-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2848-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000000B50000-0x0000000000C34000-memory.dmp

Filesize
912KB

Download
memory/2848-6-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2848-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2848-4-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2848-3-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2848-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2896-240-0x0000000001340000-0x0000000001424000-memory.dmp

Filesize
912KB

Download