dcrat | ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cf97069999c57b9ff02fc34f4efbe8e.exe
Size

885KB
MD5

4cf97069999c57b9ff02fc34f4efbe8e
SHA1

c22915791d667d801d2931538432a27d61294bd2
SHA256

bf2520c5a62515ec02d2bb261460be7aa67d9983cdd5fa835c5124a215a900cb
SHA512

b3baa564a6a10d4f48e0b4c1154c4220978ead57c5d9dedb8095a8386abbc18ce06fef25cae94b1633f438144b102cb5a1ffcfa1f7a3ad20b132eaa1678e0ddb
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5984	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5688	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5636	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5272	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5792	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5180	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	6112	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	6112	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/244-1-0x0000000000420000-0x0000000000504000-memory.dmp	dcrat
behavioral20/files/0x0007000000024255-19.dat	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	4cf97069999c57b9ff02fc34f4efbe8e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 12 IoCs

pid	Process
5096	SearchApp.exe
1660	SearchApp.exe
5104	SearchApp.exe
1912	SearchApp.exe
5968	SearchApp.exe
3768	SearchApp.exe
4844	SearchApp.exe
2276	SearchApp.exe
4728	SearchApp.exe
2792	SearchApp.exe
4128	SearchApp.exe
4436	SearchApp.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4556_1930870954\backgroundTaskHost.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files\edge_BITS_4556_1930870954\eddb19405b7ce1	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files (x86)\Windows Mail\upfc.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files (x86)\Windows Mail\ea1d8f6d871115	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files\edge_BITS_4556_1930870954\RCX80A3.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files\edge_BITS_4664_752076059\RCX8131.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files\edge_BITS_4664_752076059\SearchApp.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Program Files\edge_BITS_4664_752076059\38384e6a620884	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files\edge_BITS_4556_1930870954\RCX8092.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX80EA.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX80EB.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Program Files\edge_BITS_4664_752076059\RCX8132.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Misc\PCAT\backgroundTaskHost.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Windows\AppReadiness\csrss.exe	4cf97069999c57b9ff02fc34f4efbe8e.exe
File created	C:\Windows\AppReadiness\886983d96e3d3e	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Windows\AppReadiness\RCX80D9.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe
File opened for modification	C:\Windows\AppReadiness\RCX80E9.tmp	4cf97069999c57b9ff02fc34f4efbe8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	4cf97069999c57b9ff02fc34f4efbe8e.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5688	schtasks.exe
5064	schtasks.exe
4576	schtasks.exe
4564	schtasks.exe
4896	schtasks.exe
4752	schtasks.exe
5984	schtasks.exe
3108	schtasks.exe
4512	schtasks.exe
4816	schtasks.exe
4872	schtasks.exe
4788	schtasks.exe
5792	schtasks.exe
4676	schtasks.exe
3240	schtasks.exe
1604	schtasks.exe
4016	schtasks.exe
4828	schtasks.exe
5180	schtasks.exe
4672	schtasks.exe
4940	schtasks.exe
4840	schtasks.exe
5932	schtasks.exe
4264	schtasks.exe
3172	schtasks.exe
5296	schtasks.exe
5028	schtasks.exe
4992	schtasks.exe
1684	schtasks.exe
4556	schtasks.exe
1156	schtasks.exe
2948	schtasks.exe
4528	schtasks.exe
2760	schtasks.exe
5636	schtasks.exe
5272	schtasks.exe
4804	schtasks.exe
4972	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
244	4cf97069999c57b9ff02fc34f4efbe8e.exe
244	4cf97069999c57b9ff02fc34f4efbe8e.exe
244	4cf97069999c57b9ff02fc34f4efbe8e.exe
244	4cf97069999c57b9ff02fc34f4efbe8e.exe
5096	SearchApp.exe
1660	SearchApp.exe
5104	SearchApp.exe
1912	SearchApp.exe
1912	SearchApp.exe
5968	SearchApp.exe
5968	SearchApp.exe
3768	SearchApp.exe
3768	SearchApp.exe
4844	SearchApp.exe
4844	SearchApp.exe
2276	SearchApp.exe
4728	SearchApp.exe
2792	SearchApp.exe
4128	SearchApp.exe
4436	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	244	4cf97069999c57b9ff02fc34f4efbe8e.exe
Token: SeDebugPrivilege	5096	SearchApp.exe
Token: SeDebugPrivilege	1660	SearchApp.exe
Token: SeDebugPrivilege	5104	SearchApp.exe
Token: SeDebugPrivilege	1912	SearchApp.exe
Token: SeDebugPrivilege	5968	SearchApp.exe
Token: SeDebugPrivilege	3768	SearchApp.exe
Token: SeDebugPrivilege	4844	SearchApp.exe
Token: SeDebugPrivilege	2276	SearchApp.exe
Token: SeDebugPrivilege	4728	SearchApp.exe
Token: SeDebugPrivilege	2792	SearchApp.exe
Token: SeDebugPrivilege	4128	SearchApp.exe
Token: SeDebugPrivilege	4436	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4072	244	4cf97069999c57b9ff02fc34f4efbe8e.exe	127
PID 244 wrote to memory of 4072	244	4cf97069999c57b9ff02fc34f4efbe8e.exe	127
PID 4072 wrote to memory of 1668	4072	cmd.exe	129
PID 4072 wrote to memory of 1668	4072	cmd.exe	129
PID 4072 wrote to memory of 5096	4072	cmd.exe	133
PID 4072 wrote to memory of 5096	4072	cmd.exe	133
PID 5096 wrote to memory of 2452	5096	SearchApp.exe	135
PID 5096 wrote to memory of 2452	5096	SearchApp.exe	135
PID 5096 wrote to memory of 6024	5096	SearchApp.exe	136
PID 5096 wrote to memory of 6024	5096	SearchApp.exe	136
PID 2452 wrote to memory of 1660	2452	WScript.exe	138
PID 2452 wrote to memory of 1660	2452	WScript.exe	138
PID 1660 wrote to memory of 6088	1660	SearchApp.exe	140
PID 1660 wrote to memory of 6088	1660	SearchApp.exe	140
PID 1660 wrote to memory of 2924	1660	SearchApp.exe	141
PID 1660 wrote to memory of 2924	1660	SearchApp.exe	141
PID 6088 wrote to memory of 5104	6088	WScript.exe	142
PID 6088 wrote to memory of 5104	6088	WScript.exe	142
PID 5104 wrote to memory of 4552	5104	SearchApp.exe	143
PID 5104 wrote to memory of 4552	5104	SearchApp.exe	143
PID 5104 wrote to memory of 4548	5104	SearchApp.exe	144
PID 5104 wrote to memory of 4548	5104	SearchApp.exe	144
PID 4552 wrote to memory of 1912	4552	WScript.exe	149
PID 4552 wrote to memory of 1912	4552	WScript.exe	149
PID 1912 wrote to memory of 5000	1912	SearchApp.exe	150
PID 1912 wrote to memory of 5000	1912	SearchApp.exe	150
PID 1912 wrote to memory of 5444	1912	SearchApp.exe	151
PID 1912 wrote to memory of 5444	1912	SearchApp.exe	151
PID 5000 wrote to memory of 5968	5000	WScript.exe	152
PID 5000 wrote to memory of 5968	5000	WScript.exe	152
PID 5968 wrote to memory of 184	5968	SearchApp.exe	153
PID 5968 wrote to memory of 184	5968	SearchApp.exe	153
PID 5968 wrote to memory of 244	5968	SearchApp.exe	154
PID 5968 wrote to memory of 244	5968	SearchApp.exe	154
PID 184 wrote to memory of 3768	184	WScript.exe	156
PID 184 wrote to memory of 3768	184	WScript.exe	156
PID 3768 wrote to memory of 2972	3768	SearchApp.exe	157
PID 3768 wrote to memory of 2972	3768	SearchApp.exe	157
PID 3768 wrote to memory of 1928	3768	SearchApp.exe	158
PID 3768 wrote to memory of 1928	3768	SearchApp.exe	158
PID 2972 wrote to memory of 4844	2972	WScript.exe	159
PID 2972 wrote to memory of 4844	2972	WScript.exe	159
PID 4844 wrote to memory of 1260	4844	SearchApp.exe	160
PID 4844 wrote to memory of 1260	4844	SearchApp.exe	160
PID 4844 wrote to memory of 1140	4844	SearchApp.exe	161
PID 4844 wrote to memory of 1140	4844	SearchApp.exe	161
PID 1260 wrote to memory of 2276	1260	WScript.exe	162
PID 1260 wrote to memory of 2276	1260	WScript.exe	162
PID 2276 wrote to memory of 3252	2276	SearchApp.exe	164
PID 2276 wrote to memory of 3252	2276	SearchApp.exe	164
PID 2276 wrote to memory of 2820	2276	SearchApp.exe	165
PID 2276 wrote to memory of 2820	2276	SearchApp.exe	165
PID 3252 wrote to memory of 4728	3252	WScript.exe	166
PID 3252 wrote to memory of 4728	3252	WScript.exe	166
PID 4728 wrote to memory of 5776	4728	SearchApp.exe	167
PID 4728 wrote to memory of 5776	4728	SearchApp.exe	167
PID 4728 wrote to memory of 2040	4728	SearchApp.exe	168
PID 4728 wrote to memory of 2040	4728	SearchApp.exe	168
PID 5776 wrote to memory of 2792	5776	WScript.exe	169
PID 5776 wrote to memory of 2792	5776	WScript.exe	169
PID 2792 wrote to memory of 4000	2792	SearchApp.exe	170
PID 2792 wrote to memory of 4000	2792	SearchApp.exe	170
PID 2792 wrote to memory of 1144	2792	SearchApp.exe	171
PID 2792 wrote to memory of 1144	2792	SearchApp.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4cf97069999c57b9ff02fc34f4efbe8e.exe
"C:\Users\Admin\AppData\Local\Temp\4cf97069999c57b9ff02fc34f4efbe8e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dw3woHWRTK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1668
- - C:\Recovery\WindowsRE\SearchApp.exe
    "C:\Recovery\WindowsRE\SearchApp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e78294-834d-4089-9d06-66efd7c25b15.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2616994-b133-46a5-8bd8-17e08c5efb9e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:6088
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd6c9b3a-2cdc-440b-a16c-f33090d95dd7.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0234829-6032-4601-9f81-c9f8f6749764.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c59ab335-0cc4-49e9-869a-e5b5ff73216e.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a75dec1-c113-4391-9d0f-71334ac2f63b.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82d85588-16f5-42cf-8e04-32f616227356.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e6603e3-0502-41a1-ac31-abbc99b951a6.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6da68124-4069-4a7c-a7b7-a854a5a7526f.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b687a3ee-5d75-45a4-8413-a63028e490e4.vbs"
        22⤵
        
        PID:4000
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5af3bd2-3e0c-4232-9dbb-5b5593d89e7d.vbs"
        24⤵
        
        PID:384
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e87edde-ab25-48d6-b8b6-2b58283fa878.vbs"
        26⤵
        
        PID:5100
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        27⤵
        
        PID:224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bb3b1f8-3286-47bc-9b03-8f6eaa2b5294.vbs"
        28⤵
        
        PID:3888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec33fc1d-8037-4bf8-932c-3bf3c4ba5e38.vbs"
        28⤵
        
        PID:544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e10483b-9a3b-4965-be5b-aae78e0c832e.vbs"
        26⤵
        
        PID:6060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a663153-a549-481e-91a5-106fefcb63fc.vbs"
        24⤵
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\173a9747-ec61-4eb3-9cf1-0e6ccc541ec4.vbs"
        22⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e078ed-f5e6-4a05-a979-b598bbcfed28.vbs"
        20⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e167b5eb-3f8f-4ff2-9615-e1f8cbbb44c8.vbs"
        18⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\242dd36f-e6be-49b3-8b8d-b88b79340750.vbs"
        16⤵
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7466442-55f1-4b7e-b1cd-82a27ea6f062.vbs"
        14⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a679f5a-b899-4739-8db8-d3509718ae54.vbs"
        12⤵
        
        PID:244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c145666-b004-47f0-93ed-08e35a444b1f.vbs"
        10⤵
        
        PID:5444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f33c466-24e3-4fa4-8a43-c26d3a9491a6.vbs"
        8⤵
        
        PID:4548
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9b4e44d-fe5a-47c7-8967-aebdced735b5.vbs"
        6⤵
        
        PID:2924
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c347c70-a964-484d-aefd-143bf99f29c0.vbs"
      4⤵
      PID:6024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4556_1930870954\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4556_1930870954\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4556_1930870954\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\AppReadiness\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppReadiness\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Public\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4664_752076059\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4664_752076059\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4664_752076059\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
885KB

MD5
4cf97069999c57b9ff02fc34f4efbe8e

SHA1
c22915791d667d801d2931538432a27d61294bd2

SHA256
bf2520c5a62515ec02d2bb261460be7aa67d9983cdd5fa835c5124a215a900cb

SHA512
b3baa564a6a10d4f48e0b4c1154c4220978ead57c5d9dedb8095a8386abbc18ce06fef25cae94b1633f438144b102cb5a1ffcfa1f7a3ad20b132eaa1678e0ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\15e78294-834d-4089-9d06-66efd7c25b15.vbs

Filesize
711B

MD5
91695a873ec5d29b1c39f10ef916b0bf

SHA1
376f9da4e7806bc8fe16ce77e4399947761fa936

SHA256
93c2f6f693c2e0ac6ea5b378edfbd9ceb3575166e734c2336e0e73572ab3d97a

SHA512
9ccc5e73f0ba97353284a112a6a089aa3b55810f9819ad499f04e03e94ada0bd876afebd102761941b8f1f6f0c270aef0b4c9142b88eba3c6ab7f726aa4dbf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6603e3-0502-41a1-ac31-abbc99b951a6.vbs

Filesize
711B

MD5
2d0415abccf72d113c76519bf63e003f

SHA1
8390569d9cb181d558a833ca2be3b0c7aa250f9d

SHA256
d0b97c6d04b1aeab6976278d16d77d7a86aec6de8db233ebc32655b44477aa2a

SHA512
4ba0b9f275f0076eca41f594633a92be1826b6e4482b2fb5e6af00b50cbd53929049231a71e564a81d6246931f997606dbb7e4dfd7f32d34520ce307b6c2ffae

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e87edde-ab25-48d6-b8b6-2b58283fa878.vbs

Filesize
711B

MD5
09e91ca58b0d2a23bf6b2a4cd612ca83

SHA1
2b774cb61218682f701297600a0b89a2ab6ed5fa

SHA256
7ad69d2751e762491d101f07d238958d91c9942f119019498df5263aa1a0e128

SHA512
19e8fa8a1821e15edf3c39c65f26c570ef44c33759b21d5f9e80cb2a15e93200ccee33ded2ed585829662f807f7885672a4861a4c43628e136a0d847de65421b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c347c70-a964-484d-aefd-143bf99f29c0.vbs

Filesize
487B

MD5
cbdb80943e91f1c53c8fe9e2dc522127

SHA1
66e26573753c92ab5646cfc4fcfd31ecf40c0ecc

SHA256
2380dc846dce105e67ca8730e84df936222d60964fd87221627b6edbb28ed298

SHA512
4bbea3053b29a008825c6fb68630c12a56e8fa89efeaf82baa1c90891e72b1a77dcb29a17bfed641b50cb620cb5ce0a98f2e509af4efdb87ae235cce38f0c5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a75dec1-c113-4391-9d0f-71334ac2f63b.vbs

Filesize
711B

MD5
8f8501ae918eeb3fbcd3332b6aa813dc

SHA1
f19de7802c6e3dd4ef2cdbc8cca02b0be41a6c98

SHA256
2861ce506a6ad4d86358393ce8b02a3f99c2a6e25e4b2d9520a65fb97c0cabbc

SHA512
9385453076c45effe2ef1d04a07b8763f3037b9d6b1c871650ca98ca01cbdb699246dd05680194be671dc89dd1081571b3ab05281efd56d552ae4514154d9dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6da68124-4069-4a7c-a7b7-a854a5a7526f.vbs

Filesize
711B

MD5
29200cc0ce85113968aff6775f2f33e8

SHA1
1850159c74a1b685e2d441a6264bc992574599ca

SHA256
eaac569f532b85d817f963526a028803f76ad960b39c237b2481e13b80732f70

SHA512
0e11fdb9d844050a4f0a261979c76c2d1de339031ebbd200ffa6d4913f33ca135a46a9d7e4bb2a260b69f30d5972883ea41f7572b7b67157195008a52dfdadad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bb3b1f8-3286-47bc-9b03-8f6eaa2b5294.vbs

Filesize
710B

MD5
cae42fc498714d923c54e473ca8aa193

SHA1
4f44b68d3dfd9355767c786656de04a8350323d8

SHA256
9e496c8c1aace6bf05cc3771c4f82677b88de7b39881446e4e4b7f2484e230e5

SHA512
f033fb7efc289384e811290eea9c1779b49168a31c111e61fd932badbb43e869dc5760b4036c963dd26acd2c283bf91d5e7aacf1824eca9beb87c2e5313b030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\82d85588-16f5-42cf-8e04-32f616227356.vbs

Filesize
711B

MD5
65724d7b3484697a1a66eaa2824aa457

SHA1
9ada015beea585c2d2393b07b5721afec2bedcd2

SHA256
8a2166b07a815adf1361f3c85439e75f3f5b0b5a120cdd3192d6c7517340071b

SHA512
43e52624ca1f520d937c557c8300764a0d34f8ee3462a0d358bf7fd5fe8f80b78da68733739e7a6c7cb3be591b0954a1a70ec04fea10d372537261c90bc69722

Download Submit
C:\Users\Admin\AppData\Local\Temp\b687a3ee-5d75-45a4-8413-a63028e490e4.vbs

Filesize
711B

MD5
1825163842acab10cb1dad3828216f8a

SHA1
eb69d78a921ce6f97d9f38efca0dd07a47d8ee08

SHA256
9cfcf0084b9b00b7978dadf920644fef16b78a9e2020b250893678497ee77b04

SHA512
03068cca1fd93dbbb145cf496400d1ded3e2210771cf35596ae2b7e5b3b166fc5b12be188572376d573622d3c453952c7c32934d30c9c238613784060f1aaba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c59ab335-0cc4-49e9-869a-e5b5ff73216e.vbs

Filesize
711B

MD5
cea4097456ea10d40d7a88e4d3cc70d5

SHA1
04d2647ec4b17b855d2af7b7e4f57d166ba0933f

SHA256
acf2beae7c5c16a607f9b8109a98bfdbd13ffba3d885f646c78463df637b1fa8

SHA512
3bf163516140438bf8821d8e26848b58c767eeab66e513c221267c26c8ac52a6988df6b057f65b3be7cd6eae95626226cf222d6853a8bc61f54808e791301f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0234829-6032-4601-9f81-c9f8f6749764.vbs

Filesize
711B

MD5
8148ea6eea4f6a5cc53c71700deb529f

SHA1
c59acb9ea83b54798723f7fca5c58c520acc65c3

SHA256
bebc9269c0e2f4a77f7e449408e1aa58ef0b852109c2b1edf86378f336fc6063

SHA512
596786d17328b2d6029a8e4a5eb1bffe431a3b6a48d3daa91a4a672608d92398b58565ae806383d67f81829bdd77d48cd12dc4520494a0317d786caddcdb4d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2616994-b133-46a5-8bd8-17e08c5efb9e.vbs

Filesize
711B

MD5
b9f43545ddc1557d65b595a18f0275ec

SHA1
d87fb49ef777bb3c130e07ecf28e231afc5d1ed0

SHA256
cd8b70442b386fb7f77cb69cb2c84b8f48acd23a268f3bccc997c672ce795d49

SHA512
ec8c9bb04b9b39def99d4775b6f768bf1fed6b74b9bd1000fc799869130213848ad9cfb36879e6d3ef05d1c947459b741bd9e6a23c1f20849ee3b7ba7346014a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dw3woHWRTK.bat

Filesize
200B

MD5
a9f440d67f97fc282b69b5c9cb9562ef

SHA1
ec9cc12d89b9ccace26d4e4f5a503f3232af2757

SHA256
d6c4dfb29403487ea171c18be764b28a0e5dd4d80fe2cc33d7af92a4c22aa1e9

SHA512
b53b79bbcd245ec86d59729961112ba693dbfb55e8b51bf953cb941e1e656c317984844428ad1e615660931e70b2302afe2cb623ab856da246da27743f71dfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5af3bd2-3e0c-4232-9dbb-5b5593d89e7d.vbs

Filesize
711B

MD5
fc2c9ffc4ba0f9863722d121b0e27ab1

SHA1
9ce5c89632dc2a88b9a100ec757fba65319bbbbd

SHA256
c4d7fc6a0f6468d9ef7cc9790beeed12d4d21a423403426434e5a43b2c5ba533

SHA512
4acb2a5af6a55189acd4f76a34c994915ca94a8cb682a4aa7a21a66bd3763308b683871559546424790360ebdcf60f3f9d6e1bdabebe348d67070b612785bad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd6c9b3a-2cdc-440b-a16c-f33090d95dd7.vbs

Filesize
711B

MD5
6604f76f322de3bfcf15a19a26f8f0cf

SHA1
29e55717f80d8a8ebac8a895da9890947b05c9a5

SHA256
54690b841a3a1c6b6f75ce5d2bbca6f420cef614a6ad284b04ae9ca6a3fe7523

SHA512
3029be2488fd9484648ee65d281e49827d3927537ad8d128c0f46af0d21b63617a417550e8f09031804649123c582a3b3795f2a284ea905a39ffa856b8502f96

Download Submit
memory/244-4-0x000000001B6B0000-0x000000001B700000-memory.dmp

Filesize
320KB

Download
memory/244-5-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/244-3-0x000000001B640000-0x000000001B65C000-memory.dmp

Filesize
112KB

Download
memory/244-9-0x000000001B680000-0x000000001B688000-memory.dmp

Filesize
32KB

Download
memory/244-1-0x0000000000420000-0x0000000000504000-memory.dmp

Filesize
912KB

Download
memory/244-6-0x000000001B660000-0x000000001B676000-memory.dmp

Filesize
88KB

Download
memory/244-2-0x00007FF961470000-0x00007FF961F31000-memory.dmp

Filesize
10.8MB

Download
memory/244-7-0x0000000002590000-0x000000000259A000-memory.dmp

Filesize
40KB

Download
memory/244-8-0x00000000025B0000-0x00000000025BE000-memory.dmp

Filesize
56KB

Download
memory/244-10-0x000000001B690000-0x000000001B69C000-memory.dmp

Filesize
48KB

Download
memory/244-0-0x00007FF961473000-0x00007FF961475000-memory.dmp

Filesize
8KB

Download
memory/244-191-0x00007FF961470000-0x00007FF961F31000-memory.dmp

Filesize
10.8MB

Download